The two most widely used methods for encrypting email on the Internet, PGP and S/MIME, are vulnerable to attacks that can reveal the plaintext of encrypted messages, a researcher warned late Sunday night. He went on to say that there are no reliable fixes, and recommended that anyone using either standard for sensitive communication remove it from their email client immediately.
The flaws "could reveal the plaintext of encrypted emails sent in the past," wrote Sebastian Schinzel, professor of computer security at Münster University of Applied Sciences, on Twitter. "There are no reliable fixes for the vulnerability. If you are using PGP/GPG or S/MIME for highly confidential communications, you should first disable it in your email client."
There are currently no reliable fixes for the vulnerability, so if you use PGP/GPG or S/MIME for highly confidential communications, you should first disable it in your email client. @EFF's blog post about this issue: https://t.co/zJh2YHhE5q #fail 2/4
– Sebastian Schinzel (@security) May 14th 2018
Schinzel pointed readers to a blog post published late Sunday evening by the Electronic Frontier Foundation, which said: "EFF has communicated with the research team and can confirm that these vulnerabilities pose a direct risk to users using these tools for e-mail communication, including the potential disclosure of content from previous messages."
"Our advice, which corresponds to that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted emails. Until the errors described in this article are further understood and resolved, users should initiate the use of alternative secure, end-to-end secure channels, such as Signal, and temporarily suspend the sending and, in particular, the reading of PGP-encrypted e-mails."
Both Schinzel and the EFF blog post referred affected users to EFF instructions for disabling the plugins in Thunderbird, macOS Mail, and Outlook. The instructions describe themselves only as "disabling PGP integration in email clients." Interestingly, they give no advice to remove PGP applications such as Gpg4win or GNU Privacy Guard. Once the plugins are removed from Thunderbird, Mail, or Outlook, the EFF posts said, "Your emails are not automatically decrypted." On Twitter, EFF officials said, "Do not decrypt encrypted PGP messages that you receive with your email client."
Little is known about the flaws at the moment. Both Schinzel and the EFF blog post said details will be released late Monday evening in a paper written by a team of European security researchers. Schinzel's tweets used the hashtag #efail, a possible reference to the name the researchers have given their attack.
Members of the research team were behind a number of other major cryptographic attacks, including one from 2016 called DROWN, which decrypted communications protected by the Transport Layer Security protocol. The other researchers behind the PGP and S/MIME work are Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Simon Friedberger, Juraj Somorovsky, and Jörg Schwenk. In addition to the University of Münster, the researchers represent Ruhr University and KU Leuven.
Given the stature of the researchers and the EFF's confirmation, it is advisable to follow the advice to disable PGP and S/MIME in email clients until more details are released Monday night. Ars will post more as the details become public.