Security researchers discover critical flaw in PGP encryption that reveals plaintext

Daniel Sambraus—EyeEm  Getty Images

Daniel Sambraus—EyeEm Getty Images

Ahead of a full release of details on May 15, European researchers and the EFF are providing an early warning that messages encoded with PGP/GPG and S/MIME are vulnerable to a set of serious security vulnerabilities - an issue impacting over 20 email clients.

The two attacks, details of which were published on Monday in a research paper, affect PGP, the most popular technology for sending encrypted emails.

"The Efail attacks exploit flaws and undefined behavior in the MIME, S/MIME, and OpenPGP standards", the researchers wrote. Service providers have been requested by the EFF to communicate the news to all users and request them to disable all related security plugins including Thunderbird with Enigmail, Apple mail with GPG tools, Outlook with GPG4win. "Having used PGP since 1993, this sounds baaad".

'There are now no reliable fixes for the vulnerability, ' lead researcher Sebastian Schinzel, professor of applied cryptography at the Muenster University of Applied Sciences, said in a tweet on Monday.

PGP uses an algorithm to generate a "hash", or mathematical summary, of a user's name and other information. The reason is that a team of European researchers has found critical flaws in the encryption standards and now there are no fixes available. The attacker would have to have access to the encrypted emails to begin with, meaning that the victim's account would need to be compromised as a starting point.

S/MIME is very similar to PGP except that instead of users defining their own encryption methods and web of trust (how to share their private encryption keys), S/MIME uses predefined encryption standards and public-private keypairs distributed by a trusted authority.

But it said that, correctly used and configured, both forms of encryption remained secure.

S/MIME is relatively commonplace in enterprise email networks, making this vulnerability particularly concerning. Then the emails are changed in a particular way and sent to a victim.

'Securely encrypted email remains an important and suitable means of increasing information security, ' it said in a statement, adding that the flaws which have been discovered can be remedied through patches and proper use.

To exploit the weakness, a hacker would need to have access to an email server or the mailbox of a recipient. They also warned that nation state agencies are known to eavesdrop on email communications.

Recommended News

We are pleased to provide this opportunity to share information, experiences and observations about what's in the news.
Some of the comments may be reprinted elsewhere in the site or in the newspaper.
Thank you for taking the time to offer your thoughts.