Ahead of a full release of details on May 15, European researchers and the EFF are providing an early warning that messages encoded with PGP/GPG and S/MIME are vulnerable to a set of serious security vulnerabilities - an issue impacting over 20 email clients.
The team had been due to publish its full findings on Tuesday but rushed them out after the news made waves among the community of encrypted email users that includes activists, whistleblowers and journalists working in hostile environments. The flaw, named EFAIL, reportedly affects both sent and received messages, including past correspondence.
The use of PGP - short for Pretty Good Privacy - for secure communications has been advocated, among others, by Edward Snowden, who blew the whistle on pervasive electronic surveillance at the U.S. National Security Agency before fleeing to Russian Federation.
Schinzel, alongside his fellow security experts at Münster University of Applied Sciences as well as the researchers at Ruhr University Bochum and KKU Leuven, jointly published their research detailing the flaws. It's this variety that attackers use to ambush users of OpenPGP and S/Mime by sending a slightly modified S/Mime email to the victim's address. A critical vulnerability has been exposed by some German researchers and they have tweeted that there are no fixes available, and their immediate suggestion is to stop using PGP altogether.
A newly-discovered software vulnerability means it may be possible to read encrypted emails sent in the past.
More particularly, the attacks use specially crafted HTML emails that exploit bugs in the way PGP is implemented in some email programs.
Disabling PGP and S/MIME are seen as conservative stopgaps until proper mitigation can be applied more broadly.
Unlike PGP, S/MIME (Secure/Multipurpose Internet Mail Extensions) is an email-only encryption program.
PGP is a type of email encryption. Then the emails are changed in a particular way and sent to a victim. "You are thus only affected if an attacker already has access to your emails". In addition the mails would need to be in HTML format and have active links to external content to be vulnerable. The potential for compromised communications increases if the email is part of a group conversation, as the attacker only needs to target one person in the chain to pull off the decryption.