'EFAIL' Vulnerability Undermines PGP, S/MIME Email Encryption

"Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email", EFF said. Even better, convert messages to plain text and read them offline in a text editor to avoid being exploited via EFAIL.

Security researchers have discovered and warned against vulnerabilities in PGP/GPG and S/MIME email encryption standards that could be used by malicious actors.

Ultimately, if you don't use PGP or S/MIME for email encryption, then there's nothing to worry about.

Professor Schinzel posted on Twitter that the university would publish its findings in the early hours of Tuesday morning; the Electronic Frontier Foundation (EFF), which first reported the vulnerability, had been alerted beforehand.

PGP encryption is mostly used by political activists, journalists, and whistleblowers as an extra layer of protection for email.

On a website devoted to the issue, the researchers, who named the attack EFAIL, said the attacks exploit problems with the OpenPGP and S/MIME standards and can expose the plaintext of encrypted emails.

The flaw, codenamed EFAIL, allows an attacker who exploits it to decrypt sent or received messages, according to the research team.

The security flaw may also represent more of a problem with PGP implementations than a bug in the encryption standard itself.

The flaw works only when an attacker already has access to a victim's encrypted emails and that victim's email client both decrypts the email and loads external content, "thus exfiltrating the plaintext to the attacker". ProtonMail, an email client that supports a version of PGP, is not affected.

Werner Koch, the developer behind GNU Privacy Guard (GnuPG), an open-source PGP software suite, was also critical of the research.

Attackers need to send emails as specially crafted HTML messages that contain the code required to exfiltrate decoded text from vulnerable programs.
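As an added example (not code from the article or the researchers), a small Python checker that implements the mitigation described above from the defender's side: it flags a MIME message that combines an encrypted part with an HTML part referencing remote resources, and rewrites such references so a renderer cannot fetch them. The sample message, the `remote.invalid` domain and the regex-based detection are constructed assumptions for this example.

```python
import email
import re
from email import policy

# HTML attributes that make a mail client fetch a remote resource.
# Constructed for this example; a production checker would use an HTML parser.
REMOTE_REF = re.compile(
    r"""(?:src|href|background|action)\s*=\s*["']?\s*(https?://[^"'\s>]+)""",
    re.IGNORECASE,
)

# MIME types that carry PGP/MIME or S/MIME ciphertext.
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pgp-encrypted", "application/pkcs7-mime"}

def remote_references(html):
    """Return every http(s) URL the HTML would make the client fetch."""
    return REMOTE_REF.findall(html)

def neutralize_remote_content(html):
    """Rewrite remote references so the renderer cannot reach the network."""
    return REMOTE_REF.sub(lambda m: m.group(0).replace(m.group(1), "blocked:"), html)

def efail_exposure(raw):
    """Flag a raw RFC 822 message that mixes ciphertext with remote-loading HTML."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    encrypted, urls = False, []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ENCRYPTED_TYPES:
            encrypted = True
        elif ctype == "text/html":
            urls.extend(remote_references(part.get_content()))
    return {"encrypted_part": encrypted, "remote_refs": urls, "risky": encrypted and bool(urls)}

# Constructed sample: an HTML part with a remote image beside a PGP/MIME part.
SAMPLE = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset="utf-8"

<html><body><img src="http://remote.invalid/pixel.png"><p>hello</p></body></html>
--outer
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="enc"

--enc
Content-Type: application/pgp-encrypted

Version: 1
--enc
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(ciphertext placeholder)
-----END PGP MESSAGE-----
--enc--
--outer--
"""

if __name__ == "__main__":
    print(efail_exposure(SAMPLE))
```

A client that renders only the neutralized HTML, or plain text as the EFF recommends, removes the channel the article describes even if decryption still happens.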

"As the world's largest encrypted email service based on PGP, we are disappointed that some organizations and publications have contributed to a narrative that suggests PGP is broken or that people should stop using PGP", a spokesperson for ProtonMail said.

The researchers claim that they have disclosed their findings "responsibly" to worldwide computer emergency readiness teams (CERTs), GnuPG developers and the affected vendors, which have applied (or are in the process of applying) countermeasures. But individuals, companies, and corporations who use these technologies on a daily basis are advised to disable related plugins and use a third-party client to encrypt messages, such as Signal (iOS, Android).