PGP and S/MIME are the protocols used to encrypt email end to end. However, users are now being urged to stop sending email with them, since a serious flaw has been identified that can expose the contents of both new and previously sent encrypted emails.
Reportedly, Sebastian Schinzel, professor of computer security and researcher at Münster University of Applied Sciences, has identified a flaw that can reveal the “plaintext of encrypted emails including emails sent in the past.”
The issue has become a major cause of concern in the tech community, and around 8 researchers from three major European universities are currently working out the details of the identified flaw.
The Electronic Frontier Foundation (EFF) has also confirmed in its latest blog post that PGP is flawed and can potentially leak the contents of encrypted emails. Users are therefore urged to immediately uninstall or disable tools that automatically decrypt PGP-encrypted email until a patch is released.
The foundation also tweeted to inform users that they should not decrypt PGP-encrypted messages in mail clients since researchers have stated that currently there aren’t any reliable fixes available.
For now, do not decrypt encrypted PGP messages that you receive using your email client. Instead, use non-email based messaging platforms, like Signal, for your encrypted messaging needs.
— EFF (@EFF) May 14, 2018
“Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email,” read the blog post from EFF.
According to GnuPG’s Werner Koch, the EFF is exaggerating the situation, and the foundation has not yet contacted GnuPG. Enigmail’s Robert Hansen has called the EFF’s warning a “tempest in a teapot” about which the company isn’t the “least bit worried.”
Hansen believes the foundation should have reached out to the companies involved rather than going public, and says users can confidently keep using the newest Enigmail version.
Koch added that they had identified mail clients that fail to check for decryption errors properly and that follow links in HTML emails, which means the flaw lies in the mail clients and not in the protocols.
“In fact, OpenPGP is immune if used correctly while S/MIME has no deployed mitigation,” tweeted Koch on behalf of GnuPG.
They figured out mail clients which don't properly check for decryption errors and also follow links in HTML mails. So the vulnerability is in the mail clients and not in the protocols. In fact OpenPGP is immune if used correctly while S/MIME has no deployed mitigation.
— GNU Privacy Guard (@gnupg) May 14, 2018
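The GnuPG tweet above pins the problem on clients that ignore decryption errors and fetch remote content from HTML mail. As an added illustration, not code from this article or from any mail client, the Python below shows what a careful client does at those two points: it reads GnuPG's --status-fd output and renders plaintext only when DECRYPTION_OKAY and GOODMDC are both reported, and it strips remote URLs from the decrypted HTML before display. The status lines are constructed samples, not captured output.

```python
import html
import re
from html.parser import HTMLParser

# Constructed samples of GnuPG --status-fd output (not captured from a real run).
STATUS_OK = "[GNUPG:] DECRYPTION_OKAY\n[GNUPG:] GOODMDC\n[GNUPG:] END_DECRYPTION\n"
STATUS_BADMDC = "[GNUPG:] BADMDC\n[GNUPG:] DECRYPTION_FAILED\n[GNUPG:] END_DECRYPTION\n"
STATUS_NO_MDC = "[GNUPG:] DECRYPTION_OKAY\n[GNUPG:] END_DECRYPTION\n"  # no integrity check

def decryption_trusted(status_text):
    """Show plaintext only if GnuPG reports a successful decryption AND a good MDC."""
    tags = {line.split()[1] for line in status_text.splitlines()
            if line.startswith("[GNUPG:] ")}
    if "DECRYPTION_FAILED" in tags or "BADMDC" in tags:
        return False
    return "DECRYPTION_OKAY" in tags and "GOODMDC" in tags

class RemoteContentStripper(HTMLParser):
    """Drop attributes pointing at remote URLs so rendering cannot trigger a fetch."""
    REMOTE = re.compile(r"^\s*(https?:|ftp:|//)", re.I)  # cid: inline parts are kept

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.blocked = [], 0

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if name in ("src", "href", "background", "poster") and value and self.REMOTE.match(value):
                self.blocked += 1  # a remote reference the client refuses to follow
                continue
            kept.append(f'{name}="{html.escape(value)}"' if value is not None else name)
        self.out.append("<" + " ".join([tag] + kept) + ">")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))  # re-escape text the parser unescaped

def render_decrypted_mail(status_text, plaintext_html):
    """Return (safe_html, blocked_count); safe_html is None when plaintext must not be shown."""
    if not decryption_trusted(status_text):
        return None, 0
    stripper = RemoteContentStripper()
    stripper.feed(plaintext_html)
    stripper.close()
    return "".join(stripper.out), stripper.blocked
```

A real client would feed the status text from `gpg --status-fd` on the decrypted part; the sample strings here stand in for that output.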
However, the EFF does not usually issue warnings without sound reasoning, so there is presumably a solid reason behind this sudden response. Its blog post repeats the advice quoted above: switch to alternative end-to-end channels such as Signal and stop sending, and especially reading, PGP-encrypted email until the flaws are understood and fixed.
Full details of the vulnerability are expected to be released on Tuesday at 7 am UTC. In the meantime, the EFF has published guides for disabling PGP in Thunderbird with Enigmail, in Apple Mail with GPGTools, and in Outlook with Gpg4win.
ProtonMail not affected
In an email conversation, ProtonMail, the world-renowned encrypted email service built on the PGP protocol, said its service is not affected by the flaw. The company’s spokesperson noted that the flaw is not new and has existed since 2001, making it a seventeen-year-old flaw.