Email Vulnerable: The internet’s two most popular forms of encryption over the net – PGP and S/MIME—vulnerable to hacks that can reveal the plaintext of encrypted emails and messages, according to researcher Sebastian Schinzel, a professor of computer security with Münster University of Applied Sciences.
After breaking the news on Twitter on Sunday night he added: “There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now.”
What is PGP?
PGP, which stands for Pretty Good Privacy, is one of the most popular encryption programs, it is a two-factor authentication system. Although it was first developed in 1991 by a software engineer named Phil Zimmermann, it became mainstream after whistleblower Edward Snowden revealed the scope of the US government’s surveillance programme. While PGP is today owned by Symantec, an open source implementation called GNU Privacy Guard (GPG) has been widely adopted by the security community in a number of contexts, this is referred to as OpenPGP.
>See also: Darknet Market still open for business
The Efail Report
The discovery was made as part of wider research which has just been released. While the security community react to the research and assess it, for now, Schinzel is keeping the public updated on social media. The EEF, who have seen the research in full, have issued a warning.
>See also: 5 tips for keeping corporate email secure
“Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email,” the EFF wrote in its blog post.
Furthermore, separate guides have been provided to disable PGP plugins in Thunderbird, Apple Mail, and Outlook. Anyone who wants their email communication to be secure and private should take notice.