Published: Mon, May 14, 2018
IT | By Emmett Cole

In the most popular encryption method found a hole

In the most popular encryption method found a hole

European researchers have found that the popular PGP and S/MIME email encryption standards are vulnerable to being hacked, leading them to urge people using them to disable and uninstall them immediately. The researchers say new and archived emails are vulnerable to attack. The Electronic Frontier Foundation advises to immediately disable all email tools that automatically decrypt PGP.

The researchers said on a website devoted to this vulnerability that "EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs".

Unfortunately, these apps that offer better security than email are all quick messaging platforms, which means you don't get all the features and organization you've grown accustomed to with Apple Mail, Outlook, or Thunderbird.

The use of PGP - short for Pretty Good Privacy - for secure communications has been advocated, among others, by Edward Snowden, who blew the whistle on pervasive electronic surveillance at the U.S. National Security Agency before fleeing to Russian Federation. According to Werner Koch, principal author of GNU Privacy Guard, users can protect themselves in two ways, one is by not using the HTML emails, and the other is to use authenticated encryption.

Full details of the flaws began to leak on Monday.

If you are asked for the admin password, enter it to confirm the action.

The researchers said that it will publish more detailed information on may 15.

But on Monday, Munich newspaper Süddeutsche Zeitung appeared to break that embargo. The flaw, named EFAIL, reportedly affects both sent and received messages, including past correspondence. The attacks rely on the attacker to be in possession of the encrypted emails and can trick either the sender or the recipient to open an invisible snippet of the intercepted messages in a new email.

Green already recommended not using PGP. The EFF's report only indicated that a vulnerability existed, and that users should disable PGP plugins in their mail clients until patches are deployed. "Poking through an OpenPGP implementation is like visiting a museum of 1990s crypto", he warned. "Disabling the presentation of incoming HTML emails in your email client will close the most prominent way of attacking Efail".

Electronic Frontier Foundation (EFF) has said it has confirmed a set of vulnerabilities that have the potential to reveal the contents of email previously thought to be encrypted with PGP.

Email users who use PGP (based on OpenPGP) and S/MIME to encrypt and decrypt their communications are at "immediate risk".

But some think the vulnerability warning is overblown.

PGP is often used to encrypt messages in popular email programs such as Outlook, Apple Mail, Thunderbird, and Enigmail. In computer security, an oracle attack refers to an attackers being able to exploit a vulnerability to extract information from a target.

"Don't use HTML mails". EFF has a write up on this also with all the links you need if reading Twitter is not your thing.

But if you're still anxious, you can always opt for plain-text over HTML emails - or just use Signal like everyone else. CounterMail, Hushmail and Mailfence all use OpenPGP.

Like this: