On Tuesday, a team of researchers is planning to release details of a critical vulnerability which they claim could have serious consequences for internet users who rely on PGP/GPG to encrypt and decrypt their sensitive email communications.
We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4
— Sebastian Schinzel (@seecurity) May 14, 2018
Details of the threat are currently very sketchy, but the Electronic Frontier Foundation (EFF) says that there is a risk that encrypted messages sent in the past could be exposed through exploitation of the vulnerability:
EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.
In fact, users are being advised to stop using and disable the encryption tools immediately in their email client if they use them for sensitive communications.
The EFF appears to have seen the research and has published its own blog post advising users to stop sending and – in particular – decrypting PGP/GPG-encrypted emails until the issues are more widely understood and fixed.
To that end, here are the EFF’s links on how to temporarily disable PGP/GPG encryption plugins on the Thunderbird, Apple Mail, and Outlook email clients:
Without knowing any details of the vulnerability, I might also add that disabling HTML email (and reading mail as plain text instead) is generally a jolly good idea from a security point of view, as it can reduce your attack surface considerably. However, I'm also aware that virtually nobody does this.
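To make the attack-surface point concrete, here is an added example (my own illustration, not code from the researchers or the EFF, and not a description of the undisclosed Efail technique). It parses a constructed multipart message, counts the text/html parts a rendering client would display, lists the remote resources (img src, url(...) in styles, http(s) links) that such a client might fetch automatically, and shows the plain-text view a client set to "plain text only" would show instead. The sample message and the example.invalid hostnames are constructed for the demonstration.

```python
"""Audit an RFC 5322 message for HTML rendering surface versus its plain-text view.

Added example: constructed sample mail, standard-library only.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Attribute/function forms inside HTML whose http(s) target a rendering
# client may fetch without asking: <img src=...>, <a href=...>, style url(...).
REMOTE_REF_RE = re.compile(
    r'''(?:src|href|url\()\s*=?\s*["']?\s*(https?://[^"'\s)>]+)''',
    re.IGNORECASE,
)

# Constructed sample: a multipart/alternative mail with a plain-text part and
# an HTML part that references two remote resources plus a mailto: link.
SAMPLE_RAW = b"""\
From: alice@example.invalid
To: bob@example.invalid
Subject: Meeting
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Meeting moved to 3pm. Agenda to follow next week.
--b1
Content-Type: text/html; charset="utf-8"

<html><body style="background:url(https://example.invalid/bg.png)">
<p>Meeting moved to <b>3pm</b>.</p>
<img src="https://example.invalid/track.gif" width="1" height="1">
<a href="mailto:alice@example.invalid">reply</a>
</body></html>
--b1--
"""


def html_parts(msg: EmailMessage) -> list:
    """Every text/html body part a client in HTML mode would render."""
    return [p for p in msg.walk() if p.get_content_type() == "text/html"]


def remote_references(msg: EmailMessage) -> list:
    """Remote http(s) resources referenced from the HTML parts, in document order."""
    refs = []
    for part in html_parts(msg):
        refs.extend(REMOTE_REF_RE.findall(part.get_content()))
    return refs


def plaintext_view(msg: EmailMessage) -> str:
    """What a client configured for plain text shows: only the text/plain bodies."""
    chunks = [
        p.get_content()
        for p in msg.walk()
        if p.get_content_type() == "text/plain" and not p.is_attachment()
    ]
    return "\n".join(chunks)


def audit(raw: bytes) -> dict:
    """Parse a raw message and summarise HTML surface versus the plain-text view."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {
        "html_parts": len(html_parts(msg)),
        "remote_references": remote_references(msg),
        "plaintext": plaintext_view(msg),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_RAW)
    print(f"HTML parts a rendering client would display: {report['html_parts']}")
    for url in report["remote_references"]:
        print(f"  would fetch: {url}")
    print("Plain-text view instead:")
    print(report["plaintext"])
```

Run against the sample, the audit finds one HTML part and two remote fetches (the background image and the 1x1 tracking pixel), while the plain-text view contains the same meeting notice with nothing for the client to fetch. That difference, not the specific message, is the reason disabling HTML rendering shrinks what an attacker can make your mail client do.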
Of course, if you recognise the need to securely encrypt your communications, you probably also understand that resorting to sending and receiving unencrypted email is far from an acceptable solution. For now you may wish to consider your other communication options, including end-to-end encrypted messaging apps such as Signal.
The researchers’ full findings are scheduled to be released at 7:00 am UTC on Tuesday as part of a co-ordinated public disclosure.
Until more details are made public, it’s hard to know just how serious the security issue really is. Hopefully affected vendors have been contacted in advance, so make sure that when the inevitable product updates and mitigation patches are pushed out you install them as quickly as possible.
Further reading: Despite Efail, the sky is not falling
Hi Graham/all,
Any news so far on whether PGP products that are not "OpenPGP" are affected? i.e. Symantec?
It's not really a GPG/PGP problem at all. It's a problem with email client software (and plugins).
More details at https://grahamcluley.com/despite-efail-the-sky-is-not-falling/