Critical PGP vulnerability could reveal text of your encrypted business emails


The Electronic Frontier Foundation (EFF), a San Francisco-based digital rights group, has reviewed the possible flaws and confirmed in a blog post that "these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages".

Users should immediately disable or remove any tools that automatically decrypt PGP-encrypted emails until the flaws are understood and fixed, EFF said.

S/MIME is very similar to PGP except that instead of users defining their own encryption methods and web of trust (how to share their private encryption keys), S/MIME uses predefined encryption standards and public-private keypairs distributed by a trusted authority.

The full details of the flaw are set for release at 7am UTC on Tuesday, which is 3am on the USA eastern seaboard, midnight Pacific time, 5pm in Sydney, and 12:30pm in Mumbai.

Encryption used by most email software - from Outlook and Windows Mail to Thunderbird and Apple Mail - can be intercepted by hackers who can read at least parts of the written text, a German-led research team announced on Monday. The flaw is in various email programs that failed to check for "decryption errors properly before following links in emails that included HTML code".

PGP, which stands for Pretty Good Privacy, is one of the most popular encryption programs; it is a two-factor authentication system.

The EFAIL vulnerabilities, which currently have no software patch, "might reveal the plaintext of encrypted emails, including encrypted emails sent in the past", according to researchers. On the other hand, S/MIME is used mainly in enterprise infrastructure. "You are thus only affected if an attacker already has access to your emails".

UPDATE 2: Because some researchers started disclosing details about the vulnerability ahead of schedule, the efail.de website is now live, along with the research paper, both containing more info on the EFAIL vulnerability.

PGP - short for Pretty Good Privacy - was invented back in 1991 by Phil Zimmermann and has always been viewed as a secure form of end-to-end encryption impossible for outsiders to access.

PGP is used by activists, journalists and whistleblowers, including Edward Snowden, who revealed details of pervasive electronic surveillance by United States intelligence agencies before fleeing to Russia. However, the researchers have confirmed the exploitable vulnerabilities only exist for email users.
