Serious bugs in PGP and S/MIME can leak encrypted e-mails

by do son · Published May 14, 2018 · Updated October 10, 2021

According to ArsTechnica, the previously widely used email encryption methods (PGP and S/Mime) on the Internet has revealed two serious flaws, or have caused encrypted emails to be exposed to hackers. Later on Sunday, a researcher warned that there is currently no reliable solution, and only those who use encryption standards for sensitive communications will be immediately removed from the email client.

There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now. Also read @EFF’s blog post on this issue: https://t.co/zJh2YHhE5q #efail 2/4

— Sebastian Schinzel @seecurity@infosec.exchange (@seecurity) May 14, 2018

Sebastian Schinzel, professor of computer security at the Department of Applied Sciences at the University of Muenster, said on Twitter:

The vulnerability “might reveal the plaintext of encrypted emails, including encrypted emails you sent in the past. There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now.”

Image: computersecuritypgp

In addition, Schinzel quoted the Electronic Frontier Foundation (EFF) as saying:

“EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.”

Both the Schinzel and EFF blog posts point out that users should disable relevant encryption plugins in email clients such as Thunderbird, macOS Mail, and Outlook.

It is worth pondering that it is only explicitly reminded to disable those email clients that integrate GPG, while Gpg4win, GNU Privacy Guard, etc. are not included in this list.

Others engaged in GPG and S/MIME research include Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Simon Friedberger, juraj somorovsky, Jörg Schwenk.

In addition to Münster University, researchers also mentioned Ruhr-University and KU Leuven University.

Source: ArsTechnica