Critical Vulnerabilities in PGP and S/MIME Make Email Encryption Practically Useless
A group of academics led by Professor Sebastian Schinzel from the University of Applied Sciences in Münster has warned about critical vulnerabilities in PGP and S/MIME. While the technical details of the issue have not yet been disclosed, they are expected to be published on May 15, 2018.
According to experts, these flaws in PGP and S/MIME allow encrypted messages to be read as plain text. Even worse, the problem affects not only new messages but also old emails that were previously sent and received.
On Twitter, Schinzel stated that no patches are currently available for the discovered vulnerabilities and recommended temporarily discontinuing the use of PGP and S/MIME altogether.
To raise awareness and warn users, the researchers reached out to the Electronic Frontier Foundation (EFF) for assistance. The EFF confirmed the severity of the vulnerabilities and published a statement urging users to disable or uninstall tools that work with PGP and S/MIME. Until fixes are available, users are advised to consider using the Signal messenger as an alternative for secure communication.
The EFF also published instructions for disabling the relevant plugins:
- Thunderbird with Enigmail
- Apple Mail with GPGTools
- Outlook with Gpg4win
Meanwhile, the developers of GnuPG report that the discovered vulnerabilities do not directly affect GnuPG or Enigmail, but are related to the use of PGP in email clients. Additionally, the website efail.de went live earlier than planned, revealing that the issues only occur with emails sent in HTML format.
For more information, you can read the EFF's statement here: Attention PGP Users: New Vulnerabilities Require You to Take Action Now.