Critical vulnerabilities in PGP/GPG and S/MIME email encryption, warn researchers

Update

Full details of the Efail flaw have now been made public ahead of the original schedule.

On Tuesday, a team of researchers is planning to release details of a vulnerability which they claim could have serious consequences for internet users who rely on PGP/GPG to encrypt and decrypt their sensitive communications.

Details of the threat are currently very sketchy, but the Electronic Frontier Foundation (EFF) says that there is a risk that encrypted messages sent in the past could be exposed through exploitation of the vulnerability:

EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.

In fact, users are being advised to stop using and disable the encryption tools immediately in their email client if they use them for sensitive communications.

The EFF appears to have seen the research and has published its own blog post advising users to stop sending and – in particular – decrypting PGP/GPG-encrypted emails until the issues are more widely understood and fixed.

To that end, here are the EFF’s links on how to temporarily disable PGP/GPG encryption plugins on the Thunderbird, Apple Mail, and Outlook email clients:

Without knowing any details of the vulnerability, I might also add that generally disabling HTML email is a jolly good idea from a security point of view, as it can reduce your attack surface considerably. However, I’m also aware that virtually nobody does this.

Of course, if you recognise the need to securely encrypt your communications, you probably also understand that resorting to sending and receiving unencrypted email is far from an acceptable solution. For now you may wish to consider your other communication options, including end-to-end encrypted messaging apps such as Signal.

The researchers’ full findings are scheduled to be released at 7:00 am UTC on Tuesday as part of a co-ordinated public disclosure.

Until more details are made public, it’s hard to know just how serious the security issue really is. Hopefully affected vendors have been contacted in advance, so make sure that when the inevitable product updates and mitigation patches are pushed out you install them as quickly as possible.


About the author, Graham Cluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and privacy.

Follow him on Twitter at @gcluley, or drop him an email.
