Vulnerabilities found in -encrypted emails, users urged to take immediate action

A group of European researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. These vulnerabilities pose an immediate risk to those using these tools for communication, including the potential exposure of the contents of past messages.

A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. The Electronic Frontier Foundation (EFF) says it has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.

The full details of the vulnerability will be published in a paper tomorrow (Tuesday, 15 May, at 3:00 a.m. EST, midnight Pacific).

EFF says that in order to reduce the short-term risk, EFF and the researchers have agreed to warn the wider PGP user community in advance of the full publication of the vulnerability.

EFF and the researchers urge users to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.

For a detailed discussion of the vulnerability and how to minimize the risk it entails, see Erica Portnoy, Danny O’Brien, and Nate Cardozo, “Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw” (EFF, 14 May 2018).

Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.

Users should refer to these guides on how to temporarily disable PGP plug-ins in:

Thunderbird with Enigmail

Apple Mail with GPGTools

Outlook with Gpg4win

EFF notes that these steps are intended as a temporary, conservative stopgap until the immediate risk of the exploit has passed and been mitigated against by the wider community.
