Researchers discover major flaw in email encryption

A critical PGP flaw could expose your past emails.


Christina Bonnington


Posted on May 14, 2018. Updated on May 21, 2021, 3:53 pm CDT.

A serious Pretty Good Privacy (PGP) flaw could expose emails sent in the past by anyone who uses either PGP or S/MIME for email encryption, and security researchers are recommending that users immediately disable or uninstall tools that automatically decrypt email.

In an era when email hacks are a very real and common personal security threat, encryption is a way to ensure prying eyes don’t spy on your digital correspondence. PGP has been a widely adopted standard for email encryption.

Unfortunately, a group of European researchers published a warning this weekend about a critical PGP hole that could expose private emails to hackers.

A paper detailing the vulnerability, co-authored by Sebastian Schinzel, computer security professor at the Münster University of Applied Sciences in Germany, is available online.

The issue, dubbed EFAIL, has to do with a hole in the OpenPGP and S/MIME standards that can reveal the plain text of encrypted emails. Attacks using the EFAIL vulnerability take advantage of “active content” in HTML emails, such as externally loaded graphics, so that the decrypted plain text leaks out through the URLs the email client requests. There are two different types of attack, which the researchers have dubbed Direct Exfiltration and the CBC/CFB Gadget attack.

“Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email,” the Electronic Frontier Foundation advised in a post published Sunday evening (emphasis theirs). “Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.”

For those affected, the Electronic Frontier Foundation has three guides on how to temporarily disable PGP plug-ins. Despite the Mac desktop app flaw discovered last week, the EFF recommends using an app like Signal for secure communications until EFAIL is properly resolved.

If you want to continue to send and receive PGP-encrypted emails, the researchers advise decrypting those messages in a separate application, not your email client. You can also disable HTML rendering in your email messages. According to some in the security community, such as GNU Privacy Guard, the EFAIL issue is primarily a fault of email providers rather than a failing of the encryption protocol itself.
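The two mitigations above (decrypt in a separate application rather than the email client, and do not render HTML) can be turned into a pre-rendering policy that an email client applies to every incoming message. The following is an added example, not code from the article, the researchers, or any mail client: it uses only the Python standard library, detects the EFAIL-relevant shape described earlier (an encrypted part sitting next to HTML that would fetch remote URLs), and refuses to auto-decrypt in that case. The three sample messages, the `REMOTE_ATTRS` table and the policy names are constructed for the example; the PGP block is a placeholder string, not real ciphertext.

```python
"""Pre-rendering checks for messages carrying PGP/MIME, inline PGP or S/MIME
content: never auto-decrypt (hand the message to a separate application), and
never render HTML that loads remote content alongside an encrypted part.
All sample messages below are constructed for this example."""
import email
from email import policy
from html.parser import HTMLParser

# Tags whose attribute makes a rendering client fetch a URL (constructed list).
REMOTE_ATTRS = {"img": "src", "iframe": "src", "script": "src",
                "link": "href", "video": "src", "audio": "src", "source": "src"}

# Policy outcomes (names chosen for this example).
RENDER = "render"
RENDER_NO_REMOTE = "render-without-remote-content"
DECRYPT_EXTERNALLY = "decrypt-in-separate-app"
BLOCK = "block-auto-decrypt"


class RemoteLoadFinder(HTMLParser):
    """Collects (tag, url) pairs that would trigger a network request."""

    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        wanted = REMOTE_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            url = (value or "").strip()
            if name == wanted and url.lower().startswith(("http://", "https://", "//")):
                self.remote.append((tag, url))


def analyze(raw):
    """Return (encrypted_part_types, remote_loads) for a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    encrypted, remote = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        # PGP/MIME container or S/MIME envelope: treat as encrypted content.
        if ctype in ("multipart/encrypted", "application/pkcs7-mime"):
            encrypted.append(ctype)
        elif ctype == "text/plain" and "-----BEGIN PGP MESSAGE-----" in part.get_content():
            encrypted.append("inline-pgp")
        elif ctype == "text/html":
            finder = RemoteLoadFinder()
            finder.feed(part.get_content())
            finder.close()
            remote.extend(finder.remote)
    return encrypted, remote


def render_policy(raw):
    """Decide how the client may handle the message before decrypting anything."""
    encrypted, remote = analyze(raw)
    if encrypted and remote:
        return BLOCK              # ciphertext next to URL-fetching HTML: do not auto-decrypt
    if encrypted:
        return DECRYPT_EXTERNALLY  # the article's advice: decrypt outside the mail client
    if remote:
        return RENDER_NO_REMOTE    # plain HTML: show it, but never fetch remote resources
    return RENDER


# Constructed samples.
PLAIN_MSG = """\
From: alice@example.org
To: bob@example.org
Subject: constructed plain-text sample
Content-Type: text/plain; charset="utf-8"

Hi Bob, nothing encrypted here.
"""

HTML_MSG = """\
From: alice@example.org
To: bob@example.org
Subject: constructed HTML sample
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi</p><img src="https://tracker.example/pixel.png"></body></html>
"""

MIXED_MSG = """\
From: alice@example.org
To: bob@example.org
Subject: constructed encrypted-plus-HTML sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi</p><img src="https://tracker.example/pixel.png"></body></html>
--outer
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="inner"

--inner
Content-Type: application/pgp-encrypted

Version: 1
--inner
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
placeholder, not real ciphertext
-----END PGP MESSAGE-----
--inner--
--outer--
"""

if __name__ == "__main__":
    for label, raw in (("plain", PLAIN_MSG), ("html", HTML_MSG), ("mixed", MIXED_MSG)):
        print(label, "->", render_policy(raw))
```

The policy is deliberately conservative: any encrypted part, even one with no HTML beside it, is routed to a separate application, which is exactly the workaround the researchers recommend until clients and the standards are fixed. Remote-content detection here is attribute-based and does not try to evaluate CSS or scripts, so a real client would still want HTML rendering disabled outright rather than relying on this check alone.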

In the future, patches should prevent this PGP flaw from being exploited. For a long-term solution, the OpenPGP and S/MIME standards will need to be updated to completely prevent these kinds of attacks from happening.

H/T Gizmodo

First Published: May 14, 2018, 3:06 pm CDT