Critical PGP vulnerability could reveal text of your encrypted business emails

Daniel Sambraus—EyeEm  Getty Images

The EFF appears to have seen the research and has published its own blog post advising users to stop sending and - in particular - decrypting PGP/GPG-encrypted emails until the issues are more widely understood and fixed.

Professor Schinzel posted on Twitter that the university would publish its findings in the early hours of Tuesday morning, before alerting the Electronic Frontier Foundation (EFF), which first reported the vulnerability.

Some security experts said that because EFAIL seems to affect specific email applications, it is overkill to say that there is a flaw in the actual underlying encryption protocols.

The foundation has created guides for disabling PGP in Outlook with Gpg4win, Thunderbird with Enigmail, and Apple Mail with GPGTools. The attack works even on emails that were collected long ago, and is triggered as soon as the recipient decrypts a single maliciously crafted email from the attacker.

After breaking the news on Twitter on Sunday night, he added: "There are now no reliable fixes for the vulnerability."

PGP encryption is mostly used by political activists, journalists, and whistleblowers as an extra layer of protection. Secure/Multipurpose Internet Mail Extensions (S/MIME) is an alternative end-to-end encryption standard that is used to secure corporate email communication.

The EFAIL vulnerabilities, which currently have no software patch, "might reveal the plaintext of encrypted emails, including encrypted emails sent in the past", according to researchers.

If you use email to send sensitive information and rely on encryption to protect it, note that the OpenPGP and S/MIME standards used for end-to-end encryption have been broken. In the attack, the victim's email client decrypts the email and loads any external content, thereby exfiltrating the plaintext to the attacker. According to the European researchers, "EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs".

The security flaws could potentially leak the contents of the encrypted messages you send and receive via email when they are protected with PGP or S/MIME encryption. In addition, "use authenticated encryption".

So far, it's not clear how many mail user agents (MUAs) or service providers are vulnerable to the two flaws found by researchers. The importance of email encryption went mainstream after whistleblower Edward Snowden revealed the extent of the US government's electronic surveillance in 2013. There are other backchannels that could be used to attack the information, but they are harder to exploit.