Critical PGP/GPG, S/MIME vulnerabilities require immediate action

News by Teri Robinson

A group of European security researchers readied the release of a paper for early 15 May detailing vulnerabilities in PGP/GPG and S/MIME email encryption that could reveal the plaintext of encrypted emails.

As a group of European security researchers readied the release of a paper for early 15 May detailing vulnerabilities in PGP/GPG and S/MIME email encryption that could reveal the plaintext of encrypted emails, the Electronic Frontier Foundation (EFF) issued a warning to the PGP user community, advising users to “immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted mail.”

Promising greater detail, the researchers tweeted Sunday that plaintext might be revealed even in past encrypted emails.

“Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal and temporarily stop sending and especially reading PGP-encrypted email,” the EFF wrote in a blog post, noting that the organisation along with the European researchers were warning PGP users in advance in an effort “to reduce the short-term risk.”

The EFF offered guides for temporarily disabling PGP plug-ins for Thunderbird with Enigmail, Apple Mail with GPGTools, and Outlook with Gpg4win.

“These steps are intended as a temporary, conservative stopgap until the immediate risk of the exploit has passed and been mitigated against by the wider community,” the EFF blog said. “We will release more detailed explanation and analysis when more information is publicly available.”

Calling the #efail issue “clearly overhyped producing subpar user advice,” Joel Wallenstrom, Wickr CEO and data privacy expert, called the issue “very symptomatic of a larger trend impacting communication security.”

Noting that “PGP and other protocols used to run email rely on the server to manage keys and store content,” Wallenstrom stressed “that users tend to never delete old emails, no matter how sensitive” so that anyone that has a user's “PGP keys has access to your entire email spool (not just one message), making it practically impossible to protect communications.”

The burden rests at least partially “on users to not only ensure proper configuration but also a timely disposal of communications that are no longer needed so they cannot be compromised,” he said. “These unrealistic expectations will always lead to poor security.”

In an email to SC Media UK, Randhir Shinde, CEO, Galaxkey, added, “These vulnerabilities show that companies can no longer be complacent about protecting their data and sensitive information. Business needs to take protection seriously. Encryption services need to be upgraded, but companies need to also look beyond encryption – they must ensure that data is managed and held securely. Until this happens, our personal information remains vulnerable and regular data breaches will continue.”

A more radical solution, giving up on email altogether, is proposed by Wire CEO Morten Brogger, who commented in an email to SC Media UK that the news “...highlights the danger in relying on email for sensitive communication. Email protocol was never built with security in mind. Efforts to make email safer haven't seen widespread adoption because these solutions are ‘hacks’ on top of legacy infrastructure, causing an error prone and clunky user experience.” Instead, Brogger says, companies must “...invest to secure their internal and external communications. This investment in time and money must go into new future-proofed platforms that are built from the ground-up with security in mind. In 2018, businesses must re-evaluate how they communicate, opting to phase out email for secure communications solutions that are open-source, independently audited and end-to-end encrypted.”
