December 26, 2024

Critical PGP and S/MIME Bugs May Reveal Plaintext of Encrypted Emails

Posted May 14, 2018 at 1:23pm by iClarified · 6749 views
A group of security researchers have found critical vulnerabilities in PGP/GPG and S/MIME email encryption that can reveal the plaintext of encrypted emails, including encrypted emails sent in the past.

Sebastian Schinzel, a professor of computer security at Münster University of Applied Sciences, announced the discovery on Twitter.

"There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now."

The EFF says it has confirmed that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages. It's suggested that users "immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email."

Here are the guides posted by the EFF that show you how to temporarily disable PGP plug-ins:
Thunderbird with Enigmail
Apple Mail with GPGTools
Outlook with Gpg4win

Full vulnerability details will be published in a paper that will be posted Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific).

Read More