PGP is leaking your emails in plaintext and there's no known fix
EFF advises switching to Signal
YOUR EMAILS could be vulnerable to interception following the discovery of a major flaw in PGP and S/MIME encryption, far and away the most popular way of protecting emails.
Researchers at FH Munster University of Applied Sciences have released details of a vulnerability, with no known patch, which could allow hackers to turn an encrypted message back into plain text and read it.
You could stop sending e-mails, except that even your old messages are vulnerable.
"There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now," said Sebastian Schinzel, a professor of computer security at the University.
Teams from KU Leuven University and Ruhr University have worked alongside FH Munster, and the Electronic Frontier Foundation (EFF) is working with them to get the word out.
"Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email," said EFF.
This includes Enigmail for Thunderbird, GPGTools for Apple Mail and Gpg4win for Outlook, all of which offer to decrypt emails on the fly.
It continues: "The flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email."
Full instructions on how to disable these plug-ins are available here. More details are starting to drip out, but the warning is that leaving automatic decryption active increases the danger, so for now switching to something known to be safe is the best course of action.
The EFF points out that this action represents "a temporary, conservative stop-gap" until the security team has released full details of the problem, due tomorrow at 0700 GMT.
Once the official announcement is made, there may turn out to be more practical ways of avoiding the problem, but for now, suck it up.
It wasn't that long ago that OEMs were being warned to share details of vulnerabilities in their chips via PGP so hackers couldn't eavesdrop. Erm. Oops.
It is unlikely to turn into another Heartbleed, given that for most people this level of encryption is belt and braces - nobody cares what you had for dinner - but for those who rely on PGP for genuine confidentiality? It's time to squirm, seemingly.
Alternatively, you can throw the baby out with the bath water by publishing your PGP key, like Adobe.