Critical PGP/GPG, S/MIME email encryption vulnerabilities require immediate action, EFF warns

2018-05-14

As a group of European security researchers readied the release of a paper for early May 15 detailing vulnerabilities in PGP/GPG and S/MIME email encryption that could reveal the plaintext of encrypted emails, the Electronic Frontier Foundation (EFF) issued a warning to the PGP user community, advising users to “immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted mail.”

Promising greater detail, the researchers tweeted Sunday that plaintext might be revealed even in past encrypted emails.

“Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email,” the EFF wrote in a blog post, noting that the organization, along with the European researchers, was warning PGP users in advance in an effort “to reduce the short-term risk.”

The EFF offered guides for temporarily disabling PGP plug-ins for Thunderbird with Enigmail, Apple Mail with GPGTools, and Outlook with Gpg4win.

“These steps are intended as a temporary, conservative stopgap until the immediate risk of the exploit has passed and been mitigated against by the wider community,” the EFF blog said. “We will release more detailed explanation and analysis when more information is publicly available.”

Calling the #efail issue “clearly overhyped producing subpar user advice,” Joel Wallenstrom, Wickr CEO and data privacy expert, described it as “very symptomatic of a larger trend impacting communication security.”

Noting that “PGP and other protocols used to run email rely on the server to manage keys and store content,” Wallenstrom stressed “that users tend to never delete old emails, no matter how sensitive” so that anyone who has a user's “PGP keys has access to your entire email spool (not just one message), making it practically impossible to protect communications.”

The burden rests at least partially “on users to not only ensure proper configuration but also a timely disposal of communications that are no longer needed so they cannot be compromised,” he said. “These unrealistic expectations will always lead to poor security.”