If you’ve been under the impression that your secure email client is keeping you safe, then it’s time to rethink your privacy strategy. If you have been relying on PGP or S/MIME to keep your email safe, then you need to stop using them right away. A group of European researchers has discovered vulnerabilities in both standards used for the secure transmission of email.
The security flaws in both standards were discovered by a group of researchers in Europe. The researchers are from Münster University, Ruhr-University, and KU Leuven University, and members of the group previously revealed the DROWN attack that affected some 11 million sites using the HTTPS protocol in 2016. The security flaw discovered in the PGP and S/MIME encryption methods could potentially leak the contents of your encrypted messages when you sign them using these standards.
The group of researchers plans to publish its research paper with details about the vulnerability on Tuesday. Their early findings detail the EFAIL attacks, which break the PGP and S/MIME email encryption standards by coercing clients into sending the full plaintext of the emails to the attacker. The researchers also note that there is no fix for the vulnerability just yet and that it is better not to sign off your emails using the PGP or S/MIME standards.
To execute an attack, the attacker needs to have access to your PGP or S/MIME encrypted emails, and the attack could be aimed at specific users. It is recommended to disable PGP plugins in your email client of choice until there is more information about the vulnerability and a fix is determined for the issue.
Speaking for Enigmail: don’t believe the hype. Don’t panic. Make sure you’re running the latest version of Enigmail. Yes, we have seen the paper. Out of deference to the paper authors, we will forego further comment until publication. https://t.co/I5crWs8fYI
— Robert J. Hansen (@robertjhansen) May 14, 2018
In a user group email chain, Werner Koch, the founder of GNU Privacy Guard, an implementation of the OpenPGP standard, notes that HTML emails may not be entirely secure in PGP and S/MIME email clients at this point. The vulnerability does not seem to be restricted to the encryption standards alone, and the worst part is that there is no fix for it just yet. Robert Hansen, who works on the Enigmail plugin for Thunderbird, which allows users to read and send emails signed with OpenPGP, recommends updating the application to stay secure.