European researchers have found that the popular PGP and S/MIME email encryption standards, famously used by Edward Snowden, are vulnerable to being hacked, leading them to urge people using them to disable and uninstall them immediately.
Cluley is among several security experts who have pointed out that EFAIL does not rely on any inherent weakness in PGP/GPG itself; it exploits users who have not told their email clients to stop rendering remote or external content automatically. EFAIL basically strips those protections and lets attackers read encrypted messages regardless of who sent them, how long ago they were sent, or how they were initially compromised.
However, one provider of software that can encrypt data using PGP explained the problem specifically concerned email programs that failed to check for decryption errors properly before following links in emails that included HTML code.
University researchers from Muenster and Bochum in Germany, and Leuven in Belgium, discovered the flaws in the encryption methods that can be used with popular e-mail applications such as Microsoft Outlook and Apple Mail. By injecting malformed images or styling resources into encrypted plaintext, the attacker has a one in three chance of success at decoding the remainder of the target email.
"You need to take action now", says Alan Woodward, a professor of computer science at the University of Surrey.
To help users, the organization has even posted guides on how to disable PGP in Thunderbird, Outlook and Apple Mail.
Unlike PGP, S/MIME (Secure/Multipurpose Internet Mail Extensions) is an email-only encryption program.
Morten Brogger, CEO of Wire, a B2B end-to-end encryption firm, said: "Today's announcement from the EFF highlights the danger in relying on email for sensitive communication".
The research also prompted the Electronic Frontier Foundation (EFF) to issue a warning that encrypted messages sent in the past could be exposed through exploitation of the vulnerability.
"There are two ways to mitigate this attack", Koch writes in a Monday post to the GnuPG mailing list. He recommended switching off HTML emails or using authenticated encryption. "Use offline tools to decrpt PGP messages you have received in the past", the group said.
Now You: Do you use OpenPGP or S/MIME? And many corporate email services employ S/MIME.
UPDATE 2: Because some researchers started disclosing details about the vulnerability ahead of schedule, the efail.de website is now live, along with the research paper, both containing more info on the EFAIL vulnerability.
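The two mitigations quoted above (check for decryption errors before rendering, and keep remote content out of decrypted HTML) can be combined into a single gate in front of the mail renderer. The sketch below is an added example, not code from the article, the researchers or GnuPG: the function names and sample inputs are constructed, and it assumes the status lines come from `gpg --status-fd`.

```python
import re

# Anything that would make a mail client fetch a remote resource while rendering.
# Matched on raw text on purpose, so an unterminated attribute is still caught.
REMOTE_REF = re.compile(
    r"""\b(?:src|href|background|poster|action|srcset)\s*=\s*["']?\s*(?:(?:https?|ftp):)?//"""
    r"""|url\s*\(|@import""",
    re.IGNORECASE,
)

def status_keywords(status_lines):
    """Extract KEYWORD from each '[GNUPG:] KEYWORD args...' status line."""
    words = set()
    for line in status_lines:
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            words.add(parts[1])
    return words

def integrity_ok(status_lines):
    """True only if decryption succeeded AND the integrity check passed."""
    words = status_keywords(status_lines)
    if words & {"BADMDC", "DECRYPTION_FAILED"}:
        return False
    # A missing GOODMDC means the plaintext was never authenticated.
    return {"DECRYPTION_OKAY", "GOODMDC"} <= words

def render_decision(status_lines, body):
    """Return 'reject', 'plain-text-only' or 'render-html' for a decrypted body."""
    if not integrity_ok(status_lines):
        return "reject"            # never hand unauthenticated plaintext to a renderer
    if REMOTE_REF.search(body):
        return "plain-text-only"   # show the text, fetch nothing
    return "render-html"

# Constructed sample inputs (not taken from a real message).
STATUS_GOOD = ["[GNUPG:] BEGIN_DECRYPTION", "[GNUPG:] DECRYPTION_OKAY",
               "[GNUPG:] GOODMDC", "[GNUPG:] END_DECRYPTION"]
STATUS_NO_MDC = ["[GNUPG:] BEGIN_DECRYPTION", "[GNUPG:] DECRYPTION_OKAY",
                 "[GNUPG:] END_DECRYPTION"]
STATUS_BAD = ["[GNUPG:] BEGIN_DECRYPTION", "[GNUPG:] BADMDC",
              "[GNUPG:] DECRYPTION_FAILED", "[GNUPG:] END_DECRYPTION"]
BODY_CLEAN = "<p>Meeting moved to <b>10:00</b>.</p>"
BODY_REMOTE = '<img src="http://logger.example/Meeting moved to 10:00'

if __name__ == "__main__":
    for status, body in [(STATUS_GOOD, BODY_CLEAN), (STATUS_GOOD, BODY_REMOTE),
                         (STATUS_NO_MDC, BODY_CLEAN), (STATUS_BAD, BODY_CLEAN)]:
        print(render_decision(status, body))
```

The pattern is conservative: it will also downgrade a harmless message that merely quotes a URL inside an attribute, which is the safer failure for this check.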