What is PGP encryption? How to protect against the PGP vulnerability

Researchers find major flaw in email encryption program PGP, leaving users' messages exposed

German researchers have found a major vulnerability in PGP (Pretty Good Privacy), a popular email encryption program, which could reveal past and present encrypted emails.

Sebastian Schinzel, professor of computer science at Münster University, investigated the flaw, tweeting that full details of the vulnerability will be available from 15 May.

He said: "They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past."

We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4

— Sebastian Schinzel (@seecurity) May 14, 2018

Since its release in 1991, PGP has been considered the standard for encrypted messages, holding its place as one of the most popular methods of sending private emails.

Its use has tailed off noticeably, however, with the adoption of private messaging apps such as Signal or Telegram, which offer end-to-end encryption.

The Electronic Frontier Foundation (EFF), a San Francisco-based digital rights group, has reviewed the possible flaws and confirmed in a blog post that "these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages."

Details about the vulnerability have been released by the Süddeutsche Zeitung newspaper ahead of the scheduled embargo.

How to protect against the PGP flaw

The advice from the EFF and Schinzel is the same: disable any plug-ins that use PGP, stop sending and reading PGP-encrypted email, and use other end-to-end encrypted channels, such as Signal, for the time being.

The EFF has issued detailed tutorials on how to disable PGP encryption in the major email clients such as Outlook and Apple Mail.

If you use Thunderbird with Enigmail, Apple Mail with GPGTools, or Outlook with Gpg4win, the EFF has step-by-step tutorials to temporarily disable their PGP plug-ins.

It's believed that the vulnerabilities exist in the email clients themselves, rather than the PGP encryption protocol. 

According to the GNU Privacy Guard (GnuPG) encryption software project, the problem comes from email programs that fail to check for decryption errors properly and that follow links in emails containing HTML code.

They figured out mail clients which don't properly check for decryption errors and also follow links in HTML mails. So the vulnerability is in the mail clients and not in the protocols. In fact OpenPGP is immune if used correctly while S/MIME has no deployed mitigation.

— GNU Privacy Guard (@gnupg) May 14, 2018
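The two client-side checks GnuPG describes, as an added Python example (not code from GnuPG, the EFF or any mail client): plaintext is shown only when gpg's `--status-fd` output reports `DECRYPTION_OKAY` with no `DECRYPTION_FAILED` or `BADMDC`, and elements that would load remote content are listed so they can be blocked. The function names and sample inputs are constructed for illustration, and the example assumes the client reads gpg's `[GNUPG:]` status lines.

```python
from html.parser import HTMLParser

# GnuPG --status-fd keywords that mean the decryption must not be trusted.
FAILURE_KEYWORDS = {"DECRYPTION_FAILED", "BADMDC"}

def decryption_succeeded(status_lines):
    """True only if gpg reported DECRYPTION_OKAY and no failure keyword."""
    keywords = {parts[1] for parts in (line.split() for line in status_lines)
                if len(parts) > 1 and parts[0] == "[GNUPG:]"}
    return "DECRYPTION_OKAY" in keywords and not (keywords & FAILURE_KEYWORDS)

class RemoteRefFinder(HTMLParser):
    """Collects references a renderer would fetch without any user action."""
    AUTO_LOAD_ATTRS = {"src", "background", "poster"}

    def __init__(self):
        super().__init__()
        self.remote_refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            auto = name in self.AUTO_LOAD_ATTRS or (tag == "link" and name == "href")
            url = (value or "").strip()
            if auto and url.lower().startswith(("http://", "https://", "//")):
                self.remote_refs.append((tag, name, url))

def display_decision(status_lines, decrypted_html):
    """Return (show_plaintext, remote_refs_to_block) for one decrypted message."""
    if not decryption_succeeded(status_lines):
        return False, []  # never pass partial or modified output to the renderer
    finder = RemoteRefFinder()
    finder.feed(decrypted_html)
    finder.close()
    return True, finder.remote_refs

# Constructed sample inputs (not captured from a real gpg run or message).
OK_STATUS = ["[GNUPG:] BEGIN_DECRYPTION", "[GNUPG:] DECRYPTION_OKAY",
             "[GNUPG:] GOODMDC", "[GNUPG:] END_DECRYPTION"]
BAD_STATUS = ["[GNUPG:] BEGIN_DECRYPTION", "[GNUPG:] BADMDC",
              "[GNUPG:] DECRYPTION_FAILED", "[GNUPG:] END_DECRYPTION"]
SAMPLE_HTML = ('<p>Hi</p><img src="https://tracker.example/p.png">'
               '<a href="https://example.org/">link</a>')

if __name__ == "__main__":
    print(display_decision(OK_STATUS, SAMPLE_HTML))
    print(display_decision(BAD_STATUS, SAMPLE_HTML))
```

The content check is a second layer only; a client should also refuse remote loads at the network level when displaying decrypted mail.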

Werner Koch, principal author of GnuPG, described the issue as "overblown" by the EFF in a blog post today. He also noted that he was not contacted about the issue directly.

Right now there is no fix for the flaw, so taking extra precautions and using an alternative secure messaging service is the best temporary way to navigate the situation. 


Stories by Christina Mercer
