PGP Email has Critical Flaw

EnlargeElsamuko

EnlargeElsamuko

The researchers recommend disabling HTML rendering in your email client to prevent your PGP messages from being decrypted.

"There are now no reliable fixes for the vulnerability", lead researcher Sebastian Schinzel, professor of applied cryptography at the Muenster University of Applied Sciences, said on Monday.

A second Tweet warns "There are now no reliable fixes for the vulnerability". The potential for compromised communications increases if the email is part of a group conversation, as the attacker only needs to target one person in the chain to pull off the decryption.

Disabling PGP and S/MIME are seen as conservative stopgaps until proper mitigation can be applied more broadly.

A team of nine academics is warning the world about a critical vulnerability in the OpenPGP and S/MIME email encryption tools.

German researchers have warned those using a popular form of email encryption that serious flaws mean their messages could be decoded by attackers.

Pretty Good Privacy (PGP) is an encryption tool used to sign emails, documents, directories, and even full hard disks. According to the European researchers, "EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs".

Xerox says ending deal with Fujifilm
As part of its choice to call off the merger contract, Xerox fired its chief executive Jeff Jacobson in ancient might. However, Xerox said it had repeatedly requested new negotiations be opened between the two businesses on the deal.

PGP is considered the standard for email encryption and was first introduced way back in 1991.

"They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past", researchers said.

Researcher Sebastian Schinzel, a professor of computer security with Münster University of Applied Sciences, claims to have identified a security flaw that "might reveal the plaintext of encrypted emails, including encrypted emails sent in the past". PGP encryption is used by some of the bigger guys such as Apple Mail, Outlook, and Thunderbird.

PGP works using an algorithm to generate a "hash", or mathematical summary, of a user's name and other information. Users are advised to stop using tools that decrypt PGP or S/MIME encrypted emails. This is then encrypted with the sender's private "key" and decrypted by the receiver using a separate public key.

The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim.

To exploit the weakness, a hacker would need to have access to an email server or the mailbox of a recipient.

Latest News