Computer technologies

Critical vulnerabilities in PGP and S/MIME make encryption of correspondence practically useless


A group of academics led by Sebastian Schinzel, a professor at the University of Applied Sciences in Münster, has warned of critical vulnerabilities in PGP and S/MIME. Technical details of the problem have not yet been disclosed; they are promised for tomorrow, May 15, 2018.

According to the experts, what is known so far is that the flaws in PGP and S/MIME allow messages encrypted this way to be read in plaintext. Worse, the problem also applies to old messages sent and received earlier.

On Twitter, Schinzel writes that there are currently no patches for the problems found, and recommends temporarily not using PGP and S/MIME at all.

"There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now. Also read @EFF's blog post on this issue: #efail 2/4"

– Sebastian Schinzel (@seecurity) May 14, 2018

To publicize the issue and warn users, the researchers turned to the Electronic Frontier Foundation (EFF) for help. EFF representatives confirmed the criticality of the detected problems and published a message in which they also called for disabling or uninstalling tools for working with PGP and S/MIME. Until fixes are available, users are advised to consider Signal as an alternative method of secure communication.

In addition, the Electronic Frontier Foundation's experts published instructions for disabling the corresponding plug-ins:

  • Thunderbird with Enigmail;
  • Apple Mail with GPGTools;
  • Outlook with Gpg4win.

However, the GnuPG developers report that the detected vulnerabilities do not directly affect GnuPG and Enigmail, but are related to how PGP is used in mail clients. In addition, the site went live ahead of schedule, and it became known that the problems arise only with messages that were transmitted in HTML format.