A group of academics led by Sebastian Schinzel, a professor at the University of Applied Sciences in Münster, has warned of critical vulnerabilities in PGP and S/MIME. The technical details of the problem have not yet been disclosed; the researchers promise to publish them tomorrow, May 15, 2018.
According to the experts, what is known so far is that the flaws in PGP and S/MIME make it possible to read messages encrypted this way in plain text. Worse, the problem also applies to old emails sent and received earlier.
On Twitter, Schinzel writes that there are currently no patches for the problems found, and recommends temporarily not using PGP and S/MIME at all.
There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now. Also read @EFF's blog post on this issue: https://t.co/zJh2YHhE5q #efail 2/4
– Sebastian Schinzel (@seecurity) May 14, 2018
To publicize the issue and warn users, the researchers turned to the Electronic Frontier Foundation (EFF) for help. EFF representatives confirmed that the detected problems are critical and published a statement in which they also called for disabling or uninstalling tools for working with PGP and S/MIME. Until fixes are available, users are advised to consider the Signal messenger as an alternative means of secure communication.
In addition, the Electronic Frontier Foundation published instructions for disabling the corresponding plug-ins:
- Thunderbird with Enigmail;
- Apple Mail with GPGTools;
- Outlook with Gpg4win.
However, the GnuPG developers report that the detected vulnerabilities do not directly affect GnuPG and Enigmail, but are related to how PGP is used in mail clients. In addition, the site efail.de went live ahead of schedule, and it became known that the problems arise only with emails that were transmitted in HTML format.
S/MIME vulnerability is facilitated by HTML. Do: (1) disable affected mail extensions (2) send text mails [not HTML] (3) use OpenPGP. Do not: (1) Use vulnerable clients (2) panic. https://t.co/X4uJqboh4j pic.twitter.com/ZI7gp2nDgF
– Lukasz Olejnik (@lukOlejnik) May 14, 2018
In a nutshell, if I intercept an encrypted email sent to you, I can modify that email into a new encrypted email that contains custom HTML. In many GUI email clients, this HTML can exfiltrate the plaintext to a remote server. Ouch. 2/
– Matthew Green (@matthew_d_green) May 14, 2018
The real news is probably about S/MIME, which is actually used in corporate e-mail settings. Attacking and modifying encrypted email stored on servers could actually happen, so this is a big deal. 4/
– Matthew Green (@matthew_d_green) May 14, 2018
We will continue to monitor the situation.