Wednesday, 23 May, 2018

A "serious" flaw has been found in PGP and S/MIME email encryption

PGP is leaking your emails in plaintext and there's no known fix
Cecil Davis | 16 May, 2018, 10:39

In a blog post, the EFF recommended that PGP users uninstall or disable their PGP e-mail plug-ins while the research community evaluates the seriousness of the flaws reported by the European research team.

In an era when email hacks are a very real and common personal security threat, encryption is a way to ensure prying eyes don't spy on your digital correspondence. PGP encryption is used by some of the bigger guys such as Apple Mail, Outlook, and Thunderbird.

Teams from KU Leuven University and Ruhr University have worked alongside FH Munster, and the Electronic Freedom Foundation (EFF) is working with them to get the word out. The researchers further elaborated the attack methods in documentation (PDF) on EFAIL released Monday.

EFAIL works by targeting "active content" of HTML emails - namely loaded images or styles - to exfiltrate plaintext through requested URLs. The attacks assume that an attacker has possession of the encrypted e-mails and can trick either the original sender or one of the recipients into opening an invisible snippet of one of the intercepted messages in a new e-mail. The Foundation, which has been in communication with the researchers, has advised users to "temporarily stop sending and especially reading PGP-encrypted email". If it's not, GnuPG returns an alert.

The second vulnerability partially incorporates the first, and relies on an attacker being able to guess parts of the encrypted communication, which is generally possible due to the nature of the protocol involved. He recommended switching off HTML emails or using authenticated encryption.

Koch says the researchers found that HTML can be "used as a back channel to create an oracle for modified encrypted mails".

Yet others take issue with that line. It is one of the standard encryption program tools used for signing MIME data. The EFF's report only indicated that a vulnerability existed, and that users should disable PGP plugins in their mail clients until patches are deployed. "It seems to not be easily reproducible in all cases".

Until more details are made public, it's hard to know just how serious the security issue really is. A website has also been set up that advises PGP users to disable HTML rendering in emails sent via PGP, as that will close the most prominent way of taking advantage of the vulnerability. "The reason is that PGP compresses the plaintext before encrypting it, which complicates guessing known plaintext bytes". Sebastian Schinzel, professor of computer security at Münster, wrote on Twitter that "there are now no reliable fixes for the vulnerability".

While not explicitly mentioned, you may also disable the loading of remote content in the email client to prevent successful exploits.