A "serious" flaw has been found in PGP and S/MIME email encryption



However, there is some debate as to how serious the issues are.

The flaws, some of which have existed for more than a decade, are part of a series of vulnerabilities dubbed "Efail". The email protocol was never built with security in mind.

More specifically, the attacks use specially crafted HTML emails that exploit bugs in the way PGP is implemented in some email programs.

Both standards can be used with popular email applications such as Microsoft Outlook and Apple Mail.

The client used by the target decrypts the email and loads external content that transmits the plaintext message to the attacker.


Without knowing any details of the vulnerability, I might also add that generally disabling HTML email is a jolly good idea from the security point of view as it can reduce your attack surface considerably.

The problem resides in how email clients use these plug-ins to decrypt HTML-based emails. The expert said that attackers using these programs can "access" not only intercepted letters, but all that were ever sent. In the meantime, the makers of affected email clients are preparing patches to address the flaw. For the time being, Motherboard recommends getting around the issue by disabling HTML rendering in your mail client, which prevents the request being sent to a hacker that would allow them to decrypt your messages.

While PGP is today owned by Symantec, an open source implementation called GNU Privacy Guard (GPG) has been widely adopted by the security community in a number of contexts; this is referred to as OpenPGP. If it's not, GnuPG returns an alert. "This is a pretty old thing which we are aware of, and the reasons why a warning has always been printed in that case". That's because EFAIL can be stopped by using authenticated encryption; OpenPGP started to support authenticated encryption in 2001.
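With HTML rendering disabled, a client shows only the plain-text part of a message and requests no external content. The following Python code is an added example, not taken from the article or from any mail client: it returns the text/plain view of a message and lists the remote URLs that its HTML parts would cause a rendering client to request. The function names and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from html.parser import HTMLParser

# Attributes that can make a mail client fetch from or submit to a remote URL.
URL_ATTRS = {"src", "href", "background", "poster", "data", "action", "srcset"}

class RemoteRefFinder(HTMLParser):
    """Collects (tag, attribute, url) for every remote URL in an HTML part."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                v = value.strip().lower()
                if v.startswith(("http://", "https://", "//")):
                    self.refs.append((tag, name, value.strip()))

def remote_references(raw: bytes):
    """Return remote URLs referenced by any text/html part of the message."""
    msg = message_from_bytes(raw, policy=policy.default)
    finder = RemoteRefFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    finder.close()
    return finder.refs

def plain_text_view(raw: bytes) -> str:
    """Return only the text/plain body, i.e. what is shown with HTML off."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""

# Constructed sample: a multipart/alternative message with one remote image.
SAMPLE = (
    b"From: alice@example.org\r\nTo: bob@example.org\r\nSubject: test\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain; charset=utf-8\r\n\r\nHello Bob\r\n"
    b"--b1\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b'<p>Hello Bob</p><img src="https://tracker.example.net/p.png">'
    b'<a href="mailto:alice@example.org">reply</a>\r\n'
    b"--b1--\r\n"
)

if __name__ == "__main__":
    print(remote_references(SAMPLE))
    print(repr(plain_text_view(SAMPLE)))
```

The check only inspects tag attributes; references made from CSS (`url(...)`) are not covered.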

Full details of the PGP and S/MIME flaws were due to be released on Tuesday, when the researchers appear to have negotiated a coordinated vulnerability announcement with makers of vulnerable software. The EFF provides walk-throughs on its site for disabling PGP in Apple Mail, Outlook and Thunderbird. "It seems to not be easily reproducible in all cases".

The researchers warn that journalists, political activists, and whistleblowers face the most risk from the flaw; for years, PGP has been a go-to tool to secure sensitive emails with a form of end-to-end encryption, with S/MIME acting as an alternative. The reason is that a team of European researchers has found critical flaws in the encryption standards, and there are currently no fixes available. "The reason is that PGP compresses the plaintext before encrypting it, which complicates guessing known plaintext bytes".

The info was also posted on Twitter by professor Sebastian Schinzel, who leads the ITS group at Münster University of Applied Sciences.
