- A team of academic researchers, working with the Electronic Frontier Foundation on disclosure, has found critical vulnerabilities in how email clients handle two email encryption standards.
- PGP and S/MIME, as used in email clients, have flaws that could be exploited to reveal the plaintext of encrypted emails, including messages sent in the past.
- Full details are to be published by the researchers on May 15; until the affected clients are fixed, they recommend not using the two encryption tools in email.
A team of academic researchers, with the Electronic Frontier Foundation helping to coordinate disclosure, has discovered critical vulnerabilities affecting the two most widely used email encryption tools. PGP and S/MIME are said to have flaws that, on platforms using either of them, could be exploited to expose the plaintext of encrypted emails, whether sent, received, or stored in the past.
The researchers have also confirmed that no reliable fixes are available as of now. Full details are to be published by the team on May 15 at 07:00 UTC (3:00 AM Eastern, midnight Pacific). Users of platforms that rely on S/MIME or PGP encryption have been advised to disable email encryption in their clients to avoid the risk of an attack. The researchers have already contacted email service providers through the Electronic Frontier Foundation, and the EFF has asked those providers to pass the news on to all users and to request that they disable or uninstall the related security plugins, including Enigmail for Thunderbird, GPGTools for Apple Mail, and Gpg4win for Outlook.
We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4
— Sebastian Schinzel (@seecurity) May 14, 2018
PGP, or Pretty Good Privacy, was created in 1991 by Phil Zimmermann. It is one of the most widely trusted programs for signing, encrypting, and decrypting private text and email, and PGP-based tools are also used on the desktop for encrypting files. The researchers have confirmed, however, that the exploitable vulnerabilities affect only email use.
Unlike PGP, S/MIME (Secure/Multipurpose Internet Mail Extensions) is an email-only standard for signing and encrypting MIME data. It was originally developed by RSA Data Security and is now built into most modern email software. Thunderbird, Apple Mail, and Outlook are the three major email clients whose users need to be wary of the exploit: all three support S/MIME natively and PGP through the plugins named above.
Disabling both encryption methods in the mail client is only a temporary measure to avoid immediate risk. The Electronic Frontier Foundation said the vulnerabilities need to be patched promptly to avoid large-scale risk to email users and providers. The EFF has posted a detailed blog post on how users can reduce their exposure, and a full explanation of the exploits will be published on Tuesday, May 15, at 07:00 UTC.