May 24, 2018

Your encrypted email messages might not be that secure after all

15 May 2018, 04:22 | Francis Delgado

PGP is leaking plain text versions of your emails and there's no known fix

A paper detailing the vulnerability, co-authored by Sebastian Schinzel, computer security professor at the Münster University of Applied Sciences in Germany, is available online. The email encryption vulnerability was first reported by the Electronic Frontier Foundation (EFF) on Monday.

A post on EFF's website says that users of PGP, which stands for "Pretty Good Privacy", should "pause" their use until the vulnerability is fixed.

Once altered, the encrypted email can be sent back to the victim's email client, which will mistakenly decrypt the contents inside and send the information to the attacker's server via a URL request. It will be safer for users to switch to services like Signal, the messaging app backed by WhatsApp co-founder Brian Acton.

The vulnerability has been named "efail", but many researchers believe the issue has been overblown. In contrast, mainstream email clients simply process and store your messages using plain text. They also advised users to stop using the encryption tools S/MIME and OpenPGP.

The research is focused on how popular HTML-based email platforms - like Mozilla's Thunderbird, Apple's Mail, and Microsoft Outlook - continue to mishandle specific, internal configurations within email.
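The leak channel described above is the mail client making a URL request while it renders HTML. As an added example (not code from the paper, the EFF or this article), this Python audit lists every place in an HTML body that would make a renderer load a remote URL without a click; the tag/attribute list is an assumption and not exhaustive, and the sample body is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed, non-exhaustive tag/attribute pairs a renderer loads without a click.
AUTO_FETCH = {("img", "src"), ("link", "href"), ("script", "src"), ("iframe", "src"),
              ("input", "src"), ("video", "poster"), ("audio", "src"),
              ("source", "src"), ("embed", "src"), ("object", "data")}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)", re.I)

def is_remote(url):
    # http(s) and scheme-relative URLs leave the machine; cid: and data: do not.
    url = url.strip()
    return url.startswith("//") or urlsplit(url).scheme.lower() in ("http", "https")

class RemoteFetchAudit(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        self._in_style = self._in_style or tag == "style"
        for name, value in attrs:
            if (tag, name) in AUTO_FETCH and is_remote(value or ""):
                self.findings.append((tag, name, value.strip()))
            if name == "style" and value:  # inline CSS can also load URLs
                self._scan_css(tag, value)
    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"
    def handle_data(self, data):
        if self._in_style:  # contents of a <style> element
            self._scan_css("style", data)
    def _scan_css(self, where, css):
        for url in CSS_URL.findall(css):
            if is_remote(url):
                self.findings.append((where, "css-url", url.strip()))

def remote_fetches(html):
    """Return (tag, attribute, url) for each automatic remote load in html."""
    audit = RemoteFetchAudit()
    audit.feed(html)
    audit.close()
    return audit.findings

# Constructed sample standing in for the HTML body of a decrypted message.
SAMPLE = ('<style>p{background:url("https://cdn.example/bg.png")}</style>'
          '<img src="https://stats.example/p.gif?id=42"><img src="cid:logo@local">'
          '<a href="https://example.org/report">report</a>'
          '<div style="background:url(//static.example/x.png)">hi</div>')
```

Any entry returned is a load the client would perform on display unless remote content is blocked; the `cid:` image and the clickable link are not reported because neither triggers an automatic request.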

Schinzel also urged users via Twitter to visit the blog posts by the EFF, which include detailed step-by-step guides on how to disable PGP in Outlook, Apple Mail, and Thunderbird. "They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past". The PGP CFB gadget attack was assigned CVE-2017-17688, while the S/MIME CBC vulnerability was given CVE-2017-17689. They say the PGP and S/MIME standards need an update, but that "will take some time".

Asking his online community if any of the members use PGP, responses ranged from "LOL, no" to "Most don't even know what that is" to a member saying he set up PGP, but no client has ever wanted to use the encryption option. The importance of email encryption went mainstream after whistleblower Edward Snowden revealed the extent of the US government's electronic surveillance in 2013. Hacker House cofounder and Brit infosec pro Matthew Hickey told The Register that while we're unlikely to see widespread abuse of EFAIL, the potential for targeted attacks against journalists, corporations, activists, and academics makes it worth taking seriously.

Mikko Hypponen of F-Secure, a cyber security firm, said: "This is bad because the people who use PGP use it for a reason, people don't use it for fun - people who use it have real secrets, like business secrets or confidential things". Security experts recommend removing them immediately so that hackers are unable to read correspondence.
