PGP and S/MIME email encryption are vulnerable to hacking

A team of European researchers has found critical flaws in the encryption standards, and no fixes are currently available.

A security flaw with email encryption appears to have left a small opening for hackers to read your private messages.

"EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs", they wrote. Their advice for mitigating the vulnerability's impact is to stop encrypting or decrypting emails directly in affected email clients and to disable HTML rendering.
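The advice to disable HTML rendering follows from the fact that a mail client fetches remote content as soon as it displays a message. As an added example (not code from the article or the researchers), this Python script lists the remote resources that the HTML parts of a message would load on display; the tag list, function names and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# (tag, attribute) pairs a renderer fetches automatically when displaying mail
FETCHED = {("img", "src"), ("link", "href"), ("script", "src"), ("iframe", "src"),
           ("embed", "src"), ("object", "data"), ("input", "src"), ("body", "background")}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)  # url(...) in inline CSS

def is_remote(url):
    return url.startswith("//") or urlparse(url).scheme.lower() in {"http", "https", "ftp"}

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            value = (value or "").strip()
            if (tag, name) in FETCHED and is_remote(value):
                self.refs.append((tag, name, value))
            elif name == "style":  # inline CSS can load images too
                self.refs += [(tag, name, u) for u in CSS_URL.findall(value) if is_remote(u)]

def find_remote_refs(raw_message):
    """Return (tag, attribute, url) for each remote fetch in the HTML parts."""
    finder = RemoteRefFinder()
    for part in message_from_string(raw_message, policy=default).walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    finder.close()
    return finder.refs

# Constructed sample message (benign); hosts are placeholders.
SAMPLE = """\
Subject: constructed sample
Content-Type: text/html; charset="utf-8"

<html><head><link rel="stylesheet" href="https://cdn.example.com/mail.css"></head>
<body><p style="background:url(http://img.example.com/bg.png)">Hello</p>
<img src="cid:logo@example.com"><img src="http://img.example.com/open.gif">
<a href="https://example.com/read">read more</a></body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_remote_refs(SAMPLE):
        print(f"<{tag} {attr}> would fetch {url}")
```

The embedded `cid:` image and the ordinary hyperlink are not reported, because neither triggers a network request when the message is merely displayed.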

The two attacks, details of which were published on Monday in a research paper, affect PGP, the most popular technology for sending encrypted emails.

Users are advised to disable email encryption to prevent attackers from recovering past encrypted emails after the paper's publication.

Germany's Federal Office for Information Security (BSI) put out a statement saying there were risks that attackers could secure access to emails in plain text once the recipient had decrypted them.

"If you were using GnuPG on the command line and checking your error results, it's absolutely true that you're fine", Green tweeted, adding that "If you've been using (one of several) GUI clients with PGP encryption, you were anything but fine".

Instead, EFAIL exploits vulnerabilities in mail clients such as Apple Mail, iOS Mail and Mozilla Thunderbird, which we'd expect to issue patches shortly.

"It's a lot of steps for sure, and one that honestly is more hypothetical than it is unsafe", Dave Kennedy, the chief executive at security company TrustedSec, said.

Furthermore, in order to exploit the Efail vulnerability, attackers would need to capture emails and send them to the original recipient for decryption, the researchers said.

Werner Koch, the principal author of the cryptographic software GNU Privacy Guard, called EFF's warnings about the vulnerability "pretty overblown".

Schinzel says that there isn't a reliable fix available at the moment, but there is one way to mitigate the risk.

EFF recommends using Signal by Open Whisper Systems while the PGP vulnerability is being fixed.

EFF said in a blog post that users should uninstall PGP until the flaw is patched.

Cluley also pointed out that it is not a new problem - the root problem of mail clients attempting to display corrupted S/MIME messages has been known about since 2000. If some sources are to be believed, it could spell the end of email as a secure channel.

Researchers have discovered a vulnerability in the OpenPGP and S/MIME protocols that allows for the exfiltration of plaintext messages.

