If you’ve been using PGP or S/MIME to securely send and receive sensitive emails, you’ll want to stop using them right away, as a group of European researchers have found vulnerabilities in both standards.
The security flaws that have been discovered could potentially leak the contents of the encrypted messages you send and receive via email when signed with PGP or S/MIME encryption methods.
We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4
— Sebastian Schinzel (@seecurity) May 14, 2018
The warning comes from a group of security researchers in Europe, from Münster University, Ruhr-University, and KU Leuven University, and its members have previously revealed the Drown attack that affected some 11 million HTTPS sites back in 2016.
The group will publish a research paper detailing the vulnerability on Tuesday; it notes that there’s no fix just yet, and that you’ll want to disable PGP plugins in your email client of choice until we have more information.
Your best bet for secure communication at this point would likely be an encrypted messaging app like Signal.
Update (11:42 AM CET): Werner Koch, the founder of the GNU Privacy Guard (an implementation of the OpenPGP standard), noted in a user group email chain that HTML emails may not be entirely secure for PGP and S/MIME email clients at this point (as opposed to the encryption standards themselves), and that there isn’t yet a fix for the vulnerability with messages with certain kinds of attachments with S/MIME clients just now.
Robert Hansen, who works on the popular Enigmail plugin for Thunderbird which allows for reading and sending OpenPGP-signed emails, recommends updating the app to stay secure:
Speaking for Enigmail: don't believe the hype. Don't panic. Make sure you're running the latest version of Enigmail. Yes, we have seen the paper. Out of deference to the paper authors, we will forego further comment until publication. https://t.co/I5crWs8fYI
— Robert J. Hansen (@robertjhansen) May 14, 2018
Update 2 (12:43PM CET): The researchers have published their findings early over on this site, along with their paper (PDF). They explain that the EFAIL attacks “break PGP and S/MIME email encryption by coercing clients into sending the full plaintext of the emails to the attacker.” That sounds serious, but it’s worth noting that the malicious actor needs to have access to your S/MIME or PGP encrypted emails to carry out the attack.
That means that a specifically targeted user could be affected, but it’s not a security flaw that will see users’ emails leaked in the wild because of a broken protocol. We’ve altered our title now to more accurately reflect the level of concern surrounding this issue.
The researchers note that, at present, you’ll want to remove your PGP and S/MIME private keys from your email client, and decrypt incoming encrypted emails by copying and pasting the ciphertext into a separate app to decrypt and read your messages; this prevents your email client from transmitting the plaintext contents of your encrypted messages back to the attacker. Additionally, disabling HTML rendering for incoming email messages should also help protect you from unknowingly sending this information from your email client.
Ideally, email client developers should release patches for their software to prevent this vulnerability from being exploited, and those who maintain the PGP and S/MIME standard should update them and lock out malicious actors.