2018-05-18

Vulnerability in Pretty Good Privacy (PGP) and Secure MIME email encryption services

PGP is a public key encryption-based program that is used often to secure emails. S/mime is a standard defining the encryption of the email ensuring confidentiality, integrity and originality. Now experts have found a vulnerability that may allow outsiders to read even the earlier encrypted emails.

Münster University of Applied Sciences signalled on 14th May that PGP and S/MIME have both vulnerabilities enabling the third party to reveal the plain-text of ongoing encrypted email traffic and even access the earlier sent secure emails.
"The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim's email client decrypts the email and loads any external content, thus ex-filtrating the plain-text to the attacker."

The following general advice may apply:

  • Remove the installed and automatic PGP and S/MIME services from your email-service until the vulnerability has been patched
  • Use other end-to-end email encryption services like Signal
  • Wait for detailed analysis and guidance to remedy the services.
  • Consider what has been sent earlier using the above encryption and assess the risks if they are revealed.


References

  1. https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now 
  2. https://www.forbes.com/sites/thomasbrewster/2018/05/14/pgp-encrypted-email-vulnerability-exposes-private-messages/#61cbede13e2a
  3. https://ssd.eff.org/en/module/how-use-signal-ios
  4. https://efail.de/efail-attack-paper.pdf


No comments:

Post a Comment