Critical Flaw Found in PGP and S/MIME Email Clients Like Apple Mail


Uninstall PGP: EFF warns of exploit that may reveal plaintext of encrypted emails

The security flaws that have been discovered could potentially leak the contents of the encrypted messages you send and receive via email when they are encrypted with PGP or S/MIME.

The researchers behind the flaw say the only way to fully protect against it will be to stop handling PGP and S/MIME decryption in the mail client, and fully patching it will require updates to the encryption standards themselves.

The researchers recommend disabling HTML rendering in your email client so that the decrypted contents of your PGP messages cannot be leaked, and have said that PGP email users who turn off HTML in their mail programs stay safe from attacks based on the vulnerability.

"These steps are intended as a temporary, conservative stopgap until the immediate risk of the exploit has passed and been mitigated against by the wider community", wrote EFF. In the attack, the attacker crafts a new message that embeds a previously captured encrypted message.

The researchers are advising everyone to temporarily stop using plugins for mail clients like Microsoft Outlook and Apple Mail that automatically encrypt and decrypt emails, at least until someone figures out how to remedy the situation.

PGP or Pretty Good Privacy was developed in 1991 by Phil Zimmermann.

End-to-end encryption is used specifically to secure emails that have been compromised in those manners.

PGP encryption is mostly used by political activists, journalists, and whistleblowers as an extra layer of protection. There are other methods that could be used to attack the information, but those backchannels are harder to exploit.

Of course, if you recognise the need to securely encrypt your communications, you probably also understand that resorting to sending and receiving unencrypted email is far from an acceptable solution. He recommended switching off HTML emails or using authenticated encryption.

But while that advice might be easier to implement for anyone who uses and configures their own PGP tools, it fails to address how secure webmail providers might address the flaws.

Professor Schinzel is a member of a research team made up of a long list of respected security researchers, which has been responsible for uncovering a number of cryptographic vulnerabilities. While encrypted email keeps your messages secret, email clients still render HTML content - for example, images or hyperlinks - even when it sits inside encrypted content. The authors state that they have "disclosed the vulnerabilities to all affected email vendors, and to national CERTs and our findings were confirmed by these bodies".
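As an added defensive illustration, not from the article or from the researchers' own tooling: a small Python check over a raw message that flags the combination described above, encrypted content co-located with HTML that references remote resources such as images or hyperlinks. The sample messages, hostnames and the PGP-armored block are constructed placeholders, not real ciphertext.

```python
import email
import re
from email import policy

# Constructed sample: HTML mail wrapping a placeholder PGP-armored block
# (not real ciphertext) next to a remote image reference.
HTML_PGP_RAW = """Subject: constructed sample
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="http://tracker.example.test/pixel.png">
<p>-----BEGIN PGP MESSAGE-----
hQEMA0placeholderciphertext==
-----END PGP MESSAGE-----</p>
</body></html>
"""

# Constructed sample: the same placeholder block as plain text, no HTML.
PLAIN_PGP_RAW = """Subject: constructed sample
Content-Type: text/plain; charset="utf-8"

-----BEGIN PGP MESSAGE-----
hQEMA0placeholderciphertext==
-----END PGP MESSAGE-----
"""

REMOTE_REF = re.compile(r'\b(?:src|href)\s*=\s*["\']?https?://', re.I)
PGP_ARMOR = re.compile(r'-----BEGIN PGP MESSAGE-----')
ENCRYPTED_TYPES = {'multipart/encrypted', 'application/pgp-encrypted',
                   'application/pkcs7-mime', 'application/x-pkcs7-mime'}


def part_is_encrypted(part) -> bool:
    """True if a MIME part carries PGP/MIME, S/MIME or inline-armored ciphertext."""
    ctype = part.get_content_type()
    if ctype in ENCRYPTED_TYPES:
        return True
    return ctype.startswith('text/') and bool(PGP_ARMOR.search(part.get_content()))


def assess(raw: str) -> dict:
    """Flag messages that mix encrypted content with HTML that pulls remote resources."""
    msg = email.message_from_string(raw, policy=policy.default)
    parts = list(msg.walk())
    encrypted = any(part_is_encrypted(p) for p in parts)
    html_remote = any(p.get_content_type() == 'text/html'
                      and REMOTE_REF.search(p.get_content()) for p in parts)
    return {'encrypted_content': encrypted, 'html_remote_refs': html_remote,
            'efail_pattern': encrypted and html_remote}
```

A mail gateway or client-side filter can use the `efail_pattern` flag to quarantine or render such messages as plain text, which is the same effect the researchers' advice to disable HTML rendering achieves globally.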
