A team of European cybersecurity researchers discovered that attackers can break the encryption of email that is designed to be highly secure. The vulnerability is being called Efail, and it allows attackers to defeat OpenPGP and S/MIME, two widely used standards that provide end-to-end encryption for email. PGP (Pretty Good Privacy) is a popular encryption method that is often added to email applications to secure messages. It is considered the gold standard for email security.
The vulnerability affects journalists, businessmen, political activists, scientists, government security workers, whistleblowers, and others who depend on encrypted email.
The Electronic Frontier Foundation is advising users to “immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.” It provided instructions for disabling PGP plug-ins in Thunderbird, Apple Mail, and Outlook.
They go on to say, “EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.”
ProtonMail, the company behind the widely used secure email service of the same name, noted that its service is not vulnerable to this issue.
The problem was investigated by Sebastian Schinzel, a professor of computer security at Münster University of Applied Sciences. He noted, “There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now.”
We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4
— Sebastian Schinzel (@seecurity) May 14, 2018
Initially, there was concern among cybersecurity experts that all files encrypted with PGP were vulnerable, but that was not the case. The problem is whether the email client checks for integrity errors during decryption and acts on them. It is not a vulnerability in the PGP system itself but in the email apps that lacked the necessary safeguards when using PGP.
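As an added illustration of the safeguard this paragraph describes (example code written for this page, not from the Efail researchers, the EFF, or any OpenPGP or S/MIME implementation): the snippet below builds a toy encrypt-then-MAC scheme from Python's standard library as a stand-in for the integrity check a real mail client performs, and contrasts a lenient decryptor, which still hands back plaintext when the check fails, with a strict one that refuses to decrypt at all. The key, the sample message and all function names are constructed assumptions, not values from the article.

```python
"""Fail-closed handling of an integrity failure during decryption.

Added example, not from the article or any OpenPGP/S-MIME implementation.
The cipher is a toy HMAC-based stream cipher with an encrypt-then-MAC tag,
used only to show the difference between a client that ignores a failed
integrity check and one that refuses to produce plaintext.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


class IntegrityError(Exception):
    """Raised when the authentication tag does not match the ciphertext."""


def _derive(key: bytes, label: bytes) -> bytes:
    # Split one master key into independent encryption and MAC keys.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher: concatenate HMAC(nonce || counter) blocks, truncate.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def _split(blob: bytes):
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    return blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]


def _tag_matches(mac_key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bool:
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def decrypt_lenient(key: bytes, blob: bytes):
    """Unsafe pattern: computes the plaintext, reports the failed check only
    as a flag, and still returns the plaintext for the caller to render."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ciphertext, tag = _split(blob)
    tag_ok = _tag_matches(mac_key, nonce, ciphertext, tag)
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks)), tag_ok


def decrypt_strict(key: bytes, blob: bytes) -> bytes:
    """Fail closed: verify the tag before any plaintext exists, and raise on
    mismatch so the caller has nothing to display."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ciphertext, tag = _split(blob)
    if not _tag_matches(mac_key, nonce, ciphertext, tag):
        raise IntegrityError("integrity check failed; refusing to decrypt")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo(key: bytes = b"") -> dict:
    """Run both decryptors on an intact and on a damaged message."""
    key = key or os.urandom(32)
    message = b"Quarterly figures attached. Do not forward."  # constructed sample
    blob = encrypt(key, message)

    # Simulate damage in transit: flip one bit of the first ciphertext byte.
    damaged = bytearray(blob)
    damaged[NONCE_LEN] ^= 0x01
    damaged = bytes(damaged)

    lenient_pt, lenient_ok = decrypt_lenient(key, damaged)
    try:
        decrypt_strict(key, damaged)
        strict_refused = False
    except IntegrityError:
        strict_refused = True

    return {
        "intact_roundtrip": decrypt_strict(key, blob) == message,
        "lenient_returned_plaintext": len(lenient_pt) > 0 and not lenient_ok,
        "strict_refused": strict_refused,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the contrast is where the check sits: the strict decryptor verifies the tag before any plaintext is produced, so a failed check leaves nothing for the mail client to render, which is the behaviour the researchers found missing in the affected clients.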
You can read more about what the researchers are calling the EFAIL vulnerability here.