Attention PGP Users: New Vulnerabilities Require You To Take Action Now

Posted on by pogowasright.org

Danny O’Brien and Gennie Gebhart write:

A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.

The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific). In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication.

Read more on EFF, who provide directions on how to disable plugins.

You can read more about the vulnerability here, on https://efail.de.  And the full technical paper in draft form can be found here:

Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels [v0.9 Draft] [PDF]
Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jörg Schwenk.
27th USENIX Security Symposium, San Diego, August 2018.

Update: on Twitter, a spokesperson for Enigmail advised users not to believe all the hype.

He later added, “The flaw can be completely mitigated by watching for packets with missing or invalid MDCs and reacting appropriately. Most email clients already do this. If you’re one of them, you’re safe.”

You may wish to read the entire thread on Twitter, beginning with GNUPG’s statement.

Category: Featured News