A team of European researchers claims to have found critical vulnerabilities in PGP/GPG and S/MIME. PGP, which stands for Pretty Good Privacy, is code used to encrypt communications, commonly email. S/MIME, which stands for Secure/Multipurpose Internet Mail Extension, is a way to sign and encrypt modern email and all the extended character sets, attachments, and content it contains. If you want the same level of security in email as you have in end-to-end encrypted messaging, it's likely you're using PGP or S/MIME. And, right now, they may be vulnerable to hacks.
Danny O'Brien and Gennie Gebhart, writing for The EFF:
A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.
Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.
Dan Goodin at Ars Technica notes:
Both Schinzel and the EFF blog post referred those affected to EFF instructions for disabling plug-ins in Thunderbird, macOS Mail, and Outlook. The instructions say only to "disable PGP integration in e-mail clients." Interestingly, there's no advice to remove PGP apps such as Gpg4win, GNU Privacy Guard. Once the plugin tools are removed from the Thunderbird, Mail or Outlook, the EFF posts said, "your emails will not be automatically decrypted." On Twitter, EFF officials went on to say: "do not decrypt encrypted PGP messages that you receive using your email client."
The topic of that paper is that HTML is used as a back channel to create an oracle for modified encrypted mails. It is long known that HTML mails and in particular external links like are evil if the MUA actually honors them (which many meanwhile seem to do again; see all these newsletters). Due to broken MIME parsers a bunch of MUAs seem to concatenate decrypted HTML mime parts which makes it easy to plant such HTML snippets.
There are two ways to mitigate this attack
- Don't use HTML mails. Or if you really need to read them use a proper MIME parser and disallow any access to external links.
- Use authenticated encryption.
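One way to apply the first mitigation from the message quoted above, as an added example (not code from GnuPG, the EFF, or the researchers): parse the MIME tree with Python's standard `email` package, inspect every `text/html` part with its own parser instance, and report remote references so a client can refuse to fetch them. The attribute list, function names, and sample message are assumptions made for this illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

# Attributes a mail client may follow to a remote server (assumed list, not exhaustive).
URL_ATTRS = {"src", "href", "background", "poster", "action"}
REMOTE_PREFIXES = ("http://", "https://", "//")

class RemoteRefFinder(HTMLParser):
    """Collects (tag, attribute, url) for every remote reference in one HTML part."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            url = (value or "").strip()
            if name in URL_ATTRS and url.lower().startswith(REMOTE_PREFIXES):
                self.refs.append((tag, name, url))

def remote_refs_by_part(raw_message):
    """Parse the MIME tree and inspect each text/html part separately,
    so markup from one part is never concatenated with the next."""
    msg = message_from_string(raw_message, policy=policy.default)
    report = []
    html_parts = (p for p in msg.walk() if p.get_content_type() == "text/html")
    for index, part in enumerate(html_parts):
        finder = RemoteRefFinder()
        finder.feed(part.get_content())
        finder.close()
        report.append((index, finder.refs))
    return report

def safe_to_render(raw_message):
    """True only when no HTML part references a remote resource."""
    return all(not refs for _, refs in remote_refs_by_part(raw_message))

# Constructed sample message: two HTML parts, the second referencing a remote image.
SAMPLE = (
    "From: alice@example.org\nTo: bob@example.org\nSubject: constructed sample\n"
    'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="BOUND"\n\n'
    '--BOUND\nContent-Type: text/html; charset="utf-8"\n\n'
    "<p>Quarterly report attached.</p>\n"
    '--BOUND\nContent-Type: text/html; charset="utf-8"\n\n'
    '<p>Logo: <img src="https://static.example.net/logo.png"></p>\n'
    '<p><a href="mailto:bob@example.org">reply</a></p>\n'
    "--BOUND--\n"
)

if __name__ == "__main__":
    for index, refs in remote_refs_by_part(SAMPLE):
        print(index, refs)
```

A client following the quoted advice would render a message only when `safe_to_render` returns True, or would strip the reported references before display.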
There's a lot to sift through here and the researchers aren't releasing their findings to the public until tomorrow. So, in the meantime, if you use PGP and S/MIME for encrypted email, read the EFF article, read the gnupg mail, and then:
- If you feel the least bit concerned, temporarily disable email encryption in Outlook, macOS Mail, Thunderbird, etc. and switch to something like Signal, WhatsApp, or iMessage for secure communication until the dust settles.
- If you're not concerned, still keep an eye on the story and see if anything changes over the next couple of days.
There will always be exploits and vulnerabilities, potential and proven. What's important is that they're disclosed ethically, reported responsibly, and addressed expeditiously.
We'll update this story as more becomes known. In the meantime, let me know if you use PGP / S/MIME for encrypted email and, if so, what's your take?