European researchers have found that the popular PGP and S/MIME email encryption standards are vulnerable to being hacked, with no known patch available. They urge users to disable and uninstall them immediately.
University researchers from Münster and Bochum in Germany, as well as Leuven in Belgium, discovered the flaws in the encryption methods that can be used with popular email applications such as Microsoft Outlook, Apple Mail and Enigmail for Thunderbird, which all offer to decrypt emails on the fly.
The security flaws could potentially leak the contents of the encrypted messages you send and receive via email when signed with PGP or S/MIME encryption methods.
Sebastian Schinzel, professor of applied cryptography at the Münster University of Applied Sciences, said in a tweet on Monday that currently "no reliable fixes for the vulnerability" were available.
In a statement, US digital rights group, Electronic Frontier Foundation (EFF), confirmed that the standards posed an "immediate risk" to email communication including the potential exposure of the contents of past messages.
Risk to whistleblowers
PGP — short for Pretty Good Privacy — works using an algorithm to generate a 'hash,' or mathematical summary, of a user's name and other information. This is then encrypted with the sender's private 'key' and decrypted by the receiver using a separate public key.
The use of PGP for secure communications has been advocated, among others, by Edward Snowden, who blew the whistle on pervasive electronic surveillance at the US National Security Agency (NSA) before fleeing to Russia.
To exploit the weakness, a hacker would need to have access to an email server or the mailbox of a recipient. In addition, the mails would need to be in HTML format and have active links to external content to be vulnerable.
Germany's Federal Office for Information Security (BSI) put out a statement saying there were risks that attackers could secure access to emails in plain text once the recipient had decrypted them.
Disable and uninstall
BSI, EFF and others now advise users to disable the use of active content, such as HTML code and the loading of external content, and to secure their email servers against external access. They recommend that users switch for the time being to secure messaging app Signal for sensitive communications.
The group of researchers announced that they would publish a research paper detailing the vulnerability on Tuesday.
Robert Hansen, who works on the popular Enigmail plugin for Thunderbird which allows for reading and sending OpenPGP-signed emails, recommends updating the app to stay secure.
More details are starting to drip out, but the warning is that leaving encryption active will increase the danger and so for now, using something safe is the best course of action.
The EFF points out that this action represents "a temporary, conservative stop-gap" until the security team has released full details of the problem.
uhe/bb (Reuters, dpa)