Secure Encrypted Email Platform PGP Is Not Secure
The cybersecurity community is bracing for impact after a team of researchers revealed recently that critical vulnerabilities in the encrypted email program PGP (Pretty Good Privacy) could be exploited to expose secret messages in plain text.
PGP, which is used to scramble the content of sensitive messages and believed to be one of the most secure methods of protecting private email communications, was used by National Security Agency (NSA) whistleblower Edward Snowden to contact journalists.
Sebastian Schinzel, professor of computer security at Germany’s Münster University of Applied Sciences, alongside a team of eight researchers, revealed on Twitter that there are currently no stable fixes for the issues and said the service should not be used until a patch is released.
The Electronic Frontier Foundation (EFF), a digital liberties campaign group, released guides on how to temporarily disable PGP plug-ins in three email clients.
“We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past,” Schinzel tweeted, sparking immediate concern from users.
“There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now,” he added
In its blog post, the EFF wrote: “A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME.
“EFF has been in communication with the research team and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.
“In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication. Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.”
The blog post concluded: “Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.”
Reacting to the news, Matt Blaze, a cryptography expert at the University of Pennsylvania, tweeted: “Our collective inability to design and deploy a useable secure email system at scale is one of the most embarrassing failures of the applied cryptography community.”
You Might Also Read:
