PGP Email has Critical Flaw

Facebook messenger icons are seen on an iPhone in Manchester, Britain

It's important to note that this exploit is only useful if an unscrupulous individual already has access to the encrypted S/MIME or PGP emails. (Both protocols are used to secure end-to-end encrypted emails.) They dubbed the vulnerability "EFAIL" because it effectively breaks these emails' protections.

PGP works using an algorithm to generate a "hash", or mathematical summary, of a user's name and other information. The idea is that attackers shouldn't be able to read your messages even if they intercept them or somehow gain access to your accounts. It does not encrypt metadata and is very far from easy to use, but it is nevertheless widely regarded as by far the safest way to send secure emails.

Keith Lee, the founder of a LawyerSmack, an online legal community, says: "The most [lawyers] are doing is using GSuite or some equivalent and relying on that in transit encryption, but are rarely (if ever) actually encrypting the text/content of emails".

In the first exploit, hackers can "exfiltrate" e-mails in plaintext by exploiting a weakness inherent in hypertext markup language (HTML), which is used in Web design and in formatting e-mails.

PGP is often used to encrypt messages in popular email programs such as Outlook, Apple Mail, Thunderbird, and Enigmail.

An HTML image tag that uses a src attribute that is opened with quotes but not closed.

PGP is a type of email encryption.

The message is send to the target. The attacker would then simply need to find the URL request in their web server logs to see the decoded message. He also noted that "PGP clients are vulnerable because 17 years after a vulnerability was known, the mitigation was not made a default in GnuPG and defense was instead left to PGP clients, which also make a convenient scapegoat when it goes pear-shaped".

What can you do to protect yourself?

With this in mind, users who exploit Pretty Good Privacy (PGP) plugins or S/MIME for sensitive communication are advised to disable them in their email clients. Copy and paste the encrypted text into separate programs to decrypt the text. You can also disable HTML rendering in your email messages.

Thunderbird users may want to check out our guide Switch Between HTML And Plain Text Emails In Thunderbird to enable plaintext email messages in the client.

GPGTools tweeted "'Efail": "as a temporary workaround against "efail" ..., disable "Load remote content in messages' in Mail → Preferences → Viewing. The reason is that a team of European researchers has found critical flaws in the encryption standards and now there are no fixes available.

But if you're still anxious, you can always opt for plain-text over HTML emails - or just use Signal like everyone else.

Related News:



Most liked

Preliminary Results Show Sadr ahead of Abadi in Iraq Elections
Voter turnout was 44.52 per cent, the Independent High Electoral Commission said , significantly lower than in previous elections. In 2004, Sadr's Mahdi Army fought a brutal, bloody insurgency against coalition forces, demanding they withdraw from the country.

Federer to usurp Nadal as world number one
I think I really hurt him with them... "I don't have any doubt he's going to be back up at the highest level". Thiem has lost six straight matches against Anderson, but the two have never met on clay.

Oil at $100 is a possibility next year, Bank of America says
They will grumble and accept it. "There is no one who will realistically choose Iran over the U.S. ", said energy consultancy FGE. The other nuclear states are Russian Federation , the U.S, France, China, the U.K., Pakistan, India and North Korea.

9 dead, dozens injured as multiple blasts hit eastern Afghan city
Taliban militants and fighters of Islamic State outfit have presence in the province, some 120 km east of Afghan capital of Kabul. However, the Taliban is now taking part in its annual spring offensive and has launched a number of attacks in recent weeks.