Security experts are warning PGP users to disable tools that automatically decrypt PGP-encrypted email after the discovery of a critical vulnerability which could help attackers read protected emails.
The new research will be revealed in a paper on Tuesday morning, but those behind it and the Electronic Frontier Foundation (EFF) are warning the user community in advance.
The latter said in a brief statement:
“Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.”
A more detailed explanation and analysis will be forthcoming once the research is formally released tomorrow, but the vulnerabilities are thought to affect both the PGP and S/MIME public key encryption standards.
The information was also posted on Twitter by professor Sebastian Schinzel, who leads the ITS group at Münster University of Applied Sciences.
He said the vulnerabilities “might reveal the plaintext of encrypted emails, including encrypted emails sent in the past” and that there are no current fixes available.
However, Werner Koch, free software developer and author of the GNU Privacy Guard, posted a response on Monday in which he claims the warnings from EFF are “pretty overblown.”
He said attacks exploiting the vulnerabilities can be mitigated if users eschew HTML emails, or at least if they read them using a “proper MIME parser and disallow any access to external links.”
Another way would be to use authenticated encryption via tools such as OpenPGP, he argued.
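The mitigation described above, using a proper MIME parser and refusing any access to external resources, can be checked mechanically before a decrypted message is ever handed to an HTML renderer. The following is an added example, not code from the article, from GnuPG or from any mail client: it walks a MIME message with Python's standard `email` package and lists every reference in its HTML parts that would make a renderer fetch a remote resource (image sources, stylesheet links, scripts, frames, `url()` in CSS). The sample message, the domain `tracker.example` and the function names are constructed for the example; a mail client would run such a check and render the message only when the returned list is empty, or rewrite the HTML to drop those references.

```python
"""Flag remote-content references in the HTML parts of a MIME message.

Added example, not from the article or from any mail client. Standard
library only: `email` parses the MIME tree, `html.parser` walks HTML parts.
The sample message at the bottom is constructed.
"""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser

# Tag/attribute pairs that cause a renderer to fetch a remote resource.
# (<a href> is deliberately absent: it needs a click, it is not auto-fetched.)
REMOTE_ATTRS = {
    "img": ("src",),
    "link": ("href",),
    "script": ("src",),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src",),
    "object": ("data",),
    "embed": ("src",),
}
# url(http://...) / url("https://...") inside CSS, in <style> blocks or style="".
_CSS_URL = re.compile(r"url\(\s*['\"]?\s*(https?://[^'\")\s]+)", re.IGNORECASE)


class RemoteRefFinder(HTMLParser):
    """Collect (tag, attribute, url) triples for remote resources."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        for attr in REMOTE_ATTRS.get(tag, ()):
            value = attrs.get(attr) or ""
            # cid: and data: references stay local; only http(s) goes out.
            if value.lower().startswith(("http://", "https://")):
                self.refs.append((tag, attr, value))
        for url in _CSS_URL.findall(attrs.get("style") or ""):
            self.refs.append((tag, "style", url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # Inline <style> blocks: background: url(https://...) etc.
        if self._in_style:
            for url in _CSS_URL.findall(data):
                self.refs.append(("style", "url()", url))


def find_remote_refs(raw_message: bytes):
    """Parse a raw RFC 5322 message and return remote references in HTML parts."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    refs = []
    for part in msg.walk():  # visits every leaf of the MIME tree
        if part.get_content_type() == "text/html":
            finder = RemoteRefFinder()
            finder.feed(part.get_content())
            finder.close()
            refs.extend(finder.refs)
    return refs


def safe_to_render(raw_message: bytes) -> bool:
    """Policy hook: render HTML only if nothing in it reaches out to the network."""
    return not find_remote_refs(raw_message)


# Constructed sample: multipart/alternative with a tracking pixel and a CSS
# background fetched from a remote host; the cid: image and the <a> are local.
SAMPLE_EMAIL = b"""\
From: alice@example.com
To: bob@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hello, see the attached report.
--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<style>body { background: url(https://tracker.example/bg.png); }</style>
<p>Hello, see the attached report.</p>
<img src="https://tracker.example/pixel.png" width="1" height="1">
<img src="cid:inline-logo@example.com">
<a href="https://tracker.example/link">link</a>
</body></html>
--b1--
"""

PLAIN_EMAIL = b"""\
From: alice@example.com
To: bob@example.com
Subject: constructed plain sample
Content-Type: text/plain; charset="utf-8"

Nothing to fetch here.
"""

if __name__ == "__main__":
    for tag, attr, url in find_remote_refs(SAMPLE_EMAIL):
        print(f"remote resource: <{tag} {attr}> -> {url}")
    print("render sample:", safe_to_render(SAMPLE_EMAIL))
    print("render plain:", safe_to_render(PLAIN_EMAIL))
```

The check looks at parsed MIME parts rather than at the raw bytes, which matters because a rendered message may consist of several parts, and it treats `cid:` and `data:` references as local so that ordinary inline images are not flagged. It intentionally lists only references that a renderer fetches on its own; links that require a click are left alone.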