#EFAIL vulnerability: What PGP and S/MIME users need to do right now

By Rene Ritchie
published

A team of European researchers claim to have found critical vulnerabilities in PGP/GPG and S/MIME. PGP, which stands for Pretty Good Privacy, is code used to encrypt communications, commonly email. S/MIME, which stands for Secure/Multipurpose Internet Mail Extension, is a way to sign and encrypt modern email and all the extended character sets, attachments, and content it contains. If you want the same level of security in email as you have in end-to-end encrypted messaging, it's likely you're using PGP / S/MIME. And, right now, they may be vulnerable to hacks.

See more

Danny O'Brien and Gennie Genhart, writing for The EFF:

A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.

And:

Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.

Dan Goodin at Ars Technica notes:

Both Schinzel and the EFF blog post referred those affected to EFF instructions for disabling plug-ins in Thunderbird, macOS Mail, and Outlook. The instructions say only to "disable PGP integration in e-mail clients." Interestingly, there's no advice to remove PGP apps such as Gpg4win, GNU Privacy Guard. Once the plugin tools are removed from the Thunderbird, Mail or Outlook, the EFF posts said, "your emails will not be automatically decrypted." On Twitter, EFF officials went on to say: "do not decrypt encrypted PGP messages that you receive using your email client."

Werner Koch, on the GNU Privacy Guard Twitter account and the gnupg mailing list got a hold of the report and retorts:

The topic of that paper is that HTML is used as a back channel to create an oracle for modified encrypted mails. It is long known that HTML mails and in particular external links like are evil if the MUA actually honors them (which many meanwhile seem to do again; see all these newsletters). Due to broken MIME parsers a bunch of MUAs seem to concatenate decrypted HTML mime parts which makes it easy to plant such HTML snippets.

There are two ways to mitigate this attack

  • Don't use HTML mails. Or if you really need to read them use a proper MIME parser and disallow any access to external links.
  • Use authenticated encryption.

There's a lot to sift through here and the researchers aren't releasing their findings to the public until tomorrow. So, in the meantime, if you use PGP and S/MIME for encrypted email, read the EFF article, read the gnupg mail, and then:

  • If you feel the least bit concerned, temporarily disable email encryption in Outlook, macOS Mail, Thunderbird, etc. and switch to something like Signal, WhatsApp, or iMessage for secure communication until the dust settles.
  • If you're not concerned, still keep an eye on the story and see if anything changes over the next couple of days.

There will always be exploits and vulnerabilities, potential and proven. What's important is that they're disclosed ethically, reported responsibly, and addressed expeditiously.

We'll update this story as more becomes known. In the meantime, let me if you use PGP / S/MIME for encrypted email and, if so, what's your take?

Rene Ritchie
Rene Ritchie
Contributor

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

7 Comments
  • What about IOS mail, can anything (should anything) be done?
  • Can anyone explain why turning off the encryption is more important? Not sure how this can be worse than standard email... Either way, bitmessage may be better. Or signal on all open devices. Or ProtonMail or alike, but they've had issues too.
  • The guidance isn't to turn off encryption. It is to, "immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email." In other words, disable the automatic decrypting of encrypted messages. Also to seek out other methods of end to end secure communication.
  • "modern email" is really an oxymoron. The fact that you require an external service to encrypt email (which not everyone has) is really showing the age of email. On a serious note, if you want to send an important or private message, use an actual "modern" messaging system
  • If I am sending plain text email that is even worse that encrypted text email that has a vulnerability. Talk about making it easy for the bad actors.
  • it is not: since you know they are plain text and you act consequently, minding what you write in your messages.
  • The issues that the researchers exploit with these attacks, such as the problem with the way the OpenPGP protocol handles feedback, have been known for some time. Also, there are specific mitigations already in place in some mail clients and in the OpenPGP protocol that can prevent this attack from succeeding. Specifically, the use of Modification Detection Codes (MDC), which are warnings about the integrity of an encrypted message, will let users know that a message is not authenticated. “This is at its heart a malleability attack on OpenPGP's cipher feedback mode. These attacks aren't new. The IETF OpenPGP Working Group first knew about them in 1999. By September 2000, GnuPG had a defense. The defense is called a Modification Detection Code, or MDC. Originally MDCs were optional. Today they're the default. The Efail attack requires an MDC either be missing or be invalid,” Robert J. Hansen, who works on the Enigmail encrypted email plugin for Thunderbird, wrote on Twitter Monday.