Security experts from Europe are warning users who encrypt their email with PGP and S/MIME, saying they are no longer safe to use.
The critical flaw found in both standards allows attackers to pull plaintext from encrypted emails. In other words, they can defeat the encryption and reveal the private contents of users' emails.
The Issue: EFAIL
Dubbed "EFAIL," the flaw affects the popular email clients Apple Mail, Microsoft Outlook, and Thunderbird.
Sebastian Schinzel, a Münster University of Applied Sciences professor of computer security, explains the scope of the potential danger in a tweet:
We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4 — Sebastian Schinzel (@seecurity) May 14, 2018
What To Do Now
Schinzel says that there isn't a reliable fix available at the moment, but there is one way to mitigate the risk. According to the Electronic Frontier Foundation, users must look for alternatives to PGP or S/MIME and turn off any software that automatically decrypts email encrypted with PGP.
"Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email," it says.
The EFF also took to Twitter to warn users of the threat:
For now, do not decrypt encrypted PGP messages that you receive using your email client. Instead, use non-email based messaging platforms, like Signal, for your encrypted messaging needs. — EFF (@EFF) May 14, 2018
PGP and S/MIME are two of the most used email encryption methods on the internet, though the former isn't that popular (its creator reportedly doesn't even use it). At any rate, what this means is that there are a lot of users out there who are at risk.
For the record, PGP stands for "Pretty Good Privacy," while S/MIME is for Secure/Multipurpose Internet Mail Extensions.
The researchers have published a paper on how encrypted emails can be turned into plaintext.