Critical vulnerabilities in PGP and S / MIME allow reading encrypted email messages

Image: eff.org



German information security researchers have published information about serious PGP and S / MIME vulnerabilities that lead to the disclosure of information contained in encrypted emails. There are currently no fixes for these security bugs.

')

What is the problem

PGP (Pretty Good Privacy) is an encryption standard that is often used to secure email communications. S / MIME (Secure / Multipurpose Internet Mail Extensions) is another widely used email encryption tool.



As the researchers found out, both of these technologies contain vulnerabilities, using which attackers can gain access to the data that was encrypted. Worse, the messages sent in the past can also be decrypted.



The researchers published a detailed technical description of the detected errors, from which it becomes clear that the problems are not in the operation of encryption algorithms, but in the plugin mechanism for decrypting messages.

How to protect

The presence of “undisturbed” vulnerabilities was confirmed by representatives of the Electronic Frontier Foundation (EFF), recommending that users immediately disable plug-ins and email clients using vulnerable technologies, in particular:

• Thunderbird client with Enigmail tool;
• Apple Mail with GPGTools;
• Outlook with Gpg4win.