Slashdot Mirror


Attention PGP Users: New Vulnerabilities Require You To Take Action Now (eff.org)

A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. From a report: EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages. The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific).

In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication. Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.
Further reading: People Are Freaking Out That PGP Is 'Broken' -- But You Shouldn't Be Using It Anyway (Motherboard).

9 of 129 comments

  1. Or any other encryption by jbmartin6 · Score: 5, Informative

    The problem is the clients decrypt, then process any external requests for content. So if you can re-send an encrypted email with an external content request added to it, the client will happily decrypt then send the content request with your precious decrypted content. If you globally disable fetching any external content you don't have to worry. The encryption protocols all work fine, it is the behavior of the clients after the decryption that is the problem. So S/MIME would be affected too, or potentially any other encryption tool. Refusing to load any external content under any circumstances is good advice anyway.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    1. Re:Or any other encryption by xxxJonBoyxxx · Score: 5, Informative

      ^^^ THIS ^^^ - PGP and SMIME are still fine. It's that dumb-ass software put secure (decrypted) and non-secure content into the same pot, and let the non-secure content broadcast the secure content out.

      This site has the actual details (and paper): https://efail.de/

      "EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago. The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim's email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker."

  2. Re:Holy shit! by Anonymous Coward · Score: 5, Informative

    Isn't this supposed to be a peer reviewed protocol that was guaranteed to be secure? How long has this program existed? Holy shit.

    The problem is in how email program plugins handle the mail after it's been decrypted, not in the underlying PGP/SMIME code.

  3. Some advice is worth what you paid for it by ugen · Score: 5, Informative

    Yes, indeed, some advice there. Because there is some potential for bad actors to possibly decrypt some of the PGP encrypted messages, if said messages include HTML with links to 3rd party sites (which your email client must display automatically), you need to **completely disable** email encryption. Then all of your email becomes clear text and fully readable by anyone without effort, and thus you are completely safe from that vulnerability. SMH.

    That wonderful advice is brought to you by researchers in no way sponsored by NSA or any other 3 letter agency.

    For those worried - make sure your email client does not automatically display any embedded HTML links (or, better yet, just turn off HTML formatted email). I believe this is the default for Enigmail encrypted email anyway. Use plaintext, and you are as safe as cryptography allows. (I believe Enigmail authors posted a message to that effect).

  4. Re:Final straw. Computers are NOT secure. I'm done by Carewolf · Score: 5, Informative

    PGP is broken now? It's only had fairly infrequent and minor issues over time. If this is broken now, then it's the final sign that anyone who thinks computers can be secured is wrong. If you want something secure, write it down in a notebook. It'll be about 100x more secure than putting it on a computer simply by not being networked. Even if someone steals and reads your notebook it's better than someone having it on their phone (or PGP, now I guess) for the ENTIRE WORLD to come along and steal. Computers are great for games, everything else is debatable.

    PGP is not broken. The way a few bad email clients are using it is broken. If you are not using Thunderbird you are safe with PGP. While S/MIME is compromised in every email client except modern Outlook, KMail, and mutt.

  5. Re:Holy shit! by Carewolf · Score: 4, Informative

    Isn't this supposed to be a peer reviewed protocol that was guaranteed to be secure? How long has this program existed? Holy shit.

    The problem is in how email program plugins handle the mail after it's been decrypted, not in the underlying PGP/SMIME code.

    And only for HTML emails, and only in Thunderbird, Apple Mail, Postbox and Airmail. So if you are using a better email client, especially a non-Mac one, you are fine.

  6. Re:Holy shit! by OtisSnerd · Score: 3, Informative

    The problem is in how email program plugins handle the mail after it's been decrypted, not in the underlying PGP/SMIME code.

    And only for HTML emails, and only in Thunderbird, Apple Mail, Postbox and Airmail. So if you are using a better email client, especially a non-Mac one, you are fine.

    According to the EFF notice, it also affects Outlook with the GPG4win plugin. Outlook also has built-in S/MIME checking, and oddly, that's been throwing errors on the signed emails I'm getting from the ClamAV list this morning...

  7. Re:Weird Advice by cryptizard · Score: 3, Informative

    Nope, the problem is that an adversary can send you a carefully crafted email, which inside of it has an old encrypted email that they want to break into, and due to automatic decryption and rendering of HTML elements the plaintext of that encrypted email gets exfiltrated to a target server. The core issue is actually in the way MIME works with multi-part emails where you are allowed to have some unencrypted HTML and some encrypted segments together in the same email.
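The message shape described in comments 1 and 7 (an unencrypted HTML part that fetches remote content sitting beside an encrypted part in one multipart message) is something a mail gateway or client plugin can flag before anything is decrypted. The checker below is an added example for this page, not code from EFF, the researchers or any mail client; the sample message, its `.invalid` host and the placeholder ciphertext are constructed.

```python
import re
from email import message_from_string, policy

# Constructed sample: remote-image HTML next to an inline-PGP part, one message.
SAMPLE = """\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body><img src="http://collector.example.invalid/i.png"></body></html>
--b1
Content-Type: text/plain

-----BEGIN PGP MESSAGE-----
(placeholder ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

# Attributes and CSS functions that make a renderer fetch a remote URL.
REMOTE_REF = re.compile(r'(?:\b(?:src|href|background)\s*=\s*["\']?|url\(\s*["\']?)\s*(?:https?:)?//', re.I)

def is_encrypted_part(part):
    """True for PGP/MIME, S/MIME enveloped data, or inline (non-MIME) PGP."""
    ctype = part.get_content_type()
    if ctype in ("multipart/encrypted", "application/pgp-encrypted"):
        return True
    if ctype == "application/pkcs7-mime":
        return part.get_param("smime-type") == "enveloped-data"
    return ctype == "text/plain" and "-----BEGIN PGP MESSAGE-----" in part.get_content()

def remote_refs(part):
    """Count remote fetches an HTML part would trigger when rendered."""
    if part.get_content_type() != "text/html":
        return 0
    return len(REMOTE_REF.findall(part.get_content()))

def assess(raw):
    """Classify one raw RFC 822 message; 'mixed' is the EFAIL-prone shape."""
    parts = list(message_from_string(raw, policy=policy.default).walk())
    encrypted = any(is_encrypted_part(p) for p in parts)
    refs = sum(remote_refs(p) for p in parts)
    if encrypted and refs:
        return "mixed", refs  # decrypted text could be rendered into a remote fetch
    if refs:
        return "remote-content", refs
    return ("encrypted-only" if encrypted else "clean"), 0

if __name__ == "__main__":
    print(assess(SAMPLE))  # ('mixed', 1)
```

This only sees structure outside the ciphertext, so it catches the direct-exfiltration layout but not the CBC/CFB gadget variant discussed below; blocking remote content in the client covers both.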

  8. Re:Holy shit! by unrtst · Score: 3, Informative

    This all goes back to really stupid features being added to email. There is no good reason to load external resources into an email. Want to include an image in your email? Go for it, but include it in the email. Why the hell would an external image get automatically loaded in an email that I downloaded for offline reading?!?! If it's external, just provide a link to it. Hell, just get rid of HTML email altogether!

    The CBC "gadget" vulnerability seems kinda scary (see https://efail.de/), but I'm fairly certain that a signed and encrypted message would identify these (modifying the encrypted message via CBC gadget will break the message signature). While one *can* send an encrypted message that is not signed, that's never actually done. So, if you get an encrypted message that is not signed, that should set off an alarm in the email client and lock down that message (sandbox it).

    This is 100% the fault of the email client implementations. FWIW, if you still use mutt or pine or alpine etc, you're safe for now. They did mention other backchannels, but didn't name any... maybe more will be disclosed on that later?