Sebastian Schinzel, a professor of Computer Security at the Münster University of Applied Sciences, this week issued a dire warning about a critical flaw in the S/MIME and OpenPGP encryption tools, which would allow attackers to read supposedly encrypted emails in plaintext form.
Schinzel and his team's research has been corroborated by the Electronic Frontier Foundation (EFF), and is described in detail by the researchers in a paper published earlier today. The flaw, named EFAIL, reportedly affects both sent and received messages, including past correspondence.
According to Schinzel, no fixes currently exist for the vulnerability, and the best thing users can do for now is to disable the relevant encryption standards:
There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now. Also read @EFF’s blog post on this issue: https://t.co/zJh2YHhE5q #efail 2/4
— Sebastian Schinzel (@seecurity) May 14, 2018
EFF's statement on the matter mirrored Schinzel's, and also includes instructions on how to disable PGP plug-ins in Thunderbird with Enigmail, Apple Mail with GPGTools and Outlook with Gpg4win. The digital privacy watchdog also suggested using alternatives, such as Signal, for the time being, while the implications of the vulnerabilities described in the paper are better understood, and hopefully mitigated, by the cybersecurity community.
Source: EFF via BleepingComputer