PGP/GPG & S/MIME Decrypted, says infosec Professor

Users advised to stop using and/or uninstall plugins ASAP to stop Pretty Grievous Pwnage

A professor of Computer Security at the Münster University of Applied Sciences‏ has warned that popular email encryption tool Pretty Good Privacy (PGP) might actually allow Pretty Grievous P0wnage thanks to bugs that can allow supposedly encrypted emails to be read as plaintext.

Professor Sebastian Schinzel took to Twitter with the news early on Monday, European time.

A second Tweet warns “There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now.”

Schnizel and his fellow researchers have alerted a few folks about the problem, among them the Electronic Frontier Foundation which has assessed his research and agreed that PGP has flaws.

An EFF advisory says “these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.”

“Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email,” the EFF’s post said. It also name dEnigmail for Thunderbird, GPGTools for Apple Mail and Gpg4win for Outlook as worthy of disablement, and offers instructions on how to do so.

“Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email,” the advisory says.

Schnizel has promised full details on Tuesday morning at 0700 UTC.  We will update the article or release another post when the professor reveals all.