Danny O’Brien and Gennie Gebhart write:
A group of European security researchers have released a warningabout a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.
The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific). In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication.
Read more on EFF, who provide directions on how to disable plugins.
You can read more about the vulnerability here, on https://efail.de. And the full technical paper in draft form can be found here:
Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels [v0.9 Draft][PDF]
Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jörg Schwenk.
27th USENIX Security Symposium, San Diego, August 2018.
Update:on Twitter, a spokesperson for Enigmail advised users not to believe all the hype.
Speaking for Enigmail: don’t believe the hype. Don’t panic. Make sure you’re running the latest version of Enigmail. Yes, we have seen the paper. Out of deference to the paper authors, we will forego further comment until publication. https://t.co/I5crWs8fYI
— Robert J. Hansen (@robertjhansen) May 14, 2018
He later added, “The flaw can be completely mitigated by watching for packets with missing or invalid MDCs and reacting appropriately. Most email clients already do this. If you’re one of them, you’re safe.”
The flaw can be completely mitigated by watching for packets with missing or invalid MDCs and reacting appropriately. Most email clients already do this. If you’re one of them, you’re safe.
— Robert J. Hansen (@robertjhansen) May 14, 2018
You may wish to read the entire thread on Twitter, beginning with GNUPG’s statement.