Email under threat as issues with PGP and S/MIME protocols surface

The internet’s two most popular forms of encryption, PGP and S/MIME, are leaving email vulnerable to hacks that can reveal the plaintext of encrypted messages, according to researcher Sebastian Schinzel, a professor of computer security with Münster University of Applied Sciences.

After breaking the news on Twitter on Sunday night he added: “There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now.”

What is PGP?

PGP, which stands for Pretty Good Privacy, is one of the most popular encryption programs; it is a two-factor authentication system. Although it was first developed in 1991 by a software engineer named Phil Zimmermann, it became mainstream after whistleblower Edward Snowden revealed the scope of the US government’s surveillance programme. While PGP is today owned by Symantec, an open source implementation called GNU Privacy Guard (GPG) has been widely adopted by the security community in a number of contexts; this is referred to as OpenPGP.

The Efail Report

The discovery was made as part of wider research which has just been released. While the security community reacts to the research and assesses it, Schinzel is keeping the public updated on social media. The EFF, which has seen the research in full, has issued a warning.

“Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email,” the EFF wrote in its blog post.

Furthermore, separate guides have been provided to disable PGP plugins in Thunderbird, Apple Mail, and Outlook. Anyone who wants their email communication to be secure and private should take notice.

Andrew Ross

As a reporter with Information Age, Andrew Ross writes articles for technology leaders, helping them manage business-critical issues both for today and in the future.
