PGP and S/MIME vulnerability - Critical

[ikeke]

https://efail.de/

https://twitter.com/i/web/status/995906638556155904

https://arstechnica.com/information...s-can-reveal-encrypted-e-mails-uninstall-now/

The Internet’s two most widely used methods for encrypting email—PGP and S/MIME—are vulnerable to hacks that can reveal the plaintext of encrypted messages, a researcher warned late Sunday night. He went on to say there are no reliable fixes and to advise anyone who uses either encryption standard for sensitive communications to remove them immediately from email clients.
The flaws “might reveal the plaintext of encrypted emails, including encrypted emails you sent in the past,” Sebastian Schinzel, a professor of computer security at Münster University of Applied Sciences, wrote on Twitter. “There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now.”

 

[RejZoR]

Some clarification from experts in this field:
https://protonmail.com/blog/pgp-vulnerability-efail/

It seems everyone is banking on drama factor, just like the AMD's "vulnerabilities" fiasco. What seems to be the case here are flaws in PGP implementation and not flaws in PGP itself. So, nothing to see her folks, PGP is still as secure as ever, just check that services or programs using it have it properly implemented.

 

[ikeke]

Yes, it's written in the article, disable automatic decryption in email client.