PGP isn't broken and you don't need to disable it, says inventor

Phil Zimmermann and ProtonMail criticise EFF's advice that users delete PGP to deal with EFAIL

ProtonMail and the inventor of Pretty Good Privacy (PGP) have released a strong statement dispelling recent reports that the encryption program should be disabled because of alleged vulnerabilities.

The developers of the email encryption program, including its creator Phil Zimmermann, have come together to set the record straight, taking aim at the Electronic Frontier Foundation (EFF) for promoting advice that users disable PGP to deal with the EFAIL issue.


"EFF recommended that users disable PGP plugins or stop using PGP altogether. This is akin to saying, 'Some locks can be broken; therefore we must remove all doors.' This is particularly dangerous because it can put at risk individuals who rely on PGP encryption for security," Andy Yen of ProtonMail, PGP inventor Phil Zimmermann, Enigmail founder Patrick Brunschwig and Thomas Oberndorfer, founder of Mailvelope, said in a joint statement.

The EFF promoted a research paper earlier this month from Professor Sebastian Schinzel, of Germany's FH Münster University of Applied Sciences, which claimed PGP and S/MIME email encryption had critical vulnerabilities.

The professor initially tweeted about the EFAIL issue, which he found exposes encrypted emails in plaintext, before alerting the EFF about the problem.

"Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email," an EFF spokesperson advised at the time.


However, Zimmermann and his cohorts yesterday said such advice is misleading and potentially dangerous, as the EFAIL vulnerabilities are not flaws with the OpenPGP protocol, but are actually errors created during implementation of the program.

As an open standard, PGP can be implemented by anyone, which can lead to some security weaknesses, Zimmermann and the others said, adding that this does not mean that PGP itself is broken.

"Both our recommendations and EFF's require user action on the part of the sender and recipient of messages, but our recommendation provides better security," they stated. "If you receive PGP email, following our recommendations protects you from EFAIL, while still allowing you to easily decrypt PGP messages."

Their recommendation to combat the EFAIL vulnerability is for users to update their PGP software to the latest version and, before sending any sensitive information, ensure that the person at the other end of the communication line is also using an unaffected implementation or has updated their PGP software.


Among the most commonly used software based on PGP, only Enigmail and GPGTools were vulnerable, but ProtonMail said the issues are easy to mitigate by upgrading Enigmail to version 2.0.5 and using only simple HTML or plaintext viewing modes in Thunderbird.

If you use GPGTools, it is advised you disable loading remote content.

14/05/2018: EFAIL: PGP has a huge security flaw  

A professor of computer science has warned users of Pretty Good Privacy (PGP) that the encryption program has vulnerabilities and should be immediately disabled.

The critical vulnerability, dubbed EFAIL by Professor Sebastian Schinzel of Germany's FH Münster University of Applied Sciences, exposes encrypted emails in plaintext, even for messages sent in the past.

Professor Schinzel posted on Twitter that the university would publish its findings in the early hours of Tuesday morning, before alerting the Electronic Frontier Foundation (EFF), who first reported the vulnerability. However, the embargo was broken by German news outlet Süddeutsche Zeitung, which posted the findings in the early hours of Monday.

"Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email," an EFF spokesperson advised.


"The flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email."

EFAIL works by targeting 'active content' of HTML emails - namely loaded images or styles - to exfiltrate plaintext through requested URLs. It's not that simple, though - before doing that a hacker must find the encrypted emails they want by spying on network traffic and then compromising email accounts, servers, backup systems or client computers.

"The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim," the EFF's spokesperson explained. "The victim's email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker."
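The "disable loading remote content" mitigation can be checked mechanically. The following is an added example, not part of the original article or of any project named in it: it lists the elements in a decrypted HTML body that would make a mail client fetch a URL on its own. The tag/attribute table and the sample message are assumptions constructed for illustration and are not exhaustive.

```python
import re
from html.parser import HTMLParser

# Tag/attribute pairs a mail client fetches without a click (assumed list, not exhaustive).
AUTO_FETCH = {
    "img": ("src", "srcset"), "source": ("src", "srcset"), "link": ("href",),
    "iframe": ("src",), "embed": ("src",), "object": ("data",), "input": ("src",),
    "video": ("src", "poster"), "audio": ("src",), "body": ("background",),
}
# URLs referenced from CSS, via url(...) or @import.
CSS_URL = re.compile(r"(?:@import\s+(?:url\(\s*)?|url\(\s*)['\"]?([^'\")\s;]+)", re.I)
# Absolute or protocol-relative web URLs; cid:, data: and relative paths stay local.
REMOTE = re.compile(r"\s*(?:https?:)?//", re.I)

class RemoteLoadFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits, self._in_style = [], False

    def _check(self, tag, attr, url):
        if url and REMOTE.match(url):
            self.hits.append((tag, attr, url.strip()))

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if name in AUTO_FETCH.get(tag, ()):
                self._check(tag, name, value)
            elif name == "style" and value:      # inline CSS on any element
                for url in CSS_URL.findall(value):
                    self._check(tag, "style", url)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:                       # contents of a <style> block
            for url in CSS_URL.findall(data):
                self._check("style", "css", url)

def find_remote_loads(html_body):
    """Return (tag, attribute, url) for every automatic remote fetch in html_body."""
    finder = RemoteLoadFinder()
    finder.feed(html_body)
    finder.close()
    return finder.hits

# Constructed sample body: three automatic remote loads, one embedded image, one plain link.
SAMPLE = """<style>body { background: url(https://cdn.example/bg.png) }</style>
<p>Quarterly figures attached.</p><img src="cid:logo@local">
<img src="https://tracker.example/pixel.png" width="1">
<a href="https://example.org/report">report</a>
<div style="background-image:url('//img.example/banner.jpg')">hi</div>"""
```

A client or gateway that renders only bodies for which `find_remote_loads` returns an empty list, and falls back to plaintext otherwise, gets the same effect as the "simple HTML or plaintext" viewing modes recommended above.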

Pretty Good Privacy (PGP) was generally considered the gold standard for email security, placing coded layers of security on top of text content, so that the text is scrambled if it's ever intercepted. PGP was created by computer scientist Phil Zimmermann in 1991 and bought by Symantec in 2010, but the EFAIL issues relate to the OpenPGP standard.

Morten Brogger, CEO of Wire, a B2B end-to-end encryption firm, said: "Today's announcement from the EFF highlights the danger in relying on email for sensitive communication. Email protocol was never built with security in mind. Efforts to make email safer haven't seen widespread adoption because these solutions are 'hacks' on top of legacy infrastructure, causing an error-prone and clunky user experience.

"It's clear that companies must invest to secure their internal and external communications. This investment in time and money must go into new future-proofed platforms that are built from the ground-up with security in mind. In 2018, businesses must re-evaluate how they communicate, opting to phase out email for secure communications solutions that are open-source, independently audited and end-to-end encrypted."
