USA TODAY International Edition
Researchers explain why encrypted emails may be at risk
If you use a tool to encrypt your email messages, it may be at risk from flaws uncovered by European researchers.
A paper posted by German and Belgian researchers to the website Efail details how tools used to secure sensitive email messages can be exposed in plain text.
“There are currently no reliable fixes for the vulnerability,” said Sebastian Schinzel, one of the researchers who helped write the Efail paper, in a post on Twitter.
Here’s what you should know about the vulnerability:
What is Efail?
It breaks down flaws found in two key tools for email encryption: PGP and S/MIME.
PGP (Pretty Good Privacy) and S/MIME (Secure/Multipurpose Internet Mail Extensions) are tools used to secure sensitive email messages. While most email clients offer baseline levels of security for email, users who want an extra layer of protection will add PGP extensions to encrypt messages. In the case of S/MIME, the standard is often used in corporate versions of email clients to secure messages.
The Efail flaws break encryption “by coercing clients into sending the full plaintext of the emails to the attacker,” says a post from researchers.
“PGP in its current form has served us well, but ‘pretty good privacy’ is no longer enough,” says a blog post from the Electronic Frontier Foundation. “We all need to work on really good privacy, right now.”
Why does it matter?
People like journalists or whistleblowers who rely on encrypted messaging to send and receive sensitive information find themselves at great risk of exposure.
“Powerful attackers such as nation state agencies are known to eavesdrop on email communications of a large number of people,” Efail researchers said.
How should I protect myself?
Researchers advise decrypting your messages outside of your email client using a third-party application. The EFF said it would cut back on sending messages via PGP for both internal and external messages.
The group said dropping PGP entirely is too challenging.
“There is no other email encryption tool that has the adoption levels, multiple implementations, and open standards support that would allow us to recommend it as a complete replacement for PGP,” it wrote.
EFF also suggests considering using encrypted messaging apps including Signal.
If you use PGP plug-ins for your email accounts, you should consider disabling them. EFF has posted tutorials on how to remove them from clients such as Mozilla’s Thunderbird and Apple’s Mail.