What is PGP encryption? How to protect against the PGP vulnerability

German researchers have found a major vulnerability in PGP (Pretty Good Privacy), a popular email encryption program, which could reveal past and present encrypted emails.

Sebastian Schinzel, professor of computer science at Münster University, investigated the flaw, tweeting that full details of the vulnerability will be available from 15 May.

He said: "they might reveal the plaintext of encrypted emails, including encrypted emails sent in the past."

Since its release in 1991, PGP has been considered the standard for encrypted messages and remains one of the most popular methods of sending private emails.

Its use has tailed off noticeably, however, since the adoption of private messaging apps such as Signal and Telegram, which offer end-to-end encryption.

The Electronic Frontier Foundation (EFF), a San Francisco-based digital rights group, has reviewed the possible flaws and confirmed in a blog post that "these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages."

Details about the vulnerability were published by the Süddeutsche Zeitung newspaper before the scheduled embargo.

How to protect against the PGP flaw

The advice of the EFF and Schinzel mirrors one another: disable any plug-ins that use PGP, stop sending and reading PGP-encrypted email, and use other end-to-end encrypted channels such as Signal for the time being.

The EFF has issued detailed tutorials on how to disable PGP encryption in the major email clients such as Outlook and Apple Mail.

If you use Thunderbird with Enigmail, Apple Mail with GPGTools or Outlook with Gpg4win, the EFF has step-by-step tutorials for temporarily disabling those PGP plug-ins.

It's believed that the vulnerabilities exist in the email clients themselves, rather than the PGP encryption protocol.

According to the GNU Privacy Guard (GnuPG) project, which maintains the encryption software, the problem lies in email programs that fail to check properly for decryption errors and that follow links in HTML-formatted emails.
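The two checks such a client should make, as an added illustration that is not part of the article or of GnuPG's own code: it parses constructed sample GnuPG `--status-fd` output (assumed to use the real status keywords DECRYPTION_OKAY, GOODMDC, BADMDC and DECRYPTION_FAILED) and refuses to render plaintext that did not verify, or whose HTML would trigger remote fetches.

```python
import re
from html.parser import HTMLParser

# Constructed sample status output, not captured from a real gpg run.
STATUS_GOOD = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 0
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION
"""
STATUS_BAD_MDC = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 0
[GNUPG:] BADMDC
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION
"""


def decryption_verified(status_output: str) -> bool:
    """True only if GnuPG reported a successful decryption AND a good MDC.
    A message with no integrity protection yields neither GOODMDC nor BADMDC,
    so requiring GOODMDC rejects it too; rendering on anything less is the
    mistake the article describes."""
    tokens = set()
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) > 1 and parts[0] == "[GNUPG:]":
            tokens.add(parts[1])
    if "DECRYPTION_FAILED" in tokens or "BADMDC" in tokens:
        return False
    return "DECRYPTION_OKAY" in tokens and "GOODMDC" in tokens


class RemoteRefFinder(HTMLParser):
    """Collect attribute values that would cause a network fetch when rendered."""
    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href", "background", "action") and value \
                    and re.match(r"(?i)^(https?:)?//", value.strip()):
                self.remote.append((tag, value))


def remote_references(html: str):
    parser = RemoteRefFinder()
    parser.feed(html)
    return parser.remote


def safe_to_render(status_output: str, plaintext_html: str) -> bool:
    """Render only if decryption verified and the body triggers no fetches."""
    return decryption_verified(status_output) and not remote_references(plaintext_html)
```

A real client would normally keep the message but block the remote content rather than refuse the whole message; the point is that neither check may be skipped.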

Werner Koch, principal author of GnuPG, wrote in a blog post today that the EFF had "overblown" the issue. He also noted that he was not contacted about it directly.

Right now there is no fix for the flaw, so taking extra precautions and using an alternative secure messaging service is the best temporary way to handle the situation.


Copyright © 2018 IDG Communications, Inc.
