Photo : AP

If you use PGP or S/MIME for email encryption you should immediately disable it in your email client. Researchers have discovered a critical vulnerability they’re calling EFAIL that exposes the encrypted emails in plaintext, even for messages sent in the past.


“Email is no longer a secure communication medium,” Sebastian Schinzel, a professor of computer security at Germany’s Münster University of Applied Sciences, told the German news outlet Süddeutsche Zeitung.

The vulnerability was first reported by the Electronic Frontier Foundation (EFF) in the early hours of Monday morning, and details were released prematurely just before 6am ET today after Süddeutsche Zeitung broke a news embargo. The group of European researchers are warning people to stop using PGP entirely and say that, “there are currently no reliable fixes for the vulnerability.”


From the researchers:

The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails. In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago. The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim’s email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.

You can read more about what the researchers are calling the EFAIL vulnerability at https://efail.de/.

Sebastian Schinzel, a co-author of the new study, had planned to wait until the early morning hours of Tuesday to release their findings, but the embargo was broken. In the long term, the standards need to be drastically updated, which researchers warn will take a considerable amount of time.


PGP (Pretty Good Privacy) is an encryption program that’s considered the gold standard for email security and was first developed in 1991. Encrypted email, often sold as a kind of invisibility shield by too many irresponsible security experts, became more mainstream after whistleblower Edward Snowden revealed the scope of the U.S. government’s electronic surveillance in June of 2013. But encrypted email isn’t perfect, just as no security system ever will be.

For its part, the privacy community is insisting that this vulnerability is overblown and that people are overreacting. Werner Koch, principal author of GNU Privacy Guard, writes that the two ways to mitigate this attack are to simply not use HTML emails, and to use authenticated encryption, something noted in the paper.


“They figured out mail clients which don’t properly check for decryption errors and also follow links in HTML mails. So the vulnerability is in the mail clients and not in the protocols. In fact OpenPGP is immune if used correctly while S/MIME has no deployed mitigation,” GNU Privacy Guard said on Twitter.

“If used correctly” seems to be the magic phrase for so many security companies these days. Others have begun to notice just how silly this argument can be.


The EFF has guides for how to disable PGP in Apple Mail, in Outlook, and in Thunderbird. What should you use as an alternative? The EFF says that there are no reliable email alternatives, and recommends using Signal for end-to-end encrypted texts and phone calls. But be aware that nothing is foolproof.


You can read the full paper, authored by Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jörg Schwenk over at EFAIL.de.

[EFF and Süddeutsche Zeitung]