PGP & S/MIME Email Vulnerable To Being Read By Third Parties Say Researchers

A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. These are standards that prevent people from reading your email by securing and encrypting it. Except the researchers have shown that people can still read your email. Here’s the details from the EFF:

A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.


Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.

The flaws seem to affect Apple Mail with GPGTools, Mozilla Thunderbird with Engimail, and Outlook with Gpg4win. You’re going to note that all those email clients have to be used with a secondary application or plugin for PGP and S/MIME to work. That’s because the problem is in how email program plugins handle the mail after it’s been decrypted, not in the underlying PGP/SMIME code. And only for HTML emails, and only in the email clients noted above. So if you are using a different email client then you are fine. Probably. If you understand how PGP/SMIME works, and are willing to do some manula work, then you are still fine.

Well see what all the affected vendors do to address this as I suspect a response will be quick.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: