23.05.2018

PGP wasn`t as secure as you may have thought

A widely used email data encryption method from PGP (Pretty Good Privacy) wasn’t as secure as first thought when Sebastian Schinzel from Munster University of Applied Sciences investigated. 

After an embargo on releasing details about the vulnerability was lifted, Mr Schinzel and colleagues published their research revealing how the attack on PGP emails worked.

There was initially concern among cyber-security researchers that the issue affected the core protocol of PGP - meaning that all uses of the encryption method, including file encryption, could be made vulnerable.

The issue concerned email programs that failed to check for decryption errors properly before following links in emails that included HTML code.

Security expert Mikko Hypponen, at F-Secure, said his understanding was that the vulnerability could in theory be used to decrypt a cache of encrypted emails sent in the past, if an attacker had access to such data.

"This is bad because the people who use PGP use it for a reason".

"People don't use it for fun - people who use it have real secrets, like business secrets or confidential things."

Alan Woodward, at the University of Surrey, agreed, adding: "It does have some big implications as it could lead to a channel for sneaking data off devices as well as for decrypting messages."

The researchers have said that users of PGP email can disable HTML in their mail programs to stay safe from attacks based on the vulnerability.

It is also possible to decrypt emails with PGP decryption tools separate from email programs.

More information on this issue can be read here: efail.de

Source: BBC News website