Do you use PGP/GPG and S/MIME email encryption? They’re vulnerable (updated)

A major vulnerability has been revealed, and will be detailed very shortly, affecting mail encryption using PGP/GPG and S/MIME. If you use these, urgent action is recommended to limit the risk of your messages being decrypted.

These are not standard features of mail clients, but are common add-ins used to ensure the privacy of messages. For example, if you have this available in Apple’s Mail app, there will be a plugin named GPGMail.mailbundle in either ~/Library/Mail/Bundles or /Library/Mail/Bundles.

If you have this installed in Apple’s Mail, its equivalent in Microsoft Outlook, or any other mail client, the researchers who identified this vulnerability and the EFF are strongly recommending that you disable encryption and remove the plugin now. The EFF has, for example, shown here how to do this for Apple’s Mail.
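To confirm whether the GPGMail plugin is actually present before you act on the recommendation, the following POSIX shell snippet checks the two Mail bundle locations named above. This is an added example, not code from the original post or from GPGTools; the only paths it relies on are the two from the post, and the optional version read via `defaults` is assumed to be available only on macOS and is skipped elsewhere.

```shell
#!/bin/sh
# Added example: report whether GPGMail.mailbundle is installed in either of
# the Apple Mail plugin directories named in the post. The function accepts
# alternative base directories so it can be exercised against a test tree.

# find_gpgmail_bundles [DIR...]
# Prints each DIR/GPGMail.mailbundle that exists.
# Returns 0 if at least one was found, 1 otherwise.
find_gpgmail_bundles() {
    found=1
    if [ "$#" -eq 0 ]; then
        # Default to the per-user and system-wide Mail bundle directories.
        set -- "$HOME/Library/Mail/Bundles" "/Library/Mail/Bundles"
    fi
    for dir in "$@"; do
        bundle="$dir/GPGMail.mailbundle"
        if [ -d "$bundle" ]; then
            printf '%s\n' "$bundle"
            found=0
        fi
    done
    return "$found"
}

# bundle_version BUNDLE
# Prints the bundle's short version string when the macOS `defaults` tool is
# available (assumption: only present on macOS); prints "unknown" otherwise.
bundle_version() {
    if command -v defaults >/dev/null 2>&1 && [ -f "$1/Contents/Info.plist" ]; then
        defaults read "$1/Contents/Info" CFBundleShortVersionString 2>/dev/null || echo unknown
    else
        echo unknown
    fi
}

# report_gpgmail [DIR...]
# Human-readable summary: lists any installed bundle with its version, or
# states that none was found. Always returns 0 so it is safe under `set -e`.
report_gpgmail() {
    if bundles=$(find_gpgmail_bundles "$@"); then
        echo "GPGMail plugin found; PGP/GPG encryption is active in Apple Mail:"
        for b in $bundles; do
            echo "  $b (version $(bundle_version "$b"))"
        done
    else
        echo "No GPGMail plugin found in the Mail bundle directories."
    fi
    return 0
}

report_gpgmail "$@"
```

Run it with no arguments to check the default locations; pass one or more directories to check a different tree. A found bundle means the add-in the post describes is installed and the disable-and-remove advice applies to you.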

Interestingly, the EFF are recommending that users switch temporarily to using a different secure end-to-end channel such as Signal – which has had its own vulnerability recently!

More details will be made available at 0700 UTC on 15 May 2018.

Postscript: draft version 0.9.0 of the paper detailing the Efail vulnerability to be disclosed in full tomorrow is available in PDF from here.

Looking through it, this is not a single, simple vulnerability which is going to be easily fixed. Apple’s Mail 11.2, with GPGTools installed, appears to be one of the most vulnerable implementations. Although the recommendation above appears drastic, I can understand why it has been made. It’s your choice, but the longer you continue to use a vulnerable system like this, the greater your chances of having your encryption broken.

Note: there’s a new article with more details following full disclosure.