PGP apocalypse (and how to overcome it)


How can you outsmart a brutal attack on your encrypted emails?

Especially if you are a journalist, a politician, or an activist…

As recently as today (actually late last Sunday night), a major set of vulnerabilities in OpenPGP and S/MIME (end-to-end encryption technologies) was found that could endanger your sensitive communications via email. This is so critical that it may reveal the plaintext of your encrypted emails. EFAIL, as it has been dubbed, changes an already encrypted email in such a way that when the victim’s email client decrypts it and loads any external content, it sends the plaintext to the attacker.

Since emails are plaintext communications, the initial encrypted email (encrypted via the two most widely used methods: PGP and S/MIME) can be sourced (stolen?) from your network traffic or by attacking your email accounts or your email servers. The compromised email doesn’t have to be recent; it could be from years prior. It is a well-known fact that governments, state institutions and similar bodies make a habit of snooping on emails from a variety of people, including you. The thing is that they now have a set of new vulnerabilities that they can use against you.

The European team that discovered the vulnerabilities stated that “the vulnerabilities pose an immediate risk to those using these tools (PGP and S/MIME) for email communication, including the potential exposure of the contents of past messages”.

The bad part of this news release is that according to the same team of researchers, there are no reliable fixes for the vulnerabilities. However, they do provide some tips for you to outsmart such a brutal attack:

  1. Do not use decryption in your email client (do it in a separate application outside of your email client).

How do you do that? Copy and paste ciphertext into a separate decryption application.

  2. Disable incoming HTML emails in your email client.

How do you do that? Check your email client’s settings for the option. For example, in Thunderbird (according to Rinzwind in AskUbuntu):

1) Check: View-Messages in plain text
2) Avoid using preview (use F8 to toggle on/off)
3) Go to Tools-Options-Advanced-Privacy-Block loading of remote images
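Both tips can be supported by a small script run outside the email client. The following is an added example, not code from the researchers or from any mail client: it reads a saved raw message, pulls out the armored PGP block so it can be handed to a separate decryption application, and counts the HTML parts and remote references that should never be rendered. The function name `triage`, the sample message and its `.invalid` addresses are all constructed for illustration.

```python
import re
from email import message_from_string, policy

ARMOR_RE = re.compile(
    r"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----", re.DOTALL)
# Attributes that can make a client fetch a remote URL while rendering HTML.
REMOTE_RE = re.compile(
    r"""\b(?:src|href|background)\s*=\s*["']?\s*https?://""", re.I)

def triage(raw_email):
    """Collect armored PGP blocks; count HTML parts and remote references."""
    msg = message_from_string(raw_email, policy=policy.default)
    report = {"armored": [], "html_parts": 0, "remote_refs": 0}
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no body of their own
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        report["armored"] += ARMOR_RE.findall(body)
        if part.get_content_type() == "text/html":
            report["html_parts"] += 1
            report["remote_refs"] += len(REMOTE_RE.findall(body))
    return report

# Constructed sample: placeholder ciphertext and reserved .invalid domains.
SAMPLE = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Report attached.</p><img src="http://img.example.invalid/p.png">
--b1
Content-Type: text/plain; charset="utf-8"

-----BEGIN PGP MESSAGE-----

PLACEHOLDERplaceholderPLACEHOLDER
=AAAA
-----END PGP MESSAGE-----
--b1--
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("HTML parts:", result["html_parts"], "remote refs:", result["remote_refs"])
    print("\n\n".join(result["armored"]))  # paste this into the separate decryptor
```

A non-zero `remote_refs` count next to an armored block is the combination the tips above are meant to neutralise: decrypt the extracted block in the separate application and leave the HTML unrendered.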

Remember, these are only temporary fixes. We are waiting eagerly for the perfect mitigation in the near future, hopefully in a short period of time. In the meantime, you have been warned, so outsmart the attackers with the tools provided here.