PGP: ‘Serious’ flaw found in secure email tech
Emails! What will we do without emails? After social network applications and search engines, emails have to be the next most important and most used feature in our everyday lives.
From sending out curriculum vitae’s to checking up on friends, to sending classified and important documents, to the dispensing of information or just the plain cold pitches and follow-ups, the use of emails cannot be understated.
This very reason of importance is the same reason why like social networks, and emails must be secure enough for usage. Users want their information private and secure. Unfortunately, while we have gotten this security feature all these years, it is now under threat because of a serious flaw recently found.
Researchers have announced the technology people rely on to send encrypted emails has a serious flaw. The flaw was found in PGP/GPG and S/MIME email encryption software and it potentially lets others view sent messages in plain text.
PGP (Pretty Good Privacy) is known as a data encryption method sometimes added to programs that send and receive email.
The Suddeutsche Zeitung newspaper released details about the vulnerability prior to a scheduled embargo.
The Electronic Frontier Foundation (EFF) had however previously advised users to immediately disable email tools that automatically decrypted PGP.
Sebastian Schinzel and his colleagues at Munster University of Applied Sciences had earlier investigated the problem. They went on to publish their research revealing how the attack on PGP email worked after the embargo on releasing details about the vulnerability was lifted.
A website dedicated to explaining the issue has now been made available to the public.
It’s however important to note that the PGP flaw isn’t one of the core protocols of PGP, according to BBC. The flaw instead is in the various email programs that fail to properly check for decryption errors before following links in emails that included HTML code.
This was made available after there had been a growing concerning among cyber-security researchers that the issue probably affected the core protocol of PGP – which meant that all uses of the encryption method, file encryption included could be made vulnerable.
Werner Koh, of GnuPG, said the issue had been overblown by the EFF.
His colleague Robert Hansen argued on Twitter that the issue isn’t new and had been known about for some time. He went on to add that it wasn’t really a vulnerability in the OpenPGP system but rather in email programs designed without appropriate safeguards.
Real Secrets Revealed
Mikko Hypponen, a Security expert at F-Secure, said the vulnerability could, in theory, be used to decrypt a cache of encrypted emails sent in the past, if an attacker had access to such data, according to his own understanding.
He told BBC that it is bad because the people who use PGP use it for a reason. He said people don’t use it for fun but because they have real secrets, like business secrets or confidential materials.
“It does have some big implications as it could lead to a channel for sneaking data off devices as well as for decrypting messages”, Allan Woodward, at the University of Surrey also added.
The researchers offered that the users of PGP email can disable HTML in their mail programs in order to stay safe from attacks caused by the vulnerability. Emails with PGP decryption tools separate from email programs can also be decrypted.
While the issue might be waved as being blown out of proportion by the groups like GnuPG, users of this encrypting service would want this issue to be sorted out as soon as possible.