Danger in emails encrypted with PGP, risk of being deciphered

Two of the most commonly used systems for encrypting email, PGP and S/MIME, are vulnerable to attacks that can expose encrypted content. This was revealed last night by some European researchers who will publish all the technical details tomorrow. In the meantime, they urge users not to use these encryption methods from their email clients. The vulnerabilities identified by the researchers, led by Sebastian Schinzel, a professor of computer security at Münster University of Applied Sciences, "could reveal the plaintext of encrypted emails, including encrypted emails that you have sent yourself in the past." Furthermore, the professor wrote on Twitter, "at this moment there are no reliable solutions for the detected vulnerability. If you use PGP/GPG or S/MIME for very sensitive communications, you should disable them in your email client as soon as possible".

In addition to Schinzel's tweets, there is an article by the Electronic Frontier Foundation (EFF), a digital rights NGO, which has been in contact with the researchers and "confirms that these vulnerabilities pose an immediate risk to those who use these tools for email communication, including the possible exposure of contents of past messages". The advice of the EFF and the researchers is to immediately disable or uninstall the tools that automatically decrypt emails encrypted with PGP. This refers to the plugins that integrate PGP into mail clients: Enigmail for Thunderbird, GPGTools for macOS Mail, and Gpg4win for Outlook. Until the vulnerabilities described in the paper to be published tomorrow are better analyzed and understood, the researchers' advice is to use other encrypted channels such as Signal.

Insights

S/MIME is analogous to PGP and offers the same services, but uses different, incompatible formats. Unlike PGP, which relies on a web of trust to distribute public keys, correspondents using S/MIME need a Certification Authority, which authenticates and validates the applicant before issuing a digital certificate.

Two key features are the digital signature and the "digital envelope": the symmetric key used to encrypt the message is itself encrypted with the recipient's public key and sent along with the message. In addition to ensuring the integrity and confidentiality of the message, S/MIME authenticates the owner of a public key through digital certificates.
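The digital envelope described above, built and inspected with the OpenSSL command line; this is an added example, not part of the original article. The recipient name `recipient.example`, the throwaway self-signed certificate (standing in for a CA-issued one) and the message are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: an S/MIME "digital envelope" built and inspected with OpenSSL.
# Recipient name, key, certificate and message are constructed for this demo.

MSG='constructed test message'

make_envelope() {   # $1 = empty work directory
  # Throwaway recipient key pair and self-signed certificate
  # (assumption: stands in for a certificate issued by a real CA).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=recipient.example' \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null || return 1
  printf '%s' "$MSG" > "$1/msg.txt"
  # Seal: OpenSSL generates a random AES-256 key for the body, then encrypts
  # that key with the public key taken from the recipient's certificate.
  openssl cms -encrypt -binary -aes-256-cbc -in "$1/msg.txt" \
    -outform PEM -out "$1/env.pem" "$1/cert.pem"
}

envelope_fields() { # $1 = work directory; list the key and content fields
  openssl cms -cmsout -print -noout -inform PEM -in "$1/env.pem" |
    grep -E 'contentType:|algorithm:|encryptedKey:|encryptedContent:'
}

open_envelope() {   # recipient side: private key unwraps the AES key, then the body
  openssl cms -decrypt -binary -inform PEM -in "$1/env.pem" \
    -recip "$1/cert.pem" -inkey "$1/key.pem"
}

# Demo run: show the envelope structure, then the recovered plaintext.
work=$(mktemp -d)
make_envelope "$work" && envelope_fields "$work" && open_envelope "$work"
echo
rm -rf "$work"
```

The `encryptedKey` field is the wrapped symmetric key and `encryptedContent` is the message body; only the holder of `key.pem` can recover the first and therefore the second.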

 
