Secure Encrypted Email Platform PGP Is Not Secure

Uploaded on 2018-05-21 in TECHNOLOGY-Key Areas-Social Media, NEWS-Cybersecurity News, FREE TO VIEW

The cybersecurity community is bracing for impact after a team of researchers revealed recently that critical vulnerabilities in the encrypted email program PGP (Pretty Good Privacy) could be exploited to expose secret messages in plain text. 

PGP, which is used to scramble the content of sensitive messages and believed to be one of the most secure methods of protecting private email communications, was used by National Security Agency (NSA) whistleblower Edward Snowden to contact journalists.

Sebastian Schinzel, professor of computer security at Germany’s Münster University of Applied Sciences, alongside a team of eight researchers, revealed on Twitter that there are currently no stable fixes for the issues and said the service should not be used until a patch is released. 

The Electronic Frontier Foundation (EFF), a digital liberties campaign group, released guides on how to temporarily disable PGP plug-ins in three email clients.

“We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past,” Schinzel tweeted, sparking immediate concern from users.

“There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now,” he added

In its blog post, the EFF wrote: “A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME.

“EFF has been in communication with the research team and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages. 

“In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication. Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.”

The blog post concluded: “Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.”

Reacting to the news, Matt Blaze, a cryptography expert at the University of Pennsylvania, tweeted: “Our collective inability to design and deploy a useable secure email system at scale is one of the most embarrassing failures of the applied cryptography community.”

Newsweek

You Might Also Read: 

Top Tips To Protect Email Accounts From Hackers:

Security & Encryption After Edward Snowden:
 

« Ex-Employee Suspected Of Leaking CIA Hacking Tools
The Swiss Bank Where Robots Replace Employees »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Zurich

Zurich

Zurich is a leading multi-line insurer providing a wide range of property and casualty, and life insurance products and services in more than 210 countries and territories.

ShmooCon

ShmooCon

ShmooCon is an annual east coast hacker convention offering three days of demonstrations and discussions of critical infosec issues.

AEI Cybersecurity

AEI Cybersecurity

AEI brings together companies, Research Centres, Universities, and other organizations interested in promoting new cybersecurity technologies.

Apricorn

Apricorn

Apricorn provides hardware-based 256-bit encrypted external storage products to companies and organizations that require high-level protection for their data at rest.

Blueskytec (BST)

Blueskytec (BST)

Blueskytec has applied its experience of over three decades of working in the field of embedded systems and encryption to provide a scalable and appropriate technology for cyber-physical devices.

Blockchain Research Institute (BRI)

Blockchain Research Institute (BRI)

Blockchain Research Institute (BRI) is an independent, global think-tank. We bring together the world’s top global researchers to undertake ground-breaking research on blockchain technology.

SparkLabs Cyber + Blockchain

SparkLabs Cyber + Blockchain

SparkLabs Cyber + Blockchain accelerator is located in Washington D.C. which is one of the world's top cybersecurity ecosystems.

Chicago Quantum Exchange (CQE)

Chicago Quantum Exchange (CQE)

Chicago Quantum Exchange is an intellectual hub and community of researchers with the common goal of advancing academic and industrial efforts in the science and engineering of quantum information.

HARMAN International

HARMAN International

HARMAN designs and engineers connected products and solutions for automakers, consumers, and enterprises worldwide.

Threat Con

Threat Con

Threat Con is a one of its kind event in Nepal, a series of annual international security conventions similar to the famous Black Hat and DEF CON conferences.

Prompt Security

Prompt Security

Prompt Security provides an LLM agnostic approach to ensure security, data privacy and safety across all aspects of Generative AI.

Control D

Control D

Control D is a modern and customizable DNS service that blocks threats, unwanted content and ads - on all devices.

Keyrus

Keyrus

Keyrus is a global consultancy that develops data and digital solutions for performance management.

Abstract Security

Abstract Security

Abstract Security has created a revolutionary platform, equipped with an AI-powered assistant, to better centralize the management of security analytics.

Jitterbit

Jitterbit

Jitterbit integrates critical business processes and enables application development to deliver the experiences and insights needed by enterprises of all sizes to accelerate their digital journey.

CoNetrix

CoNetrix

CoNetrix is a full service computer networking, software development, and security and compliance firm built on the principles of integrity, innovation, and initiative.