Critical PGP and S/MIME bugs can reveal encrypted e-mails
The Internet’s two most widely used methods for encrypting e-mail–PGP and S/Mime–are vulnerable to hacks that can reveal the plaintext of encrypted messages, a researcher warned late Sunday night. He went on to say there are no reliable fixes and to advise anyone who uses either encryption standard for sensitive communications to remove them immediately from e-mail clients. Little is publicly known about the flaws at the moment.
Both Schinzel and the EFF blog post said they will be disclosed late Monday night California time in a paper written by a team of European security researchers. Schinzel’s Twitter messages used the hashtag #efail, a possible indication of the name the researchers have given to their exploit. Given the track record of the researchers and the confirmation from EFF, it’s worth heeding the advice to disable PGP and S/MIME in e-mail clients while waiting for more details to be released Monday night.
Ars will publish many more details when they are publicly available.