Researchers: stop using PGP immediately due to vulnerabilities – update

Several German researchers and the Electronic Frontier Foundation warn that users should stop using PGP immediately. There are critical, unpatched flaws in email encryption that can make past emails readable.

The Electronic Frontier Foundation says that stopping the use of PGP should be a temporary measure, until the impact of the vulnerabilities is clearer and there may be ways to use PGP safely again. Until then, the organization recommends using Signal for encrypted communication.

One of the discoverers of the vulnerabilities, security researcher Sebastian Schinzel, also says that users should stop using PGP immediately, as the vulnerabilities allow decryption of message content.

There are no details yet. GnuPG founder Werner Koch says the vulnerability is in the HTML parsing of PGP emails in mail clients. Disabling the display of HTML in emails would therefore prevent attackers from exploiting the vulnerability. Koch says he saw the paper, in a posting that NOS journalist Joost Schellevis referred to.

The researchers, who are affiliated with the Fachhochschule Münster, among others, will publish the details of the vulnerabilities, which they have called #fail, in a paper on Tuesday. The vulnerabilities are in both PGP and S/MIME and there are currently no patches for them.

Update, 13:21: #fail’s site and paper are online sooner than the researchers said. Indeed, the researchers used the display of HTML from external sources in emails to get hold of content from PGP emails.
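Koch's mitigation and the update both come down to HTML in emails that loads content from external sources. The following defender-side triage check is an added example, not code from the researchers or from any mail client: it flags messages that combine PGP or S/MIME content with HTML that would fetch remote resources if rendered. The attribute list, the `hold_for_review` flag and the sample message are assumptions made for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that make a client fetch a remote resource when it renders HTML.
FETCH_ATTRS = {"src", "background", "poster", "srcset"}
ENCRYPTED_TYPES = {"application/pgp-encrypted", "application/pkcs7-mime",
                   "application/x-pkcs7-mime"}

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            fetches = name in FETCH_ATTRS or (tag == "link" and name == "href")
            if fetches and value and urlparse(value.strip()).scheme in ("http", "https"):
                self.refs.append((tag, name, value.strip()))

def audit_message(raw: bytes) -> dict:
    """Report encrypted content and remote-loading HTML in one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    refs, encrypted = [], False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ENCRYPTED_TYPES:
            encrypted = True
        elif ctype in ("text/plain", "text/html"):
            body = part.get_content()
            encrypted = encrypted or "-----BEGIN PGP MESSAGE-----" in body
            if ctype == "text/html":
                finder = RemoteRefFinder()
                finder.feed(body)
                refs.extend(finder.refs)
    return {"encrypted": encrypted, "remote_refs": refs,
            "hold_for_review": encrypted and bool(refs)}

# Constructed sample message: placeholder text, no real ciphertext or hosts.
SAMPLE = (b"From: a@example.org\r\nTo: b@example.org\r\nSubject: sample\r\n"
          b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"B\"\r\n\r\n"
          b"--B\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
          b"<p>hi</p><img src=\"http://img.example.net/logo.png\">\r\n"
          b"--B\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n"
          b"-----BEGIN PGP MESSAGE-----\r\n(placeholder)\r\n-----END PGP MESSAGE-----\r\n"
          b"--B--\r\n")

if __name__ == "__main__":
    print(audit_message(SAMPLE))
```

`application/pkcs7-mime` is also used for signed-only S/MIME, so the `encrypted` flag can over-report; treat a hit as a prompt to review the message, not as proof of tampering.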
