In this instance, the all-caps in the headline aren’t hyperbole – they’re an emergency. “Email is no longer a secure communication medium,” according to researchers at Germany’s Münster University of Applied Sciences. A new vulnerability, dubbed EFail, can allow attackers to remove encryption from PGP messages – including messages sent prior to the bug’s discovery. In other words, your entire archive of secure mail may now be at risk.
How Does EFail Work?
The silver lining in the cloud created by EFail is that the encryption that underlies PGP is safe. The bad news, however, is that your email client probably isn’t. That’s because your email client probably allows HTML content to display inside of a message, and HTML is the avenue that an attacker can use to breach PGP.
Let’s say that you’ve set up your email client to automatically encrypt and decrypt your email messages. So far, so convenient. If an attacker steals your email credentials, however, the result is much less convenient. Ordinarily, PGP encryption would mean that an attacker couldn’t read your emails – even if your credentials were stolen. By taking advantage of EFail, however, the attacker can modify the HTML content of your encrypted emails in a way that forces your email client to decrypt them automatically.
Is there a way to Avoid EFail?
It took fifteen days, during which all PGP users were advised to disable their plugins and stop using the encryption program, but PGP is now useable. Be warned, there are caveats – the fix will work for some users, but not all, and only covers some parts of PGP.
Per the Electronic Frontier Foundation (EFF), users of Thunderbird with the Enigmail plugin can simply update to an Enigmail version later than 2.0.6 and turn on the “View as Plain Text” setting. (The linked article has detailed instructions on how to do this safely.) GPGTools and Apple Mail remain vulnerable, however.
If you’re using other email clients, you should be extremely cautious. If your email client cannot be configured to avoid using, do not use PGP with it – use an external client instead. Most importantly, you should be sure to confirm that anyone you correspond with is also using a safe version of PGP.
EFail is Probably the Nail in the Coffin for PGP
Although some tentative fixes are available for EFail, they don’t apply to every PGP plugin in every email client. While users can switch to an external PGP application instead, this generally adds several inconvenient steps to the process of sending an email. Furthermore, these precautions may be rendered moot if the person you’re sending emails to fails to protect themselves against EFail as well.
Is there still a point to using PGP? If you’re an individual user, you absolutely need to use secure email, and you absolutely trust the person you’re communicating with, the answer may still be yes. For everyone else, however – people who need to use secure email every day with a variety of correspondents they may not trust very much – it may be prudent to seek more convenient options.
Safe-T’s Secure Email and File Access is more secure than PGP, because it works even if the person on the other end of the conversation isn’t using it. There’s no software to install or keys to exchange. It can be used with nearly any email client, including both Outlook and Gmail.
Lastly, unlike PGP, there’s no file size restriction on attachments. In a world where PGP has become so difficult to use, Safe-T makes email security effortless. For more information, sign up for a free trial today!