May 26, 2018

#Efail: Secure email system PGP under fire after researchers find vulnerabilities that could expose the contents of encrypted emails

The most widely used secure email system, Pretty Good Privacy (PGP), is in hot water after researchers at a German university reported vulnerabilities in the email clients that use it, vulnerabilities that could allow an attacker to obtain the plaintext of encrypted emails.

PGP is used across the world as a secure way of sending email, especially by journalists, human rights defenders and businesses for confidential communication.

The revelation by researcher Sebastian Schinzel of Münster University of Applied Sciences sent shockwaves through the PGP user community. Initially, the researchers revealed only that vulnerabilities had been found that could allow an attacker to read encrypted emails. Schinzel also stated that, since there was no reliable fix available, users should disable PGP in their email clients altogether.

Panic set in when the Electronic Frontier Foundation, a reputable digital rights organization, said it had confirmed that the vulnerability was real and called for PGP to be disabled. It also listed a series of steps for disabling PGP decryption in common email clients. In its blog post, the EFF said:

“EFF has been in communication with the research team and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages. In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication. Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.”

The researchers had initially said that the paper's findings would be shared on May 15, but then published the full paper on their website.

However, digital security expert Furhan Hussain, speaking to this scribe, said the matter had been blown out of proportion and should not have been sensationalized in this manner. He said there were definitely problems with the security of PGP email, but they were unlikely to affect users on a mass level.

“Firstly, the researchers did not talk to GPG and Enigmail. The issue is with email clients, not with PGP itself. In any case, the PGP protocol will be upgraded in the long term. Also, the vulnerability will not hit those people who were sending PGP emails in plain text. HTML is a vulnerable medium for sending emails, and it was never advisable. Those sending HTML emails with all the rich text could be affected by this vulnerability. But it is important to mention here that this vulnerability is not a mass exploit. It is targeted. You need the ciphertext of the person you want to exploit. The person wanting to exploit the target has to inject into that email to exploit it; otherwise it would not be possible for him to exploit the vulnerability. Also, the paper is out, and after reading it we have found that this matter is not the end of the world. In fact, there is a defense built into the PGP system. When this defense is not used, then the vulnerability comes into play.”
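Hussain does not name the built-in defense he refers to. The integrity check that OpenPGP itself provides is the Modification Detection Code (MDC): a message that carries it stores its payload in the Symmetrically Encrypted Integrity Protected Data packet (tag 18 in RFC 4880) rather than in the legacy Symmetrically Encrypted Data packet (tag 9), which has no integrity protection at all. The script below is an added example written for this article; it is not code from the Efail researchers, GnuPG or Enigmail. It walks the packet headers of an OpenPGP message and reports which of the two packet types carries the payload, so a practitioner can tell, without decrypting anything, whether the sender's software produced an integrity-protected message. The sample messages at the bottom are constructed by hand, with placeholder key IDs and placeholder "ciphertext" bytes. Two caveats: the check says nothing about whether your own client still renders output after a failed MDC check, and it does nothing about HTML in the decrypted content fetching remote resources, which is why plain-text mail fares better in the scenario Hussain describes.

```python
"""Report whether an OpenPGP message uses the integrity-protected (MDC) packet.

Added illustration for this article, not code from the Efail researchers,
GnuPG or Enigmail. Parses packet headers per RFC 4880 section 4.2 and
classifies the encrypted payload as tag 18 (Sym. Encrypted Integrity
Protected Data, carries an MDC) or tag 9 (legacy Sym. Encrypted Data, no
MDC). Sample messages are constructed by hand; ciphertext bytes are
placeholders and do not decrypt to anything.
"""
import base64

PACKET_NAMES = {
    1: "Public-Key Encrypted Session Key",
    3: "Symmetric-Key Encrypted Session Key",
    8: "Compressed Data",
    9: "Symmetrically Encrypted Data (no MDC)",
    11: "Literal Data",
    18: "Sym. Encrypted Integrity Protected Data (MDC)",
}
TAG_SED, TAG_SEIPD = 9, 18


def dearmor(text):
    """Strip ASCII armor (BEGIN/END lines, armor headers, CRC line) and base64-decode."""
    lines = text.strip().splitlines()
    if not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an armored PGP message")
    body = lines[1:-1]
    if "" in body:                                # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    data = "".join(l for l in body if not l.startswith("="))  # drop the "=CRC24" line
    return base64.b64decode(data)


def _new_format_length(buf, pos):
    """Return (length, next_pos, is_partial) for a new-format length field."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1, False
    if first < 224:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2, False
    if first == 255:
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5, False
    return 1 << (first & 0x1F), pos + 1, True     # partial body length, more chunks follow


def parse_packets(buf):
    """Yield (tag, body) for each packet in a binary OpenPGP message."""
    pos = 0
    while pos < len(buf):
        ctb = buf[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header byte 0x{ctb:02x} at offset {pos}")
        pos += 1
        if ctb & 0x40:                            # new-format header: tag in the low 6 bits
            tag = ctb & 0x3F
            body = b""
            while True:                           # reassemble partial-length chunks
                length, pos, partial = _new_format_length(buf, pos)
                body += buf[pos:pos + length]
                pos += length
                if not partial:
                    break
        else:                                     # old-format header: tag in bits 5..2
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                length = len(buf) - pos           # indeterminate length: runs to end of input
            else:
                n = (1, 2, 4)[ltype]
                length = int.from_bytes(buf[pos:pos + n], "big")
                pos += n
            body = buf[pos:pos + length]
            pos += length
        yield tag, body


def uses_mdc(message):
    """True if the payload is a tag-18 (MDC) packet, False if it is legacy tag 9.

    Accepts armored text or raw bytes. Raises if no encrypted data packet is present.
    """
    buf = dearmor(message) if isinstance(message, str) else message
    tags = [tag for tag, _ in parse_packets(buf)]
    if TAG_SEIPD in tags:
        return True
    if TAG_SED in tags:
        return False
    raise ValueError(f"no encrypted data packet among tags {tags}")


# --- constructed sample messages (placeholder key ID, algorithm and ciphertext) ---
PKESK = bytes([0xC1, 13]) + b"\x03" + b"\x00" * 8 + b"\x01" + b"\x00\x08\xAB"
SEIPD = bytes([0xD2, 21]) + b"\x01" + b"\x55" * 20            # version 1 + 20 placeholder bytes
LEGACY_SED = bytes([0xA4, 20]) + b"\x55" * 20                  # old-format header, 1-octet length
# tag 18 written with partial body lengths: a 1-byte partial chunk, then a final 5-byte chunk
SEIPD_PARTIAL = bytes([0xD2, 224]) + b"\x01" + bytes([5]) + b"\x55" * 5

SAMPLES = {
    "modern": PKESK + SEIPD,
    "legacy": PKESK + LEGACY_SED,
    "partial": PKESK + SEIPD_PARTIAL,
}


def armor(buf):
    """Wrap raw bytes in ASCII armor (no CRC line) so the samples also exercise dearmor()."""
    b64 = base64.b64encode(buf).decode()
    return "-----BEGIN PGP MESSAGE-----\nVersion: example\n\n" + b64 + "\n-----END PGP MESSAGE-----\n"


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        tags = [PACKET_NAMES.get(t, t) for t, _ in parse_packets(raw)]
        print(f"{name}: {tags} -> MDC present: {uses_mdc(armor(raw))}")
```

For a real message, pass the armored text (everything from BEGIN PGP MESSAGE to END PGP MESSAGE) to uses_mdc(); dearmor() discards the armor headers and the CRC line. In practice `gpg --list-packets` prints the same packet types; the script exists to show what the two packet types look like on the wire and why a message produced without the MDC offers the client nothing to verify.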

Meanwhile, the researcher Sebastian Schinzel insisted on his Twitter profile that the team had contacted the developers of the affected secure email tools.

The issue has been trending on Twitter under the hashtag #Efail.


Written by

Talal Raza is a Program Manager at Media Matters for Democracy. He has worked with renowned media organizations and NGOs including Geo News, The Nation, United States Institute of Peace and Privacy International.
