Secure Email Standard May Not be So Secure After All

Pretty Good Privacy, better known as PGP, is an email encryption methodology that has served as the standard of email security over the past few decades, but researchers have recently found a flaw that could make it vulnerable to attacks by skilled hackers. According to a report published this week by the British Broadcasting Corporation, details are beginning to emerge about the vulnerability, which was found by researchers from a German university.

In the United States, the Electronic Frontier Foundation issued an alert urging users of PGP email tools to disable their decryption applications until a formal notice was disseminated to the press. In Germany, a newspaper decided to publish the embargoed press release ahead of time and in the interest of the public; the newspaper editors explained that many journalists around the world rely on PGP email communications, thus creating a serious need to break the embargo and publish the news.

Shortly after the flaw was made public, a website showing the methodology of the research and the nature of the flaw was unveiled. The vulnerability is related to handling of HTML code within encrypted messages, and the potential attack has been named EFAIL. It should be noted that the flaw is not related to the core programming of PGP; it only affects email applications that do not check encryption errors in messages that feature HTML code such as formatting and external links.

Since the OpenPGP protocol itself does not contain the aforementioned EFAIL vulnerability, email providers only need to update their GnuPGP versions or look into their application to ensure that MDC error checking is not compromising encryption. PGP email users can always stay safe by omitting HTML code in their messages; this has always been a recommended security measure. Aside from only using plain text and sending compressed attachments that are protected by passwords, PĜP email users can also run their encrypted messages through external decryption tools separate from their email applications.

Embedding HTML code within email messages is a common practice that the most careful security researchers recommend staying away from. Any digital file that contains links or other HTML features that connect to external servers can be exploited by sophisticated hackers who conduct espionage at the political, corporate or government levels. In the United States, law enforcement and intelligence agencies constantly look for encryption vulnerabilities that can be exploited for investigative purposes.

 

Dil Bole Oberoi