“European researchers have found that the popular PGP and S/MIME email encryption standards are vulnerable to being hacked and they urge users to disable and uninstall them immediately,” Douglas Busvine reports for Reuters. “University researchers from Muenster and Bochum in Germany, and Leuven in Belgium, discovered the flaws in the encryption methods that can be used with popular email applications such as Microsoft Outlook and Apple Mail.”
“‘There are currently no reliable fixes for the vulnerability,’ lead researcher Sebastian Schinzel, professor of applied cryptography at the Muenster University of Applied Sciences, said on Monday. ‘If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now,'” Busvine reports. “Titling the exploit ‘Efail https://efail.de’, they wrote that they had found two ways in which hackers could effectively coerce an email client into sending the full plaintext of messages to the attacker.”
“In a blog post, the EFF recommended that PGP users uninstall or disable their PGP email plug-ins while the research community evaluates the seriousness of the flaws reported by the European research team,” Busvine reports. “It also said that users should switch for the time being to non-email-based secure messaging apps such as Signal for sensitive communications.”
Read more in the full article here.
MacDailyNews Take: Mac users of PGP-encrypted email should immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. iOS users should disable “Load Remote Images” in Mail settings. See the article below for more details.
SEE ALSO:
How to protect yourself from the EFAIL vulnerability on Mac and iOS – May 14, 2018
As 9to5 Mac has pointed out:
Security flaws found in Apple Mail can reveal encrypted email as plaintext
If you are worried about being targeted by this, you can disable the loading of remote content as a mitigation
In Apple Mail…
ONCE, just once, I would love to see a press release showing that somebody inside Apple discovered and fixed a security flaw in internet standards before other companies discover them.
But under Cook, I doubt it will happen. Apple isn’t setting new standards, they are complacent and using what always worked, never going back to improve or uncover flaws in what they have done in the past. Apple doesn’t do continuous innovation.
Apple releases a piece of software, makes only the most minor updates belatedly to emulate features that Snap or Facebook or Google offer first, and then suddenly pull the plug and offer a less capable iOSified version of the software. Not only are the interfaces increasingly hard to use (Mail, iTunes, Photos, or Music in iOS, etc), but it doesn’t feel like Apple is truly walking the talk with regard to security. If Apple did, then the Apple Mail program would be improved and Apple wouldn’t be relying on Derek to inform users how to secure the program!!! Frankly, Apple does a horrid job of explaining to users how to set up its programs and get the most out of the hidden undocumented features, let alone alerting users when the much-hyped Apple security advantage evaporates into thin air. Apple software today feels no better than Microsoft on average. If you don’t believe it, do an honest direct comparison for yourself. That’s how badly Apple has degraded.