Uninstall PGP: EFF warns of exploit that may reveal plaintext of encrypted emails

European researchers claim to have found a vulnerability that could reveal the plaintext of encrypted emails, including emails sent in the past.
Written by Chris Duckett, Contributor

The Electronic Frontier Foundation (EFF) has said it has confirmed a set of vulnerabilities that have the potential to reveal the contents of email previously thought to be protected by PGP encryption.

EFF said in a blog post that users should disable or uninstall tools that automatically decrypt PGP-encrypted email until the flaw is patched.

"Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email," EFF said.

"Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email."

In a tweet, the Foundation especially warned users not to decrypt PGP-encrypted messages in mail clients.

The full details of the flaw are set for release at 7am UTC on Tuesday, which is 3am on the US eastern seaboard, midnight Pacific time, 5pm in Sydney, and 12:30pm in Mumbai.

One of the researchers who discovered the vulnerability said in a tweet that there are no reliable fixes for it.

The foundation has published guides for disabling PGP in Outlook (Gpg4win), Thunderbird (Enigmail) and Apple Mail (GPGTools).

Werner Koch of GnuPG said the warnings were "pretty overblown", and that GnuPG had not been contacted by the EFF.

"They figured out mail clients which don't properly check for decryption errors and also follow links in HTML mails. So the vulnerability is in the mail clients and not in the protocols," the GnuPG account tweeted.

"In fact OpenPGP is immune if used correctly while S/MIME has no deployed mitigation."
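What the GnuPG account describes, a client that checks the decryption result before doing anything with the plaintext and does not follow links in HTML mail, looks like this as an added example. It is not code from this page, from GnuPG, or from the researchers: the encryption is a constructed encrypt-then-MAC stand-in (an HMAC-SHA256 keystream plus an HMAC tag) that plays the role of OpenPGP's integrity check so the rendering gate has something real to verify, and the sample message body and the `remote.example` URL are made up for the demonstration.

```python
import hashlib
import hmac
import html
import secrets
from html.parser import HTMLParser


class IntegrityError(Exception):
    """Ciphertext failed authentication; the plaintext must not be shown or acted on."""


# Constructed stand-in for authenticated encryption (NOT OpenPGP): HMAC-SHA256 keystream
# for confidentiality, a separate HMAC tag over nonce||ciphertext for integrity.
def _subkeys(key: bytes):
    enc = hmac.new(key, b"example-enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"example-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_verified(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a modified or truncated blob never yields any plaintext."""
    if len(blob) < 16 + 32:
        raise IntegrityError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise IntegrityError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class RemoteContentStripper(HTMLParser):
    """Re-emits HTML with every attribute that would trigger a network fetch removed."""
    FETCH_ATTRS = {"src", "href", "background", "poster", "data"}

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.stripped = [], 0

    @staticmethod
    def _is_remote(value: str) -> bool:
        return value.strip().lower().startswith(("http://", "https://", "ftp://", "//"))

    def _attrs(self, attrs) -> str:
        kept = []
        for name, value in attrs:  # HTMLParser already lower-cases attribute names
            if value is not None and (
                (name in self.FETCH_ATTRS and self._is_remote(value))
                or (name == "style" and "url(" in value.lower())  # CSS background fetches
            ):
                self.stripped += 1
                continue
            kept.append(f" {name}" if value is None else f' {name}="{html.escape(value, quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(attrs)}/>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def render_encrypted_mail(key: bytes, blob: bytes):
    """Return (sanitised_html, stripped_count), or None when integrity fails.
    Plaintext reaches the renderer only after the tag verifies, and only with
    remote-fetching attributes removed, so nothing can be exfiltrated via a fetch."""
    try:
        plaintext = open_verified(key, blob)
    except IntegrityError:
        return None  # fail closed: show an error, never partial or unverified plaintext
    stripper = RemoteContentStripper()
    stripper.feed(plaintext.decode("utf-8", errors="replace"))
    stripper.close()
    return "".join(stripper.out), stripper.stripped


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    # Constructed sample: a decrypted HTML body carrying a remote image reference.
    body = b'<p>Quarterly numbers attached.</p><img src="https://remote.example/pixel.gif" alt="">'
    blob = seal(key, body)
    print(render_encrypted_mail(key, blob))
    damaged = bytearray(blob)
    damaged[20] ^= 0x01  # one flipped ciphertext byte: the gate returns None
    print(render_encrypted_mail(key, bytes(damaged)))
```

The gate returns `None` on any integrity failure rather than displaying whatever came out of decryption, which is the "properly check for decryption errors" half of the point; the stripper is the "don't follow links" half and is deliberately narrow, removing only attributes that fetch a URL, so a real client would still want a full allow-list HTML sanitiser and a policy of never loading remote content from decrypted mail.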

Robert Hansen of Enigmail said the call by the EFF was a "tempest in a teapot".

"We are not in the least bit worried. We wish the EFF had reached out to us before running with an alarmist article," Hansen said.

"tl;dr: as always, please use the latest Enigmail version, and do so with confidence."
