
PGP: Encryption Program Used by Edward Snowden 'Can Leak Secret Messages'


The cybersecurity community is bracing for impact after a team of researchers revealed on Sunday that critical vulnerabilities in the encrypted email program PGP (Pretty Good Privacy) could be exploited to expose secret messages in plain text.

Sebastian Schinzel, professor of computer security at Germany’s Münster University of Applied Sciences, alongside a team of eight researchers, revealed on Twitter that there are currently no stable fixes for the issues and said the software should not be used for sensitive communication until a patch is released. The Electronic Frontier Foundation (EFF), a digital liberties campaign group, released guides on how to temporarily disable PGP plug-ins in three email clients.

“We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past,” Schinzel tweeted, sparking immediate concern from users.

“There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now,” he added.

PGP, which scrambles the contents of sensitive messages and is believed to be one of the most secure methods of protecting private email communications, was once used by National Security Agency (NSA) whistleblower Edward Snowden to contact journalists.

In its blog post, the EFF wrote: “A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME.

“EFF has been in communication with the research team and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages. In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication. Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.”

The blog post concluded: “Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.”

Reacting to the news, Matt Blaze, a cryptography expert at the University of Pennsylvania, tweeted: “Our collective inability to design and deploy a useable secure email system at scale is one of the most embarrassing failures of the applied cryptography community.”

Edward Snowden speaks via video link during a news conference in New York City, U.S., September 14, 2016. REUTERS/Brendan McDermid
