This week, security researchers released information about vulnerabilities in PGP email clients that could expose past or future content, even if it was encrypted, dubbing the flaw “Efail.” Please take the time to read this quick note about what the PGP email threat is and how to take action.
The Electronic Frontier Foundation, in a report this week, warned users of major email clients to disable or uninstall PGP plugins and switch to another secure communication method. The list of email clients includes Thunderbird with Enigmail, Mac OS, and Gpg4win for Windows.
There’s a robust discussion within the security community about the ramifications of this vulnerability and what users need to do in response. From our perspective, it’s best to be conservative and avoid using encrypted email until these issues are resolved.
Use Signal. Secure messaging services like Signal are easier, more common, and therefore more reliable, than encrypting email. If you’re sending sensitive information, do it in a secure message instead of an email.
For now, disable PGP in your mail app. EFF suggests disabling PGP email clients to prevent them automatically decrypting messages, which could make the content vulnerable. As the EFF says, this is “a temporary, conservative” stopgap. It does not mean that PGP encryption is insecure, or that you should send sensitive information in an unencrypted email.
Consider your personal threat model. If you are at high risk of sophisticated, targeted attacks on encrypted email content, the conservative stopgap of disabling PGP is particularly important.
If you choose to continue using email, encrypting it using PGP is still much better than not encrypting it at all. But do the following:
Update! Make sure all the software you are running is up to date. Install new updates immediately. (You’ll be doing this anyway if you’ve read Umbrella’s malware lesson.)
Use plain text only. Viewing emails as HTML should be disabled or unchecked (in Thunderbird, that’s done by going to View > Message Body As > Plain Text). That’s because the attack assumes a hacker can already access your encrypted email, and add in HTML code that pulls in some content, like images, from a remote server. That change could let them see the entire email without encryption if the email client has not implemented the right update yet.
Don’t load remote content. Check the settings in your email client for an option to disable “Load remote content in messages.”