PGP and S/MIME decryptors can leak plaintext from emails, says infosec Professor

Edward Snowden

PGP and S/MIME decryptors can leak plaintext from emails, says infosec Professor

The researchers have already contacted email service providers through the Electronic Frontier Foundation.

Users in dire need of using encryption to protect their communications channels were advised to use an instant messaging client that supports end-to-end encryption, the EFF recommended.

A more detailed explanation and analysis will be forthcoming once the research is formally released tomorrow, but the vulnerabilities are thought to affect both PGP and the S/MIME public key encryption standard.

Sebastian Schinzel, lead of the IT security lab at the Münster University of Applied Sciences, said the paper would be published ahead of a scheduled date later this week after the embargo was broken. A critical vulnerability has been exposed by some German researchers and they have tweeted that there are no fixes available, and their immediate suggestion is to stop using PGP altogether.

Werner Koch, principle author of GnuPG, described the issue as "overblown" by the EFF in a blog post today. By injecting malformed images or styling resources into encrypted plaintext, the attacker has a one in three chance of success at decoding the remainder of the target email.

Another way would be to use authenticated encryption via tools such as OpenPGP, he argued. "There is a real attack that can be exploited by people that allows them to decrypt a lot of encrypted email".

Though researchers are warning users of the seriousness of the vulnerability, many believe it is being hyped too much.

PGP or Pretty Good Privacy was developed in 1991 by Phil Zimmermann. The importance of email encryption went mainstream after whistleblower Edward Snowden revealed the extent of the USA government's electronic surveillance in 2013. "In fact OpenPGP is immune if used correctly while S/MIME has no deployed mitigation", the expert said.

In separate news, the researchers have come up with a new technology that could make hacking impossible. In cloning, hackers replicate nodes in a network, and then use it to exploit a vulnerability within that network. The core technology behind this chip is the memristor, or memory resistor.

US top court paves way for legalized sports betting
MI5 thwarting monthly terror attacks in UK, warns spy chief