‘Pretty good’ is not good enough. The PGP (Pretty Good Privacy) software package that provides end-to-end encryption for emails has been found to be vulnerable. However, according to Phil Zimmermann, creator of PGP and cryptography teacher for the Cyber Security master at TU Delft, we shouldn’t be alarmed – this was only an academic experiment and the problem can be fixed.
Share
PGP was created in 1991 as a human rights tool to communicate safely. This encryption system is widely used by journalists and activists, but also by several companies. Now researchers from the IT Security Lab at the Münster University of Applied Sciences (Germany) have found a security bug, dubbed E-Fail, that makes it possible to reveal the content of encrypted emails.
How serious is the threat?
“I don’t think we should panic and head for the exits. It is not an attack on cryptography itself and I don’t think anybody did this attack in the wild. This was an academic paper, they discovered this vulnerability and proved it.”
How does the attack work?
“In the early days of email, everything looked like it was typed on a typewriter, but now emails can have embedded pictures, fancy fonts, italics, and underlines. This works with HTML notation, so to show an embedded photo in the body of the message for example, there is a directive that says ‘get this file from a server and display it right here’.
Now, suppose I send you an encrypted message that you can decrypt, but somebody intercepts the message and modifies it before it reaches you. They put a directive at the start of the message saying ‘fetch the following file name from the server’, and what follows is the whole message. When you receive it and automatically decrypt it, the directive will give the order to send the text to a server masquerading as a file name. It does not break the cryptography, it steals the message after it has been decrypted.”
‘Most people don’t even use email encryption’
Can it be fixed?
“I actually watched a Dutch company fix its mail software when it got news about this, and they did it all in one day. There are a lot of platforms and some of them are not too careful about what happens with the HTML, but I hope they will fix it.”
It’s been written that anyone using PGP should stop immediately and uninstall the plugins until it is completely fixed by all mail platforms. Is this your advice too?
“No, uninstalling PGP is extreme. I would recommend disabling HTML and then checking if your mail platform was affected and has fixed the problem.”
PGP was created 25 years ago. Do you think there is a need for a new encryption system, or is PGP still good and up to date?
“For email encryption, PGP is your best bet. There have been occasional security bugs, but not very often compared to other software. The reason why everybody makes such a big deal of this vulnerability is that PGP is held to a high standard. Both S/MIME (a similar protocol used in Microsoft products) and PGP are affected by the exact same vulnerability and PGP has some mechanisms built in that make the attack more difficult. The biggest competitor of PGP is nothing. Most people don’t even use email encryption.”
Should we all use encryption on our emails?
“Yes, we should do it for the people who really need to encrypt their messages. What if everybody sent postcards and nobody used envelopes except when it was really important? Anytime someone used an envelope it would draw suspicion. So it is better if everyone uses envelopes, if everybody encrypts their emails.”
What other channels would you recommend for secure communications?
“A lot of people today use text messaging. Some products like WhatsApp and Signal have encryption and are a way to communicate securely. But there is still a need for encrypted email, and that is what PGP is for.”
Maria Rubal / science editor
Comments are closed.