A group of European security researchers has discovered vulnerabilities that could be exploited to "reveal the plaintext of encrypted emails," including those sent in the distant past, CSO reported.
With this in mind, users who rely on Pretty Good Privacy (PGP) plugins or S/MIME for sensitive communication are advised to disable them in their email clients. The Electronic Frontier Foundation, the nonprofit organization defending civil liberties in the digital world, has confirmed the report and approved the list of recommendations.
The critical flaws spotted in PGP and S/MIME have been named EFAIL. The attack essentially abuses the active content of HTML emails, externally loaded images or styles in particular, to retrieve plaintext by "hijacking" URLs.
Matthew Green, professor and all-around expert on cryptography, is one of the tech activists who fired off a series of tweets about EFAIL. He billed it as an "extremely cool attack and kind of a masterpiece in exploiting bad crypto, combined with a whole lot of sloppiness on the part of mail client developers." He not only shared details on how the attack works, but also gave his "golden tips" on how to prevent attacks from happening:
"The best way to prevent EFAIL attacks is to only decrypt S/MIME or PGP emails in a separate application outside of your email client. Start by removing your S/MIME and PGP private keys from your email client…Then disable HTML rendering," he wrote.
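Since the attack depends on the mail client fetching external content while rendering HTML, a defender can audit stored messages for exactly that. The Python below is an added example, not code from the article or the researchers; `RemoteRefFinder`, `remote_references` and the sample message are assumptions made for illustration. It lists every image, stylesheet or CSS `url()` reference in a message's HTML parts that a client would load from a remote host on display.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

REMOTE = re.compile(r"\s*(?:https?:)?//", re.I)      # absolute or scheme-relative URL
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)
URL_ATTRS = {"src", "href", "background", "poster", "data"}
CLICK_ONLY = {"a", "area"}                           # fetched on click, not on render

class RemoteRefFinder(HTMLParser):
    """Collect (tag, kind, url) for content a client would fetch while rendering."""
    def __init__(self):
        super().__init__()
        self.refs, self.in_style = [], False

    def handle_starttag(self, tag, attrs):
        self.in_style = tag == "style"
        for name, value in attrs:
            if name == "style" and value:            # inline CSS on any element
                self.scan_css(tag, value)
            elif name in URL_ATTRS and tag not in CLICK_ONLY and REMOTE.match(value or ""):
                self.refs.append((tag, name, value.strip()))

    def handle_endtag(self, tag):
        self.in_style = False

    def handle_data(self, data):
        if self.in_style:                            # body of a <style> element
            self.scan_css("style", data)

    def scan_css(self, tag, css):
        self.refs += [(tag, "css-url", u) for u in CSS_URL.findall(css) if REMOTE.match(u)]

def remote_references(raw_message):
    """Return remote references from every text/html part of a raw message."""
    msg = message_from_string(raw_message, policy=policy.default)
    finder = RemoteRefFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.refs

# Constructed sample message (not from the article); hosts use the reserved .invalid TLD.
SAMPLE = (
    'MIME-Version: 1.0\nContent-Type: text/html; charset="utf-8"\n\n'
    '<link rel="stylesheet" href="https://cdn.example.invalid/mail.css">'
    '<div style="background:url(//img.example.invalid/bg.png)">'
    '<img src="http://tracker.example.invalid/pixel.png"><img src="cid:logo">'
    '<a href="https://example.invalid/read">read</a></div>\n'
)
```

A message delivered or displayed as plain text yields an empty list, which is the effect the "disable HTML rendering" advice aims for.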