Severe vulnerability related to PGP and S/MIME found in many mail clients, allowing the contents of the inbox to be read
PGP and S/MIME are well-known encryption protocols for enhancing e-mail security. Sebastian Schinzel, Professor of Computer Security at Münster College, and colleagues pointed out that the encryption protocols PGP and S/MIME are seriously vulnerable. This vulnerability is not a problem of the PGP and S/MIME protocols themselves, but lies in the software that implements them.
Attention PGP Users: New Vulnerabilities Require You To Take Action Now | Electronic Frontier Foundation
https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels
(PDF file) https://efail.de/efail-attack-paper.pdf
Critical PGP and S/MIME bugs can reveal encrypted emails-uninstall now [Updated] | Ars Technica
https://arstechnica.com/information-technology/2018/05/critical-pgp-and-smime-bugs-can-reveal-encrypted-e-mails-uninstall-now/
Researchers have found a vulnerability in two popular email encryption protocols - The Verge
https://www.theverge.com/2018/5/14/17351684/email-encryption-attack-thunderbird-apple-mail-malicious-code-vulnerable
The vulnerability reported this time exploits the way mail client software processes HTML mail. An attacker intercepts mail encrypted with PGP or S/MIME, inserts a malicious HTML tag, and sends it to an arbitrary destination. When the destination mail client reads this malicious HTML tag, the whole contents of the inbox are stolen by the attacker.
Mr. Schinzel, who pointed out the existence of this vulnerability, posted on Twitter: "All emails that were sent encrypted in the past may be revealed, and there is no way to fix this vulnerability. If you use PGP/GPG or S/MIME for highly sensitive communication, you should disable these plug-ins in your e-mail client." Users should refrain from using plug-ins that decrypt PGP- or S/MIME-encrypted mail.
If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now. @EFF's blog post on this issue: https://t.co/zJh2YHhE5q #efail 2/4
- Sebastian Schinzel (@seecurity) May 14, 2018
This vulnerability is said to depend largely on how each application is implemented rather than on the PGP and S/MIME protocols themselves. The table below shows the vulnerability of major mail client software, as compiled by Schinzel and the research team. Orange marks a client in which all of the inbox is read when the user opens the malicious mail, green is not vulnerable, and white is not yet supported. According to this table, most of the vulnerabilities exist in major mail clients such as Outlook and Thunderbird.
As measures to take until the vulnerability is resolved, the Electronic Frontier Foundation cites "disabling or uninstalling tools that decrypt PGP-encrypted e-mail" and "until this vulnerability is fixed, exchanging messages with a messenger application that performs end-to-end encryption, such as Signal, and temporarily stopping sending mail encrypted with PGP." Schinzel and colleagues' research team names disabling HTML mail as one effective measure, but warns that in the future mail may be read even if HTML mail is disabled.
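A triage check in the spirit of the measures above, as an added example that is not from the original article or the research team: it flags messages whose outer MIME structure carries an HTML part alongside PGP or S/MIME ciphertext, so they can be held back from an HTML-rendering client. The heuristic, the names `triage` and `build_sample`, and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# MIME types that mark PGP/MIME or S/MIME ciphertext.
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pgp-encrypted",
                   "application/pkcs7-mime", "application/x-pkcs7-mime"}
PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"  # marker of inline PGP in a text part


def triage(raw: bytes) -> dict:
    """Classify a raw message as 'plain', 'encrypted' or 'suspicious'.

    Assumed heuristic: HTML of a legitimately encrypted mail sits inside the
    ciphertext, so a cleartext HTML part next to ciphertext deserves review.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    encrypted, html_parts = [], 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ENCRYPTED_TYPES:
            # S/MIME signed-only blobs share the MIME type but are not ciphertext.
            if part.get_param("smime-type") != "signed-data":
                encrypted.append(ctype)
        elif part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            if PGP_ARMOR in body:
                encrypted.append("inline-pgp")
            if ctype == "text/html":
                html_parts += 1
    if encrypted and html_parts:
        verdict = "suspicious"  # cleartext HTML wrapped around ciphertext
    elif encrypted:
        verdict = "encrypted"
    else:
        verdict = "plain"
    return {"verdict": verdict, "encrypted": encrypted, "html_parts": html_parts}


def build_sample(html: bool, smime_type: str = "enveloped-data") -> bytes:
    """Constructed test message; the 'ciphertext' is placeholder bytes."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    if html:
        m.add_attachment("<p>constructed</p>", subtype="html", disposition="inline")
    m.add_attachment(b"placeholder", maintype="application", subtype="pkcs7-mime",
                     params={"smime-type": smime_type})
    return m.as_bytes()
```

The check only sees the structure before decryption, so it complements, and does not replace, disabling HTML rendering or the decryption plug-in.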