If you’re using encrypted email (PGP and S/MIME) to exchange sensitive data with others, you should consider other alternatives until you hear they’re safe again. A security flaw would allow attackers to turn encrypted emails into plaintext.
For the time being, there’s no fix, so your best bet is to remove these encryption standards from your email communications.
Security researchers in Europe discovered the security flaws, posting on Twitter about the issue.
We’ll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4
— Sebastian Schinzel (@seecurity) May 14, 2018
Sebastian Schinzel, professor of computer security at Münster University of Applied Sciences, said the flaws “reveal the plaintext of encrypted emails, including encrypted emails you sent in the past,” which sounds just as scary as you imagine.
The Electronic Frontier Foundation (EFF) published a blog post on the matter, saying that it can confirm “these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.”
The full details will be published in a paper on Tuesday morning (European time), so you have some time to act:
Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.
The EFF also published guides on disabling PGP plugins in Thunderbird, Apple Mail, and Outlook.
As Ars Technica explains, the threat is real and should be dealt with accordingly until a permanent fix is in place.