Hackers have a better chance of getting into encrypted email than previously thought, according to a new paper released Monday by a team of European cybersecurity researchers.
Efail, as the vulnerability is called, potentially breaks OpenPGP and S/MIME, two widely used end-to-end email encryption technologies, exposing the plaintext of encrypted messages.
The vulnerability, according to the paper, is a threat to journalists, political activists and others who rely on encrypted email to protect them from the prying eyes of government intelligence agencies.
The Electronic Frontier Foundation recommends that people “immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.” It provided instructions for disabling PGP plug-ins in Thunderbird, Apple Mail and Outlook.
In addition, the researchers recommended people “use alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted mail.”
The makers of secure email service ProtonMail said their service is not subject to the vulnerability and spoke out against the manner in which the issue was disclosed.
Efail is a prime example of irresponsible disclosure. There is no responsibility in hyping the story to @EFF and mainstream media and getting an irresponsible recommendation published (disable PGP), ignoring the fact that many (Enigmail, etc) are already patched.
— ProtonMail (@ProtonMail) May 14, 2018
Cybersecurity experts were still assessing the scope of the threat Monday morning, and the EFF called the safety measures a “[temporary, conservative stopgap] until the immediate risk of the exploit has passed and been mitigated against by the wider community.”