Those who use PGP and S/MIME to send secure emails are being advised to cease using and disable the tools with immediate effect following a major security scare.
Researcher Sebastian Schinzel, a professor of computer security with Münster University of Applied Sciences, claims to have identified a security flaw that “might reveal the plaintext of encrypted emails, including encrypted emails sent in the past.” One of eight researchers from three European universities working on identifying the issue, he added that there is no fix right now.
The research itself is scheduled to be released in full at 7:00 a.m. UTC on Tuesday, but for now Schinzel is spreading word on Twitter while the EFF has also posted a warning after apparently seeing the findings in full.
“Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email,” the EFF wrote in a blog post, which offers tutorials on how to disable popular plug-ins for Thunderbird, Apple Mail and Outlook.
The EFF isn’t one to casually stoke fear without reason, so you’d be advised to follow its instructions until the full situation is revealed.
We’ll have more information once it is available.
Note: The original version of this article was updated to correct that the researchers are from three European universities, not three German universities.