Critical PGP Vulnerability
EFF is reporting that a critical vulnerability has been discovered in PGP and S/MIME. No details have been published yet, but one of the researchers wrote:
We’ll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now.
This sounds like a protocol vulnerability, but we’ll learn more tomorrow.
Vincent Archer • May 14, 2018 9:45 AM
The details were increasingly discussed so the full disclosure has been advanced:
https://efail.de/ (includes general discussion and full paper)
There are two distinct attacks, a very basic one and a more sophisticated version. The table of vulnerable software at the end of the paper is important.