For many years now, advertising a “public key” has been a badge of online savvy. The pages-long blocks of randomized text signify that a journalist or activist can send and receive encrypted messages using the Pretty Good Privacy, or PGP, technology.
But as links to public keys became as common as blue Twitter verification check marks, PGP’s magical cloak was pierced this month with research identifying ways hackers can decrypt messages that are supposed to be readable only by sender and recipient. The research also identified a vulnerability with S/MIME encryption used by the government and corporations.
The findings, dubbed “Efail” by the report’s authors, show novel ways that government spy agencies can defeat strong end-to-end encryption on the Internet. The broadening use of strong encryption has frustrated hackers, but it has also frustrated counterterrorism and criminal investigations.
The identified vulnerabilities also undermine a sense of security for journalist-source communications and among human rights groups that turned en masse to the technologies at the urging of privacy activists such as Edward Snowden.
It’s a wake-up call that some experts believe is overdue. “If you want confidential communications, you can’t use email, period,” said Nicholas Weaver, a computer science professor at the University of California at Berkeley, though he believes few people can exploit the vulnerabilities.
The Department of Homeland Security’s U.S. Computer Emergency Readiness Team said in a warning last week that the vulnerabilities affect email vendors from Apple to Microsoft and that the office “is currently unaware of a practical solution to this problem.”
One newly discovered vulnerability neuters PGP if a hacker can intercept an email and create an “exfiltration channel” that sends decrypted email plain text to a server controlled by the hacker.
A second vulnerability affects both PGP and S/MIME, which the government uses, through so-called “malleability gadgets.” These gadgets can defeat S/MIME and PGP protection by manipulating a captured message’s plaintext and then guessing small parts of the original message, which compromises the protection of the entire email.
Users can avoid risk by turning off automatic decryption functions on email platforms and plugins, and instead using a separate application to decrypt messages.
Report co-author Sebastian Schinzel, a computer security expert at Münster University of Applied Sciences, acknowledged “the challenge is to get access to the encrypted emails in the first place. So the attacker needs to break into your email account, email server, backups, etc.”
But, Schinzel said, “A skilled security expert should then be able to execute the attack.”
The vulnerability was shown to affect only some PGP email tools, but Schinzel said that doesn’t mean others are invulnerable. “In the future, researchers may find other vulnerabilities,” he added.
PGP has been around since the 1990s, but its use spread widely with browser plugins that eliminated the challenges of using decryption applications. Free email platforms such as ProtonMail automatically use PGP encryption on emails sent among their accounts.
Many email services, such as Google’s Gmail, offer encryption, but hold the keys, meaning that governments can demand the content or hackers can steal it from companies. In the U.S., authorities don’t need a warrant for emails older than 180 days. PGP, by contrast, allows users to hold the keys themselves. Plugins can add PGP protection to platforms such as Gmail.
In theory, PGP was nearly invincible. Snowden forced reporter Glenn Greenwald to learn how to use PGP before he would communicate, and in seeming proof of its power, a leaked top-secret document from 2012 declared “no decrypt available for this PGP encrypted message” sent between Yahoo accounts.
ProtonMail, which allows users to communicate among @ProtonMail.com accounts without the hassle of handling keys (communicating with non-ProtonMail accounts using PGP requires additional steps), pushed back on fear of the new research’s implications, declaring that “the media got it wrong (again)” and that “proper implementation of crypto matters.”
“If a vulnerability is discovered in your operating system, you don’t throw away your computer,” the company said. “Instead, you update it and patch it. When it comes to vulnerabilities in PGP implementations, the same principle applies.”
The big-picture takeaway remains unsettled.
Johns Hopkins University computer science professor Matthew Green said secure email “isn’t a fantasy, but vendors need to work a lot harder at it than they are now.”
Bruce Schneier, a prominent computer security expert, said PGP and other tools are “software written by human beings” and therefore likely to contain vulnerabilities. He noted that Microsoft routinely updates its software to improve security.
Still, Schneier said he recommends against using PGP. “I tell people, use Signal,” he said, referring to the end-to-end encrypted messaging app popular among smartphone users.
“You don’t have to figure it out. You can’t screw it up. It just works,” he said. “Email is a very complex thing. Signal is just a communications platform, so it’s much easier to secure.”