Convenience is often the enemy of security. OpenPGP offers end-to-end email encryption, and its authors are quick to point out their software is secure. But early today researchers announced a vulnerability in how PGP is used, which could expose email content in plain text.

Who Is Vulnerable?

Users who ignore best practices may be affected by the described attack. This includes: 1) upon receipt of encrypted email, decrypting it automatically in the email client, and 2) rendering HTML content in the email client.

An attacker with access to email (e.g. by eavesdropping on network traffic, compromising email accounts, or gaining remote access to a device) could add malicious code to an encrypted message. If the recipient's email client automatically decrypts the message to plain text, the malicious code collects that content and sends it to the attacker. This can be accomplished with a simple HTML image tag designed to load external content.

Keep It Simple

OpenPGP itself is not vulnerable to attack, but users who ignore best practices for the sake of convenience put themselves and their conversation partners at risk. As a general rule, we recommend users decrypt messages manually, or in an application other than their email client.

Published May 14, 2018

Update May 15, 2018

We reached out to SecureDrop to confirm their systems are not affected by the EFAIL vulnerability. Whistleblowers can continue to safely use their services.

We depend on the support of readers like you to fund research initiatives and product development.