PGP vulnerabilities

The Electronic Frontier Foundation (EFF) and a group of European security researchers have issued a warning about a set of vulnerabilities that affect PGP and S/MIME.

If exploited, the vulnerabilities could pose a risk to organizations that use encryption tools for email communications. Threats include exposure of the contents of current or past messages.

EFF issued guidance to users in a blog post on Sunday: 

“Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.”

More details will be released Tuesday, but organizations should deploy short-term stopgap measures until permanent fixes for the vulnerabilities are made available.