Email security is unsafe and cannot be easily fixed, researchers say

Even old messages could be exposed by the bug, say experts

Andrew Griffin
Monday 14 May 2018 09:08 EDT

The encryption used to protect emails from being read is broken and cannot be reliably fixed, security researchers have revealed.

The flaw could reveal the contents not only of new emails but of those sent in the past, too: an attacker who already holds an intercepted encrypted message can feed it to a vulnerable email client later. As such it undermines one of the central parts of privacy on the internet.

Experts including the Electronic Frontier Foundation have warned people to stop relying on encrypted email, whether to send or to read messages. Instead, they should switch to other secure channels such as the messaging app Signal, the EFF said.

The problem affects PGP and S/MIME, two popular technologies that are used to make sure that emails can only be read by the people sending and receiving them. Those methods have been advocated by privacy experts including Edward Snowden as ways of sending messages that cannot be read even if they are intercepted.

Many people use the technology to ensure that sensitive information can't be read as it passes between users. It can be used with many of the biggest email clients – including Outlook and Apple Mail – but the EFF suggested that it should be removed from those programs until the problem is fixed.

“There are currently no reliable fixes for the vulnerability,” said lead researcher Sebastian Schinzel, professor of applied cryptography at the Muenster University of Applied Sciences. “If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now.”

Germany's Federal Office for Information Security (BSI) said in a statement that there was a risk that attackers could obtain the contents of someone else's email once the recipient's email client had decrypted it on the recipient's own computer. But it said that the two protocols themselves remained safe if the software using them was configured correctly and kept up to date.

The researchers who found the bug initially withheld its details, announcing only that they had found a problem with PGP before publishing the specifics later. Some had initially feared that PGP itself had been broken, a development that would undermine much of the world's secure communications, but the problem is actually in how email clients handle a message after decrypting it, in particular whether they render the result as HTML and load remote content while doing so.
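The BSI statement and the closing paragraph place the problem in what a mail client does with a message after decryption rather than in PGP or S/MIME themselves. The following is an added example, not code from the article or from the researchers it quotes: a pre-render check that a mail client or a mail-filtering gateway could apply before showing a message as HTML. It assumes, since the article does not describe the mechanism, that the leak channel is an HTML-rendering client fetching remote resources after decryption. The two sample messages, the host attacker.example and the placeholder ciphertext are constructed for the example.

```python
# Added example, not code from the article or from the researchers it quotes.
# Pre-render check for a client that handles PGP/MIME or S/MIME mail.
# Assumption (the article does not describe the mechanism): the leak channel
# is an HTML-rendering client that fetches remote resources after decryption,
# so any message that references remote content is refused HTML rendering,
# and the check also reports whether ciphertext is present.
# The sample messages below are constructed; the ciphertext is a placeholder.
import re
from email import message_from_string
from email.message import Message

# Attribute values or CSS url() arguments pointing at http(s) or a
# scheme-relative host. cid: and data: references stay local and do not match.
REMOTE_REF = re.compile(
    r"""(?:\b(?:src|href|background)\s*=|\burl\()\s*["']?\s*((?:https?:)?//[^"'\s)>]*)""",
    re.IGNORECASE,
)

# Constructed: PGP/MIME (RFC 3156) message with no HTML part at all.
CLEAN = """\
From: alice@example.org
To: bob@example.org
Subject: quarterly report
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="enc"

--enc
Content-Type: application/pgp-encrypted

Version: 1

--enc
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(placeholder, not real ciphertext)
-----END PGP MESSAGE-----

--enc--
"""

# Constructed: the same encrypted part wrapped with an HTML part that
# references a remote image on an attacker-controlled host.
HOSTILE = """\
From: alice@example.org
To: bob@example.org
Subject: quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset="utf-8"

<html><body><p>Encrypted report attached.</p>
<img src="http://attacker.example/collect?id=1"></body></html>
--outer
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="enc"

--enc
Content-Type: application/pgp-encrypted

Version: 1

--enc
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(placeholder, not real ciphertext)
-----END PGP MESSAGE-----

--enc--
--outer--
"""


def has_encrypted_part(msg: Message) -> bool:
    """True if the message carries PGP/MIME or S/MIME enveloped data."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "multipart/encrypted":
            return True
        if ctype == "application/pkcs7-mime":
            if str(part.get_param("smime-type") or "").lower() == "enveloped-data":
                return True
    return False


def remote_refs(msg: Message) -> list:
    """Every remote URL referenced from a text/html part, in document order."""
    refs = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        raw = part.get_payload(decode=True) or b""
        try:
            html = raw.decode(part.get_content_charset() or "utf-8", errors="replace")
        except LookupError:  # unknown charset label: fall back to a 1:1 decoding
            html = raw.decode("latin-1")
        refs.extend(m.group(1) for m in REMOTE_REF.finditer(html))
    return refs


def check_message(raw_message: str) -> dict:
    """Decide whether the client may render this message as HTML."""
    msg = message_from_string(raw_message)
    refs = remote_refs(msg)
    return {
        "has_encrypted_part": has_encrypted_part(msg),
        "remote_refs": refs,
        # Refuse HTML rendering whenever remote content is referenced; when
        # ciphertext is present, this refusal is what keeps plaintext local.
        "render_html_ok": not refs,
    }


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("hostile", HOSTILE)):
        print(name, check_message(sample))
```

A message without HTML parts passes; one that carries ciphertext beside an HTML part referencing a remote resource is refused HTML rendering and should be shown as plain text, which has the same effect as turning off remote-content loading in the client.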
