A group of European researchers supposedly found a set of vulnerabilities in PGP and S/MIME. You can read the full report at efail.de.

However, we need to get a few facts straight:

  • PGP is not broken
  • Only one type of PGP email is vulnerable (Secure Email doesn’t support it)
  • Secure Group does not use S/MIME
  • Even with this discovery, do not disable PGP. You are still far safer with it.

To exploit the vulnerability, an attacker needs to send you an email with embedded external content (like an image) and a PGP block. An email client with PGP enabled that automatically downloads external content would then send the decrypted version of that PGP block to the external host.

Secure Email does not support embedded external content, so this attack would simply not work.

This is still an issue that needs to be fixed in clients that support this type of PGP email. But this group of researchers and the journalists reporting on Efail are not serving anyone by exaggerating the magnitude of the issue.

Email users are still far safer using PGP. Users should NOT, in any case, disable PGP, but they should always disable automatic downloading of external content.
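
The condition described above (a PGP block arriving together with HTML that makes the client fetch external content) can be checked for at a mail gateway or in triage. The following is an added example, not code from Secure Group or the Efail report; the function and class names are illustrative and the sample message is constructed with placeholder data.

```python
import email
from email import policy
from html.parser import HTMLParser

AUTO_ATTRS = {"src", "background", "poster"}  # attributes fetched on render
REMOTE = ("http://", "https://", "//")
PGP_MARKER = "-----BEGIN PGP MESSAGE-----"

class RemoteRefFinder(HTMLParser):
    """Collects (tag, url) pairs that a client would load automatically."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            auto = name in AUTO_ATTRS or (tag == "link" and name == "href")
            if auto and value and value.strip().lower().startswith(REMOTE):
                self.refs.append((tag, value.strip()))

def scan(raw: bytes) -> dict:
    """Flag a message that carries PGP content and remote-loading HTML."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    finder, has_pgp = RemoteRefFinder(), False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "application/pgp-encrypted":  # PGP/MIME control part
            has_pgp = True
        elif part.get_content_maintype() == "text":
            body = part.get_content()
            has_pgp = has_pgp or PGP_MARKER in body  # inline PGP
            if ctype == "text/html":
                finder.feed(body)
    finder.close()
    return {"pgp": has_pgp, "remote_refs": finder.refs,
            "risky": has_pgp and bool(finder.refs)}

# Constructed sample: placeholder PGP block plus an ordinary remote image.
SAMPLE = b"\n".join([
    b'Content-Type: multipart/mixed; boundary="b1"', b"",
    b"--b1", b"Content-Type: text/plain", b"",
    b"-----BEGIN PGP MESSAGE-----", b"(placeholder, not real ciphertext)",
    b"-----END PGP MESSAGE-----",
    b"--b1", b"Content-Type: text/html", b"",
    b'<p>Hello</p><img src="https://example.invalid/logo.png">',
    b"--b1--", b""])

if __name__ == "__main__":
    print(scan(SAMPLE))
```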
