
Email security is unsafe and cannot be easily fixed, researchers say

Even old messages could be exposed by the bug, say experts

Andrew Griffin
Monday 14 May 2018 14:08

The security used to protect emails so they can't be read is broken and cannot be reliably fixed, security researchers have revealed.

The major security flaw could reveal the contents not only of new emails but of those sent in the past, too. As such it undermines one of the central parts of privacy on the internet.

Experts including the Electronic Frontier Foundation have warned people to stop relying on encrypted email, either to send or to read messages. Instead, they should switch to other secure channels such as the messaging app Signal, the EFF said.

The problem was discovered in PGP and S/MIME, two popular technologies that are used to make sure that emails can only be read by the people sending and receiving them. Those methods have been advocated by privacy experts including Edward Snowden, as ways of sending messages that can't be intercepted.

Many people use the technology to ensure that sensitive information can't be read as it passes between users. It can be used with many of the biggest email clients – including Outlook and Apple Mail – but the EFF suggested that it should be removed from those programs until the problem is fixed.

“There are currently no reliable fixes for the vulnerability,” said lead researcher Sebastian Schinzel, professor of applied cryptography at the Muenster University of Applied Sciences. “If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now.”

Germany's Federal Office for Information Security (BSI) said in a statement that there was a risk that attackers could read the contents of someone else's email once the recipient had decrypted it to read on their own computer. But it said that the two protocols themselves were safe if they were used and updated properly.

The researchers who found the bug initially kept its details secret: they announced that they had found a problem with PGP but did not disclose the specifics until later. Some had initially feared that PGP itself had been broken – a development that would undermine much of the world's secure communications – but the newly discovered problem actually lies in the way the email clients themselves decrypt the messages.
