EFAIL … it is the reason you should stop using Pretty Good Privacy (PGP) plug-ins to decrypt your email, according to a group of researchers who discovered vulnerabilities that could be exploited to “reveal the plaintext of encrypted emails, including encrypted emails sent in the past.”

EFAIL is what the researchers call the critical flaws in PGP and S/MIME. Sebastian Schinzel, professor of computer security at the Münster University of Applied Sciences, warned, “There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now.”

The EFF confirmed the vulnerabilities before urging users to take action now:

Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.

The EFF released three how-to guides for temporarily disabling PGP plug-ins in Thunderbird with Enigmail, Apple Mail with GPGTools and Outlook with Gpg4win.

Robert Hansen of Enigmail called it a “tempest in a teapot,” adding that he wished “the EFF had reached out to us before running with an alarmist article.”

The researchers had not intended to fully release the details just yet, but the Suddeutsche Zeitung newspaper broke an embargo to publish the “scoop.” Shortly thereafter, the researchers made the EFAIL website live, as well as their research paper titled, Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels (pdf).

How attackers exploit EFAIL

The European researchers, who devised “working attacks for both OpenPGP and S/MIME encryption,” wrote:

In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.

The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim’s email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.

Matthew Green, professor and all-around expert on cryptography, fired off a series of tweets about EFAIL. He called it an “extremely cool attack and kind of a masterpiece in exploiting bad crypto, combined with a whole lot of sloppiness on the part of mail client developers.”

The real news here is probably about S/MIME, which is actually used in corporate e-mail settings. Attacking and modifying encrypted email stored on servers could actually happen, so this is a big deal. 4/
— Matthew Green (@matthew_d_green) May 14, 2018

Green noted the debate over it not being a PGP issue, but a mail client issue before adding:

So let me just cut through some of that. If you were using GnuPG on the command line and checking your error results, it’s absolutely true that you’re fine. If you’ve been using (one of several) GUI clients with PGP encryption, you were anything but fine. 7/
— Matthew Green (@matthew_d_green) May 14, 2018

How to prevent EFAIL attacks

As for mitigations, the researchers advised several strategies to prevent EFAIL attacks:

Short term: No decryption in email client. The best way to prevent EFAIL attacks is to only decrypt S/MIME or PGP emails in a separate application outside of your email client. Start by removing your S/MIME and PGP private keys from your email client, then decrypt incoming encrypted emails by copy&pasting the ciphertext into a separate application that does the decryption for you. That way, the email clients cannot open exfiltration channels. This is currently the safest option with the downside that the process gets more involved.

Short term: Disable HTML rendering. The EFAIL attacks abuse active content, mostly in the form of HTML images, styles, etc. Disabling the presentation of incoming HTML emails in your email client will close the most prominent way of attacking EFAIL. Note that there are other possible backchannels in email clients which are not related to HTML but these are more difficult to exploit.

Medium term: Patching. Some vendors will publish patches that either fix the EFAIL vulnerabilities or make them much harder to exploit.

Long term: Update OpenPGP and S/MIME standards. The EFAIL attacks exploit flaws and undefined behavior in the MIME, S/MIME, and OpenPGP standards. Therefore, the standards need to be updated, which will take some time.