[Companion-announce] On PGP
soraya at eff.org
Mon May 14 09:55:01 PDT 2018
Many of you likely received the email from my colleague, Danny, at 11pm
last night. In case you haven't, I wanted to include it below. Please
pass it on in your networks—we're worried that folks who need PGP most
may be exposed to this vulnerability.

I've also included a link to our newest blog post that goes into the
vulnerability in depth:

My colleagues and I are hustling on explainers for what to do about
E-Fail within the next day. Check our site soon.

Hope you all are well,

A group of European security researchers have released a warning about a
set of vulnerabilities affecting users of PGP and S/MIME. EFF has been
in communication with the research team, and can confirm that these
vulnerabilities pose an immediate risk to those using these tools for
email communication, including the potential exposure of the contents of

The full details will be published in a paper on Tuesday at 07:00 AM UTC
(3:00 AM Eastern, midnight Pacific). In order to reduce the short-term
risk, we and the researchers have agreed to warn the wider PGP user
community in advance of its full publication.

Our advice, which mirrors that of the researchers, is to immediately
disable and/or uninstall tools that automatically decrypt PGP-encrypted
email. Until the flaws described in the paper are more widely understood
and fixed, users should arrange for the use of alternative end-to-end
secure channels, such as Signal, and temporarily stop sending and
especially reading PGP-encrypted email.

Please refer to these guides on how to temporarily disable PGP plug-ins in:

Thunderbird with Enigmail:
Apple Mail with GPGTools:
Outlook with Gpg4win:

These steps are intended as a temporary, conservative stopgap until the
immediate risk of the exploit has passed and been mitigated against by
the wider community.

We will release more detailed explanation and analysis when more
information is publicly available.

Please feel free to forward this message to those who may be affected.

Electronic Frontier Foundation
Learn more about digital security at https://ssd.eff.org/.
Want to teach digital security? Check out the Security Education Companion at https://sec.eff.org/.
Check out tools for encrypting the web at https://www.eff.org/encrypt-the-web