Vulnerability Warning Affecting PGP and S/MIME

"immediately disable and/or uninstall tools..."

         

engine

1:58 pm on May 14, 2018 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



PGP and S/MIME vulnerability could mean email content is exposed. A paper is being published on Tuesday explaining details, and early notification today helps to reduce the short term risk.

The warning indicates users should stop using these tools and use an alternative until suitable solutions are found.


is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.

Vulnerability Warning Affecting PGP and S/MIME [eff.org]

keyplyr

9:37 am on May 15, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



So use GPG instead? Just curious. I'm not encrypting email myself.

motorhaven

3:02 am on May 16, 2018 (gmt 0)

10+ Year Member Top Contributors Of The Month



Per the linked article, it includes GPG.

keyplyr

3:15 am on May 16, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



All I saw was the warning to disable PGP plugins if you use Apple Mail with GPGTools and Outlook with Gpg4win. I use neither, but have worked in the past with GPG as a stand alone encryption tool with mail servers.

So still wondering if the vulnerability found in Symantec's proprietary PGP affects the open source GPG. They're not the same.

It's highly likely both are affected, but as I said above, just curious (thinking about contacting a couple people.)

motorhaven

3:31 pm on May 16, 2018 (gmt 0)

10+ Year Member Top Contributors Of The Month



I use Enigmail in Thunderbird, and it requires GPG to be installed.

bill

5:36 am on May 22, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Turns out this wasn't such a big deal for PGP itself. It was more of an implementation issue by the e-mail clients and the plug-ins, according to the GnuPG people [lists.gnupg.org...]
The countermeasure Werner mentions is called a Modification Detection
Code, or MDC. It's been a standard part of GnuPG for almost eighteen
years. For almost all that time, any message which does not have an MDC
attached has caused GnuPG to throw up big, clear, and obvious warning
messages.

Of course the mail client and plug-in vendors are now asking why such a longstanding, well-known issue wasn't addressed in GnuPG itself...

S/MIME on the other hand is turning out to be a big issue.
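Added example, not part of the original thread and not code from GnuPG or any mail plug-in: a sketch of the check a mail client could make on the MDC result mentioned in the last post before displaying decrypted text. It assumes the machine-readable status lines that `gpg --status-fd` emits (`DECRYPTION_INFO <mdc_method> <sym_algo> [<aead_algo>]`, `DECRYPTION_OKAY`, `DECRYPTION_FAILED`, `BADMDC`) as described in GnuPG's doc/DETAILS; the function names and the sample status output are constructed for illustration.

```python
PREFIX = "[GNUPG:] "

# Constructed status output for three cases (not captured from a real run).
SAMPLE_GOOD = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION"""
SAMPLE_NO_MDC = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 0 3
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION"""
SAMPLE_BAD_MDC = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] BADMDC
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION"""

def parse_status(text):
    """Return (keyword, args) for every status line; ignore other output."""
    events = []
    for line in text.splitlines():
        if line.startswith(PREFIX):
            parts = line[len(PREFIX):].split()
            if parts:
                events.append((parts[0], parts[1:]))
    return events

def safe_to_render(status_text):
    """Decide whether buffered plaintext may be shown. Returns (ok, reason).

    The caller must hold the plaintext back until this returns ok, because
    gpg can write output before the integrity check has finished.
    """
    events = parse_status(status_text)
    seen = {kw for kw, _ in events}
    if "BADMDC" in seen:
        return False, "MDC check failed"
    if "DECRYPTION_FAILED" in seen:
        return False, "decryption failed"
    if "DECRYPTION_OKAY" not in seen:
        return False, "no DECRYPTION_OKAY status"
    infos = [args for kw, args in events if kw == "DECRYPTION_INFO"]
    if not infos:
        return False, "no DECRYPTION_INFO status"
    for args in infos:
        mdc = args[0] if args else "0"
        aead = args[2] if len(args) > 2 else "0"
        if mdc == "0" and aead == "0":  # neither MDC nor AEAD was used
            return False, "no integrity protection (no MDC)"
    return True, "integrity protected"
```

The second sample is the case the quoted GnuPG post is about: a message with no MDC can still decrypt, so a client that only checks for success and ignores the warning shows unauthenticated plaintext.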