PGP and MIME security flaw found to reveal encrypted emails.
The two most used methods for encrypting email, PGP and S/MIME, have critical security flaws that can reveal the plaintext of encrypted messages. There are no reliable fixes and it is advised anyone who uses either encryption standard for sensitive communications to remove them immediately from email clients. The security flaws may reveal the plaintext of encrypted emails, including encrypted emails you sent in the past. There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for sensitive communication, you should disable it in your email client for now. Electronic Frontier Foundation has been in communication with the research team that found the flaw, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages
Little is publicly known about the flaws at the moment. The EFF blog post stated they will be disclosed late Monday night, California time in a paper written by a team of European security researchers. The research team members have been behind a variety of other important cryptographic attacks, including one from 2016 called Drown, which decrypted communications protected by the transport layer security protocol. Other researchers behind the PGP and S/MIME research include Damian Poddebniak, Christian Dresen, Jens Muller, Fabian Ising, Simon Friedberger, Juraj Somorovsky, and Jorg Schwenk. Besides Munster University, the researchers also represent Ruhr-University and KU Leuven University.
Given the track record of the researchers and the confirmation from EFF, it's worth heeding the advice to disable PGP and S/MIME in email clients while waiting for more details to be released Monday night. Ars will publish many more details when they are publicly available.