The man credited with inventing PGP has teamed up with other key developers to assure users that the popular encryption program is not insecure, despite some reports to the contrary earlier this month.
Some outlets and the Electronic Frontier Foundation (EFF) mis-reported the findings of new research detailing several new ‘vulnerabilities’ in PGP and recommended users disable the service, they said.
The post late last week added the following:
“These statements are highly misleading and potentially dangerous. PGP is not broken. The vulnerabilities identified by eFail are not flaws with the OpenPGP protocol itself but rather flaws in certain implementations of PGP, including in Apple Mail, Mozilla Thunderbird, and Microsoft Outlook. Many other commonly used software based upon PGP are not affected by the eFail vulnerability in any way, as the researchers themselves point out in their paper.”
The authors of the post – including Phil Zimmerman and the developers of Enigmail, Mailvelope and ProtonMail – recommended users switch to PGP implementations that are not impacted by eFail, or update their PGP software to the latest version.
“Ensure that everyone you communicate with is also using unaffected implementations or has updated their PGP software,” they added. “Be sure to get a verified confirmation from your contacts before sending sensitive information to them.”
The quartet are particularly scathing of the EFF, claiming its advice for users to disable PGP plugins or stop using PGP altogether “is akin to saying, ‘some locks can be broken; therefore we must remove all doors’,” and therefore could put individuals at risk if they rely on PGP for security.
Infosecurity reported at the time that security experts had criticized the EFF’s warnings as “pretty overblown” and that OpenPGP tools would continue to function without any issues.
The other signatories are ProtonMail founder, Andy Yen, Enigmail founder Patrick Brunschwig and Mailvelope founder Thomas Oberndörfer.