Update #2: The Washington Post has this: The Cybersecurity 202: Security community has its own encryption debate after discovery of new flaw.
Update: “Don’t panic,” is the message of an EFF post published subsequent to my post below, but avoid using PGP, at least temporarily until more is known. And computer security blogger Graham Cluley says “the sky is not falling,” but consider taking some common-sense precautions.
Lawyers are often urged to use encryption to protect the confidentiality of email communications with clients. In May 2017, the American Bar Association issued a major ethics opinion saying that, in every case, lawyers should evaluate the need for “particularly strong protective measures” such as encryption.
But encryption is no longer a secure means of sending emails, after European security researchers this morning published a warning that they have discovered critical vulnerabilities in PGP/GPG and S/MIME email encryption that can reveal the text of encrypted emails, including encrypted emails sent in the past.
“Email is no longer a secure communication medium,” Sebastian Schinzel, a professor of computer security at Germany’s Münster University of Applied Sciences, told the German news outlet Süddeutsche Zeitung, as reported by Gizmodo.
The Electronic Frontier Foundation issued an alert this morning urging immediate disabling or uninstalling of tools that automatically decrypt PGP-encrypted email.
It also issued guides on how to temporarily disable PGP plug-ins in:
EFF says users should stop sending encrypted email and instead use alternative end-to-end secure channels, such as Signal, a free and open source program that allows secure text and voice messaging via desktop, Android and iOS.