The vulnerability report, which came with its own website, efail.de, has attracted a lot of headlines such as the one below, along with recommendations to disable the usage of PGP plugins. This was not helped by the fact that until earlier today, the full details of the “vulnerability” were not disclosed to the community. However, now that the information is public and we have completed our analysis, we can say that these headlines are wrong, and recommendations to stop using PGP plugins are misguided. We have published our own recommendations below as well.
First, ProtonMail is not impacted by the Efail PGP vulnerabilities. This includes our web and mobile applications, and also our ProtonMail Bridge software for desktop. In the second part of this post, we have included a full technical analysis explaining why ProtonMail is not vulnerable.
It is equally important to state that, other than one minor exception (discussed later),