Details on a New PGP Vulnerability

You might have seen some of the hullabaloo around the web about the discovery of a security flaw in PGP or S/MIME. According to Bruce Schneier, the vulnerability is not in the encryption itself; rather, the exploit is carried out in transit.

The vulnerability isn't with PGP or S/MIME itself, but in the way they interact with modern e-mail programs. You can see this in the two suggested short-term mitigations: “No decryption in the e-mail client,” and “disable HTML rendering.”

The suggested workaround is solid advice. Email has never been a sensible means for secure communication.

Why is anyone using encrypted e-mail anymore, anyway? Reliably and easily encrypting e-mail is an insurmountably hard problem for reasons having nothing to do with today's announcement. If you need to communicate securely, use Signal. If having Signal on your phone will arouse suspicion, use WhatsApp.