OpenPGP is the most widely used email encryption standard. It is defined by the OpenPGP Working Group of the Internet Engineering Task Force (IETF) as a Proposed Standard in RFC 4880.

Cure53 conducted a penetration test on OpenPGP (2014). This penetration test was carried out and coordinated by four testers and yielded an overall of 26 issues. Among these findings, Cure53 has classified 12 as vulnerabilities, with 2 issues rated ‘critical’ in regards to their severity.

This penetration test took an entirety of 15 days and was carried out and coordinated by four testers of Cure53. Part of the test was to check the code quality and seek for common JavaScript implementation pitfalls. Other components included close study of documents, such as RFC 4880 for OpenPGP, RFC 3447 for RSA, or FIPS 186-4, all guided by the efforts to validating the implementation. The test also compared code with other implementations of OpenPGP (e.g. GnuPG / libgcrypt, Bouncy Castle), as well as popular cryptographic libraries (openssl, polarssl). While interoperability issues and implementation completeness have been tested, focus has been put on possible vulnerabilities.

The full report and summary of findings can be found below.