Tag Archive for: wednesday

It has been a bad week for encrypted messaging and it’s only Wednesday

The past three days have highlighted the potential perils that can threaten people who rely on desktop computers to send encrypted messages. The events—which involve encrypted email and the desktop versions of the Signal and Telegram messaging programs—should in no way discourage people from using encryption. They do, however, provide important teaching moments about the often-overlooked limitations of these apps. More about that in a moment. First, a review of the vulnerabilities.

Monday brought word of decade-old flaws that might reveal the contents of PGP- and S/MIME-encrypted emails. Some of the worst flaws resided in email clients such as Thunderbird and Apple Mail, and they offer a golden opportunity to attackers who have already intercepted previously sent messages. By embedding the intercepted ciphertext in invisible parts of a new message sent to a sender or receiver of the original email, attackers can force the client to leak the corresponding plaintext. Thunderbird and Mail have yet to be patched, although the Thunderbird flaw has been mitigated by an update published Wednesday in the Enigmail GPG plugin.

Also on Monday, a different team of researchers disclosed a vulnerability in the desktop version of the Signal messenger. It allowed attackers to send messages containing malicious HTML and JavaScript that would be executed by the app. Signal developers published a security update on Friday, a few hours after the researchers privately notified them of the vulnerability. On Monday, Signal developers issued a new patch after discovering over the weekend that the first one didn’t fully fix the bug. (The incompleteness of the patch was independently and more-or-less simultaneously found by the researchers.)

Biz & IT – Ars Technica

COL Financial gets Wednesday deadline for full report on ‘breach’ – Inquirer.net


Citing the notification, NPC said the team would look into the “likelihood of the threat and probable extent of a data breach, if any.” “Attached to the notification is a preliminary report giving additional details of what its breach response team has

data breach – Google News

The Upload: Your tech news briefing for Wednesday, June 17

Say it ain’t so: FBI probes alleged Cardinals-Astros hack

Even America’s pastime isn’t safe from cybercrime: the FBI is investigating allegations that the St. Louis Cardinals hacked into computer systems belonging to rival baseball team the Houston Astros. The investigation centers on the baseball operations database, which is said to contain statistics, video and other vital information about players.

Airbus joins the Internet satellite crowd

Count European consortium Airbus in on the business of delivering Internet service via satellites, the Verge reports. It’s going to design and build 900 orbiters for Richard Branson’s OneWeb, which aims to provide LTE, 3G, and Wi-Fi to rural communities.

Network World Security