'Efail' exploit exposes popular email encryption schemes

Adjust Comment Print

It is one of the most trusted encryption programs used for signing, encryption, and decryption of private texts and emails.

After breaking the news on Twitter on Sunday night he added: "There are now no reliable fixes for the vulnerability".

The EFAIL vulnerabilities, which now have no software patch, "might reveal the plaintext of encrypted emails, including encrypted emails sent in the past", according to researchers. "The attack has a large surface, since for each encrypted email sent to n recipients, there are n + 1 mail clients that are susceptible to our attack", the abstract of the research paper reads.

Werner Koch of GnuPG, a popular provider of GPG encryption, said the vulnerability was not in the encryption protocols, but rather, in the email clients used to decrypt them. The attacker would have to have access to the encrypted emails to begin with, meaning that the victim's account would need to be compromised as a starting point. "However, the very goal of PGP or S/MIME encryption is the protection against this kind of attacker".

More details are to be published by the researchers on May 15 who recommend not using the two encryption tools until they are fixed.

Another attack method that is detailed by the researchers is a relatively simple approach that exploits the interaction of HTML with S/MIME and OpenPGP.

"If you use PG or S/MIME for sensitive information then this is a big deal", Matt Green, a professor specializing in encryption at Johns Hopkins University, told Ars on Monday.

"The Efail attacks abuse active content, mostly in the form of HTML images, styles, etc", the Efail site states. Hopefully affected vendors have been contacted in advance, so make sure that when the inevitable product updates and mitigation patches are pushed out you install them as quickly as possible.

Another short term fix that the security researchers suggest is that OpenPGP and S/MIME users decrypt emails, outside of their primary email client. A website has also been set up that advises PGP user to disable HTML renderings in emails sent via PGP as that will close the most prominent way of taking advantage of the vulnerability.

The team's leader researcher, Sebastien Schinzel, admitted that: "E-mail is no longer a secure communication medium". The flaw, named EFAIL, reportedly affects both sent and received messages, including past correspondence.