Popular encrypted e-mail standards unsafe

A group of security researchers have discovered "critical vulnerabilities" in the common email encryption tools PGP and S/MIME, prompting calls for users to disable email plugins until a fix is developed.

"Attacking S/MIME is straightforward and an attacker can break multiple (in our tests up to 500) S/MIME encrypted emails by sending a single crafted S/MIME email to the victim", they said in their paper. In practice, an attacker could leverage these issues to redirect components of an encrypted message decrypted by the email client towards their own server, revealing the actual plaintext behind the targeted e-mail. From there, the actor manipulates the ciphertext of the email. The flaw, named EFAIL, reportedly affects both sent and received messages, including past correspondence.

One of the researchers, Sebastian Schinzel, who runs the IT security lab at the Münster University of Applied Sciences, tweeted: "There are now no reliable fixes for the vulnerability".

Email users who use PGP (based on OpenPGP) and S/MIME to encrypt and decrypt their communications are at "immediate risk". As there are "currently no reliable fixes for the vulnerability", the researchers are advising users to immediately disable the encryption within individual email clients and use other methods to send their secure data for now. In contrast, mainstream email clients simply process and store your messages using plain text.

According to the ABA's 2017 Legal Technology Research Survey, 36.4 percent of responding firms and solo practitioners used some form of email encryption.

EFF recommends using Signal by Open Whisper Systems while the PGP vulnerability is being fixed.

Most details are available over on the official site, but researchers added that Apple Mail, iOS Mail and Mozilla Thunderbird are the worst affected as they have "even more severe implementation flaws allowing direct exfiltration of the plaintext that is technically very easy to execute". This is then encrypted with the sender's private "key" and decrypted by the receiver using a separate public key. Because the HTML rendering engine is enabled, the mail client treats the message body as a URL, encodes it, and sends the resulting request to the malicious actor's server, thereby leaking the message.
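The leak described above depends on the HTML engine fetching a remote resource when a message is displayed, so one check a mail gateway or client plugin can make is to list such automatic fetches before rendering. The sketch below is an added example, not code from the researchers or from any mail client; the function names, the tag/attribute table and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs a renderer fetches on display, without a click.
# Assumed list for illustration; a real client would cover more cases.
AUTO_FETCH = {
    "img": {"src"}, "link": {"href"}, "iframe": {"src"}, "script": {"src"},
    "video": {"src", "poster"}, "audio": {"src"}, "source": {"src"},
    "object": {"data"}, "embed": {"src"}, "input": {"src"},
    "body": {"background"},
}

def remote_host(value):
    """Host of an http(s)/ftp or //host URL, '?' if unparseable, else None."""
    try:
        parts = urlsplit(value.strip())
        host = parts.hostname
    except ValueError:
        return "?"  # fail closed: treat malformed URLs as remote
    if parts.scheme in ("http", "https", "ftp") or (not parts.scheme and parts.netloc):
        return host or "?"
    return None  # cid:, data:, mailto:, relative paths: no network fetch

class RemoteLoadFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (tag, attribute, host or None)

    def handle_starttag(self, tag, attrs):  # also called for <tag/>
        for name, value in attrs:
            if not value:
                continue
            host = remote_host(value) if name in AUTO_FETCH.get(tag, ()) else None
            if host:
                self.findings.append((tag, name, host))
            elif name == "style" and "url(" in value.lower():
                # Conservative: any CSS url() is reported, host not parsed.
                self.findings.append((tag, "style", None))

def remote_loads(html):
    """Scan the complete HTML body exactly as the renderer will receive it."""
    finder = RemoteLoadFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

def safe_to_render(html):
    return not remote_loads(html)

# Constructed sample body (not taken from a real message).
SAMPLE = ('<p>Hello</p><img src="https://tracker.example/p.png">'
          '<a href="https://example.org/">link</a><img src="cid:logo">'
          '<div style="background:url(//cdn.example/x.png)">x</div>')
```

A body for which `safe_to_render` returns `False` can be shown as plain text or with the listed attributes removed; ordinary links that require a click are deliberately not reported.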

Netizens took to Twitter to warn of major but not easily traceable PGP and S/MIME flaws that could be used to covertly defeat the encryption securing personal message exchanges.

In 2017, the ABA Standing Committee on Ethics and Professional Responsibility released Formal Opinion 477 on "Securing Communication of Protected Client Information". Long term, comprehensively patching this particular vulnerability will require an update to the underlying email encryption standards.

European researchers have found that the popular PGP and S/MIME email encryption standards, famously used by Edward Snowden, are vulnerable to being hacked, leading them to urge people using them to disable and uninstall them immediately.