Old vulnerabilities in PGP and S/MIME, two widely used email encryption methods, make it possible for attackers to view and capture the text of encrypted messages. A team of German and Belgian researchers posted their findings on the exploit for these vulnerabilities, which they dubbed EFail.
The researchers have highlighted how email encryption is necessary not just for users’ privacy, but also for the security of those who use it. Extreme examples would be journalists and activists whose safety depends on private avenues of communication. With this exploit, attackers can extract the plaintext of encrypted messages, which is the worst-case scenario for the privacy-conscious users of encrypted email.
According to the researchers, the attacker has to have access to an encrypted email and then modify how the email client handles HTML elements. They then send the modified encrypted email to its intended recipient. Once the victim’s email client decrypts the email and loads external components (like images and multimedia), the plaintext of the message can be sent to the attacker.
The researchers tested 35 S/MIME email clients and found that EFail affected 25. It affects 10 out of 28 OpenPGP clients as well. Apple Mail, iOS Mail, and Mozilla Thunderbird had more severe implementation flaws that were identified and detailed in the report. To definitively show that these attacks can be executed, the researchers also uploaded demonstration videos showing how an attacker could exploit vulnerable email clients.
Suggested mitigation tactics and solutions
The research team suggested different mitigation strategies for those using clients vulnerable to EFail. The strategies include short-term solutions like disabling the encryption on your email client and using a separate program outside the mail client to perform the encryption, as well as simply waiting for updates to the PGP and S/MIME standards. The Electronic Frontier Foundation (EFF) has also recommended disabling or uninstalling tools that automatically decrypt PGP-encrypted email, and posted how-to guides for the different mail clients on their site. Some experts said that disabling encryption may be an overreaction; other available email clients are unaffected by the flaw.
The researchers disclosed their findings to the affected clients. So far, Apple and the Thunderbird Council, which maintains Mozilla’s email app, have plans to patch the vulnerabilities within the week. Users should remember to update their applications regularly, especially those that manage valuable communications and data. Patching is an important part of maintenance and security that protects users against most known vulnerabilities and exploits.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.