Encrypted Emails May Be Readable

In the first exploit, hackers can "exfiltrate" emails in plaintext by exploiting a weakness inherent in Hypertext Markup Language (HTML), which is used in web design and in formatting emails. While the researchers say each mail client vendor can come up with individual mitigations, they suggest that the underlying specifications for OpenPGP and S/MIME will need to be fixed over the long term. A team of European researchers has found critical flaws in the encryption standards, and there are no fixes available now. "They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past."

It's believed that the vulnerabilities exist in the email clients themselves, rather than the PGP encryption protocol.

That the vulnerability also affects S/MIME, however, may be more significant because S/MIME is much more widely deployed by businesses to secure their email communications.

Germany's Federal Office for Information Security (BSI) put out a statement saying there were risks that attackers could secure access to emails in plaintext once the recipient had decrypted them.

Sebastian Schinzel, one of the researchers, promised in a Tweet to provide more details of the vulnerabilities on May 15. Obviously, the URL's domain is controlled by the attacker to achieve this; "efail.de" in this example.

Another attack method that is detailed by the researchers is a relatively simple approach that exploits the interaction of HTML with S/MIME and OpenPGP.

Patching efforts from multiple vendors are now underway, but in the near term, there are multiple mitigation steps suggested by the researchers to help minimize the potential risk of exploitation via the Efail attack methods.

PGP works using an algorithm to generate a "hash", or mathematical summary, of a user's name and other information. "Disabling the presentation of incoming HTML emails in your email client will close the most prominent way of attacking Efail." The attacker would then have to get the sender or one of the receivers of the previously obtained message to open a new attacker-sent email. The Efail attacks rely on external communication, and if a user is decrypting emails in a standalone application, the risks are somewhat muted.

Users are advised to disable email encryption to prevent attackers from recovering past encrypted emails after the paper's publication. In the long term, comprehensively patching this particular vulnerability will require an update to the underlying email encryption standards.
