Experts have warned of the danger to encrypt emails

15 May, 2018, 16:21 | Author: Devin Moran
  • PSA PGP and S  MIME are broken and leaking encrypted emails – stop using them right now

A post on EFF's website says that users of PGP, which stands for "Pretty Good Privacy", should "pause" their use until the vulnerability is fixed.

"We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC". Encrypting messages is still safer than not encrypting them-EFAIL basically just lets attackers read messages they've already compromised in some other way-but it's still not enough to truly protect the contents of those emails. By also including the Web address of an attacker-controlled server, the newly sent emails can cause the programs to send the corresponding plaintext to the server.

They continue that in their model, the attacker is able to collect end-to-end encrypted emails, either through a man-in-the-middle attack on the network, by accessing a SMTP server, by accessing the IMAP account on the server, or by some other means.

The security flaw may also also represent more of a problem with PGP implementation than any bug with the encryption standard.

Indeed, El Reg recommends opening PGP-encrypted emails in a text editor on a secured virtual machine, host, or container, depending on your level of paranoia, rather than allow encrypted HTML messages to be parsed and rendered.

According to the researchers, EFAIL affects clients that use a graphical user interface, including Thunderbird with Enigmail, Apple Mail with GPGTools and Outlook with Gpg4win.


"It's a lot of steps for sure, and one that honestly is more hypothetical than is it is unsafe", Dave Kennedy, the chief executive at security company TrustedSec, said. By injecting malformed images or styling resources into encrypted plaintext, the attacker has a one in three chance of success at decoding the remainder of the target email.

The researchers clearly state: "The Efail attacks require the attacker to have access to your S/MIME or PGP encrypted emails".

Experts contacted by the human rights organisation "electronic frontier Foundation", which has published instructions for disabling the encryption in the email. The PGP CFB gadget attack was assigned CVE-2017-17688, while the S/MIME CBC vulnerability was given CVE-2017-17689.

"This is bad because the people who use PGP use it for a reason", he told the BBC.

Anyone who actively wants their email communication to be secure and private - and uses common email security plugins - should take notice.

"EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages", the organization says in a blog post.

Recommended:



Popular

Wildcats selected to host NCAA regional, 14 seed in tournament
But, if Mississippi State can claim enough wins to take the regional, then they'll advance on to the Super Regional Round. The Lady Vols rebounded to close the regular season with four straight series victories.

Lars Von Trier's Trump-inspired horror sparks mass walkout at Cannes
Set in Washington in the 70s and 80s, it follows 12 years in the life of a "highly intelligent" serial killer . We experience the story from Jack's point of view, while he postulates each murder is an artwork in itself.

May challenges Trump on impact of Iran sanctions in phone call
The reduction is partially the result of hedging in anticipation of President Trump's withdrawal from the Iran deal. Brent crude oil closed on the day of that message at $74.06, compared with around $77.30 early Friday in NY .

White House Goes Silent on Remark about McCain
McCain was captured in the fall of 1967 and held as a prisoner of war spanning more than five devastating years. Sanders was asked repeatedly if President Trump bears responsibility for setting the tone in the White House.

Vulnerable Democrat announces support for Trump's controversial Central Intelligence Agency pick
He also said that Haspel had assured him she would be "responsive to Congressional oversight". Trump by the greatest margin, has also voiced his support for Haspel.

JERUSALEM | Israel calls on Syria's Assad to 'get rid' of Iranian forces
Israeli missiles were fired late on Tuesday at a target outside the capital, Damascus, Syria's state-run Sana news service said. A report in The Jerusalem Post says "Israel struck 50 Iranian targets in Syria after 20 rockets were fired towards Israel".

Franchises "Destroyed" By Post-Decision LeBron James
Rozier has shown flashes of being one of the team's primary scoring options, but has proven he is not the same player on the road. He did against Toronto and IN , shooting 55 percent from the floor and averaging 34 points per game IN each series.

Conte accepts Chelsea's UCL hopes fading fast
We spent a lot of energy against Liverpool . "But congratulations to Huddersfield, the players and the manager and the club, for them".

Netflix is interested in picking up Brooklyn Nine-Nine
Producer Universal Television had been in talks with Hulu to keep the series afloat, but the streaming service ultimately passed. It'd be a great business move for any network willing to take on this series for the right price.

BJP will win 130 seats in K'taka: Shah
Of them more than 2.52 crore aremen while roughly 2.44 crore are women and 4,552 transgenders. The EC today ordered postponement of polling to the Rajarajeshwari Nagar seat to May 28.