Published: Mon, May 14, 2018
Industry | By Jeannie Evans

Encrypted Emails May Be Readable

Encrypted Emails May Be Readable

Attackers having access to encrypted emails can use these vulnerabilities to exfiltrate emails in plaintext by embedding invisible snippets of text in new emails and getting email plaintexts open in on an attacker-controlled server.

Sebastian Schinzel, a professor of computer security at Münster University of Applied Sciences, claimed that the latest issues affecting tools that use PGP and S/MIME impact not just new emails but also exposes the encrypted emails sent in the past.

The new critical vulnerability is dubbed as EFAIL, and the researchers say that there is no permanent fix available now. They released their findings under the banner "Efail" in a paper published today.

The PGP encryption is mostly used by political activists, journalists, and whistleblowers as an extra layer of encryption.

Although further details on the encryption flaws were expected to go public by May 15th, they have leaked early.

Mikko Hypponen, a global security expert, pointed out that even if users follow the EFF advice this does not necessarily do anything to protect older email messages.

If you are asked for the admin password, enter it to confirm the action.

But on Monday, Munich newspaper Süddeutsche Zeitung appeared to break that embargo.

After changing an encrypted email in a particular way, attackers will send this modified encrypted email to the victim. Instead, the flaw is in various email programs that failed to check for "decryption errors properly before following links in emails that included HTML code".

The second vulnerability partially incorporates the first, and relies on an attacker being able to guess parts of the encrypted communication, which is generally possible due to the nature of the protocol involved.

Green already recommended not using PGP. "Poking through an OpenPGP implementation is like visiting a museum of 1990s crypto", he warned.

More details to come.

The Electronic Frontier Foundation -which researchers contacted to help them broadcast their message to a broader audience- has published tutorials on how to disable email encryption plugins. But the EFF did say this is a "temporary, conservative stopgap until the immediate risk of the exploit has passed and been mitigated against". They also advised users to stop using the encryption tools S/MIME and OpenPGP.

But some think the vulnerability warning is overblown. In one attack method, the researchers take advantage of Cipher Feedback Mode (CFB) in OpenPGP and Cipher Block Chaining (CBC) in S/MIME.

"Don't use HTML mails".

Like this: