Disable email encryption tools immediately, say researchers who found 'critical vulnerabilities'

The researchers meant to hold off on full publication until Tuesday, May 15, though the white paper was published earlier due to the embargo being broken.

In the short term, the researchers and the Electronic Frontier Foundation (EFF) recommend users disable PGP plugins and use non-email based messaging platforms to decrypt messages until a long-term solution is developed.

The critical vulnerability, dubbed EFAIL by Professor Sebastian Schinzel of Germany's FH Münster University of Applied Sciences, exposes encrypted emails in plaintext, even for messages sent in the past.

Werner Koch, the principal author of the cryptographic software GNU Privacy Guard, called EFF's warnings about the vulnerability "pretty overblown".

Whistleblowers, political activists and others who depend on encrypted email could all be compromised by the bug, the researchers said in a blog post. PGP has been a popularly adopted standard for email encryption.

The second vulnerability partially incorporates the first, and relies on an attacker being able to guess parts of the encrypted communication, which is generally possible due to the nature of the protocol involved.

Users are advised to disable email encryption to prevent attackers from recovering past encrypted emails now that the paper has been published.

Titling the exploit "Efail", they wrote that they had found two ways in which hackers could effectively coerce an email client into sending the full plaintext of messages to the attacker.

The client used by the target decrypts the email and loads external content that transmits the plaintext message to the attacker.

So clients like Apple Mail, iOS Mail and Mozilla Thunderbird would treat the emails as HTML instead of as an encrypted message, and display them as one plaintext email instead of three hashed messages.
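The exfiltration path described above only completes if the client fetches an external resource after decrypting the message. As an added illustration (not code from the article, the researchers or any mail client), the following Python filter shows the defensive side of that observation: it walks an HTML mail body before rendering, drops or neutralises every attribute and CSS `url()` that would trigger a network fetch on display, and returns the list of references it blocked so they can be logged. All names, the sample message and the `example.test` hosts are constructed for this example.

```python
"""
Added example (not from the article, the EFAIL researchers, or any mail client):
a pre-render filter that neutralises remote-content references in HTML email.

Refusing to fetch remote resources from a decrypted message closes the
exfiltration channel the article describes. Everything here (function names,
sample message, hostnames) is an assumption constructed for illustration.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that cause a fetch as soon as the HTML is rendered.
FETCHING_ATTRS = {"src", "href", "background", "poster", "srcset", "data"}
# href only fetches on render for these tags; on <a> it fetches on click.
FETCH_ON_RENDER_HREF_TAGS = {"link", "base"}
REMOTE_SCHEMES = {"http", "https", "ftp"}
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.IGNORECASE)


def is_remote(url: str) -> bool:
    """True if resolving this URL would contact a network host."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() in REMOTE_SCHEMES:
        return True
    # Scheme-relative URLs (//host/path) inherit http(s) from the renderer.
    return parts.scheme == "" and url.startswith("//")


class RemoteContentBlocker(HTMLParser):
    """Re-emits the HTML it is fed, minus anything that would fetch remotely."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []       # rebuilt HTML fragments
        self.blocked = []   # remote references removed, for logging/detection

    def _clean_style(self, style):
        def repl(m):
            if is_remote(m.group(1)):
                self.blocked.append(m.group(1))
                return "url(about:blank)"
            return m.group(0)
        return CSS_URL_RE.sub(repl, style)

    def _filter_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if value is None:
                kept.append((name, value))
                continue
            if lname == "style":
                kept.append((name, self._clean_style(value)))
                continue
            fetches = lname in FETCHING_ATTRS and (
                lname != "href" or tag in FETCH_ON_RENDER_HREF_TAGS)
            if lname == "srcset":
                remote = any(is_remote(c.split()[0])
                             for c in value.split(",") if c.strip())
            else:
                remote = is_remote(value)
            if fetches and remote:
                self.blocked.append(value)
                continue  # drop the attribute entirely; nothing is fetched
            kept.append((name, value))
        return kept

    def _emit_tag(self, tag, attrs, close=""):
        parts = [tag]
        for name, value in attrs:
            parts.append(name if value is None
                         else f'{name}="{escape(value, quote=True)}"')
        self.out.append(f"<{' '.join(parts)}{close}>")

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, self._filter_attrs(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, self._filter_attrs(tag, attrs), close=" /")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")


def neutralise_remote_content(html_body: str) -> tuple[str, list[str]]:
    """Return (safe_html, blocked_references) for an HTML mail body."""
    p = RemoteContentBlocker()
    p.feed(html_body)
    p.close()
    return "".join(p.out), p.blocked


# Constructed sample body: an inline (cid:) logo, a remote tracking pixel,
# a remote CSS background and an ordinary click-to-open link.
SAMPLE_HTML = (
    '<html><body style="background:url(https://mail.example.test/bg.png)">'
    '<p>Quarterly figures attached.</p>'
    '<img src="cid:logo@example.test" alt="logo">'
    '<img src="https://tracker.example.test/pixel.gif" width="1" height="1">'
    '<a href="https://www.example.test/report">Read more</a>'
    '</body></html>'
)

if __name__ == "__main__":
    safe, blocked = neutralise_remote_content(SAMPLE_HTML)
    print(safe)
    print("blocked:", blocked)
```

The filter keeps `cid:` and `data:` references, which resolve locally, and leaves `<a href>` alone because a link is only fetched when the user clicks it; a mail client that applies this kind of pre-render step (or simply never auto-loads remote content) removes the condition the exfiltration depends on, and the returned `blocked` list gives a detection hook for messages that arrived carrying remote loaders.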

EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.

SZ described the findings as "so devastating that confidence in encrypted emails is likely to be lost, at least for the foreseeable future".

Robert Graham at Errata Security also examined the flaws and came away with a different take: "It only works if you've enabled your email client to automatically grab external/remote content", he said in a post. The researchers have disclosed the vulnerability to the companies providing email programs, so watch out for software patches.

But while that advice might be easier to implement for anyone who uses and configures their own PGP tools, it fails to address how secure webmail providers might address the flaws.
