Warning: Serious #Efail vulnerabilities allow attackers to view PGP encrypted email content

May 15, 2018

Users of PGP (Pretty Good Privacy) and S/MIME (Secure/Multipurpose Internet Mail Extension) have been warned about a number of critical vulnerabilities relating to those technologies.

The discovery was made by a team of European researchers, including Damian Poddebniak, Christian Dresen, Fabian Ising, and Sebastian Schinzel from Münster University of Applied Sciences; Jens Müller, Juraj Somorovsky, and Jörg Schwenk from Ruhr University Bochum; and Simon Friedberger from KU Leuven.

Dubbed eFAIL by the researchers, the flaws allow attackers to decrypt the contents of emails secured with PGP and S/MIME, making them viewable to attackers in plaintext. Moreover, emails sent in the past are also impacted.

This means that those emails are potentially not secure. People rely on these technologies to secure their email contents and protect their confidential and sensitive information, so there is great cause for concern now that this information is vulnerable to attack. This has massive implications for those who use these technologies to protect their information.

It is believed that the vulnerabilities exist in the way encrypted email clients handle HTML emails and external resources, such as loading images and styles from external URLs.
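A defender-side check for the behaviour described above, as an added example that is not from the original article or the researchers: it uses Python's standard library to list the remote images and styles an HTML part would fetch when rendered, and notes whether the same message carries PGP/MIME or S/MIME parts. The sample message, hostnames and function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from html.parser import HTMLParser

# Attributes that make a client fetch a resource as soon as HTML is rendered.
FETCH_ATTRS = {"src", "background", "poster", "srcset"}
REMOTE = re.compile(r"\s*(?:https?:)?//", re.I)
CSS_URL = re.compile(r"url\(\s*['\"]?\s*((?:https?:)?//[^'\")\s]+)", re.I)
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime"}

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, url) pairs for remote loads
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            fetches = name in FETCH_ATTRS or (tag == "link" and name == "href")
            if fetches and REMOTE.match(value or ""):
                self.refs.append((tag, value.strip()))

def audit_message(raw):
    report = {"encrypted_parts": [], "remote_refs": []}
    for part in message_from_string(raw, policy=default).walk():
        ctype = part.get_content_type()
        if ctype in ENCRYPTED_TYPES:
            report["encrypted_parts"].append(ctype)
        elif ctype == "text/html":
            html = part.get_content()
            finder = RemoteRefFinder()
            finder.feed(html)
            finder.close()
            css = [("css", u) for u in CSS_URL.findall(html)]  # may over-report
            report["remote_refs"] += finder.refs + css
    return report

def constructed_sample():
    """Constructed message: an HTML body plus a dummy S/MIME attachment."""
    html = ('<html><head><link rel="stylesheet" href="//cdn.example/s.css">'
            '<style>body{background:url(https://img.example/bg.png)}</style></head>'
            '<body><img src="https://tracker.example/p.png"><img src="cid:logo">'
            '<a href="https://example.org/">link</a></body></html>')
    msg = EmailMessage()
    msg.set_content(html, subtype="html")
    msg.add_attachment(b"dummy", maintype="application", subtype="pkcs7-mime")
    return msg.as_string()

if __name__ == "__main__":
    print(audit_message(constructed_sample()))
```

Inline `cid:` images and ordinary hyperlinks are not reported, because a client does not fetch them from the network when the message is displayed.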

There are currently no reliable fixes, and numerous groups and academics have advised users of these technologies to uninstall PGP and S/MIME with immediate effect, to stop sending and opening PGP-encrypted emails, and to use an alternative end-to-end encryption solution.

The Electronic Frontier Foundation (EFF) has confirmed that the vulnerabilities exist in these encryption technologies.

“EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages,”

“Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.”

The EFF has advised users to disable plugins and tools, including Thunderbird with Enigmail, Apple Mail with GPGTools and Outlook with Gpg4win, with immediate effect.

The researchers have advised users to adopt authenticated encryption for sensitive communication.

Galaxkey is a fitting solution as it incorporates strong identity-based encryption with data containerisation. The technology uses strong authentication and end-to-end security to secure all communications. 

 

The Hacker News:

https://thehackernews.com/2018/05/pgp-smime-email-encryption.html

Ars Technica:

https://arstechnica.com/information-technology/2018/05/critical-pgp-and-smime-bugs-can-reveal-encrypted-e-mails-uninstall-now/

BBC News:

http://www.bbc.co.uk/news/technology-44107570