New encryption vulnerability means email is no longer secure

Florence Fletcher
May 14, 2018

EFAIL can enable hackers to unscramble users' encrypted messages and freely read their contents.

PGP, which stands for Pretty Good Privacy, is one of the most popular encryption programs; it is a two-factor authentication system. It does not encrypt metadata and is far from easy to use, but it is nevertheless widely regarded as by far the safest way to send secure emails.

The most serious vulnerabilities have resided in Thunderbird, macOS Mail, and Outlook for more than 10 years and remain unfixed at the moment, the researchers said. In the meantime, the researchers are advising users to rely on end-to-end encrypted messaging apps instead.

The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails.

In addition, the researchers recommended people "use alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted mail". Dubbing the series of flaws that make this attack possible EFAIL, the researchers said that some of these security vulnerabilities are a decade old. The security loopholes are claimed to expose the plaintext of encrypted emails to attackers and to put at risk even emails that were sent in the past. The first method sends the decrypted information directly to the attacker by exploiting how images are embedded into emails. The vulnerabilities allow attackers to exfiltrate e-mail plaintexts by embedding previously obtained ciphertext into unviewable parts of an e-mail and combining it with HTML code.
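The "unviewable parts combined with HTML" layout described above has a recognisable shape at the MIME level: an HTML part that opens an image tag's `src="` attribute and never closes it, followed in the same container by the encrypted part. The following heuristic check, added here as an illustration and not code from the researchers or any mail client, looks for that shape so a mail gateway or analyst can flag such messages before a client decrypts and renders them; the sample messages, the `outer`/`enc` boundaries and the `placeholder.example` host are constructed for the demonstration.

```python
"""Heuristic check for the EFAIL direct-exfiltration MIME layout: an HTML part that leaves
<img src=" open, followed by an encrypted part in the same container. Samples are constructed."""
import email
import re
from email import policy

ENCRYPTED_TYPES = {
    "multipart/encrypted",       # PGP/MIME (RFC 3156)
    "application/pkcs7-mime",    # S/MIME
    "application/x-pkcs7-mime",
}
# <img ... src=" whose value never reaches a closing quote before the part ends
UNTERMINATED_IMG = re.compile(r'<img[^>]*\bsrc\s*=\s*"[^"]*$', re.IGNORECASE)

def _has_unterminated_img(part) -> bool:
    """True for a text/html part that opens an <img src=" and never closes it."""
    if part.get_content_type() != "text/html":
        return False
    return UNTERMINATED_IMG.search(part.get_content()) is not None

def find_efail_layout(raw: bytes) -> list[str]:
    """One finding per HTML part that dangles an <img src=" before an encrypted sibling."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []

    def walk(container):
        if not container.is_multipart():
            return
        parts = container.get_payload()
        for i, part in enumerate(parts):
            if _has_unterminated_img(part):
                # A later encrypted sibling would be pulled into the open URL once decrypted.
                for later in parts[i + 1:]:
                    if later.get_content_type() in ENCRYPTED_TYPES:
                        findings.append(f'HTML part {i}: unterminated <img src=" precedes {later.get_content_type()}')
                        break
            walk(part)  # recurse into nested containers

    walk(msg)
    return findings

def build_message(html: str) -> bytes:
    """Constructed multipart/mixed message: an HTML part, then a PGP/MIME part with placeholder ciphertext."""
    return (
        'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="outer"\n\n'
        "--outer\nContent-Type: text/html\n\n" + html + "\n"
        '--outer\nContent-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="enc"\n\n'
        "--enc\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n--enc\nContent-Type: application/octet-stream\n\n"
        "-----BEGIN PGP MESSAGE-----\n(constructed placeholder)\n-----END PGP MESSAGE-----\n--enc--\n--outer--\n"
    ).encode()
```

A well-formed HTML part with a closed `src` attribute (for example `<img src="cid:logo">`) produces no finding; only the dangling form does.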

UPDATE 2: Because some researchers started disclosing details about the vulnerability ahead of schedule, the website is now live, along with the research paper, both containing more info on the EFAIL vulnerability.

University researchers from Münster and Bochum in Germany, as well as Leuven in Belgium, discovered the flaws in the encryption methods that can be used with popular email applications such as Microsoft Outlook, Apple Mail and Enigmail for Thunderbird, which all offer to decrypt emails on the fly. Some have criticized the researchers for teasing the vulnerability before publishing their full paper on it, while others have jumped straight to disabling PGP in their email clients.

"You need to take action now", says Alan Woodward, a professor of computer science at the University of Surrey.

Click on the hamburger menu and select Add-ons from the right panel of the menu.

On the second screen, keep everything as it is but uncheck "GpgOL" from the options.
