S/MIME and PGP Email Encryption Flaws Affecting Millions Discovered by EFF

The new critical vulnerability is dubbed EFAIL, and the researchers say that there is no permanent fix available for now.

The researchers suggest disabling HTML for email, and security experts agree that this is good practice, as connecting to remote servers and downloading unknown code from them poses a significant risk.

The researchers also note that there is no fix for the vulnerability just yet and that it is better not to sign off your emails using the PGP or S/MIME standards. According to the European researchers, "EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs". The newly found vulnerability has the potential to reveal encrypted emails in plaintext, including emails sent in the past. In the long term, comprehensively patching this particular vulnerability will require an update to the underlying email encryption standards. Copy and paste the encrypted text into separate programs to decrypt the text.
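An added example, not from the researchers or the original article: a Python check for the active content the quote above describes, listing the remote URLs that rendering a message's HTML parts would request, next to the plain-text view shown when HTML is disabled. The sample message, the example.net hosts and all function names are constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Tag -> attributes a rendering client fetches without any user click.
AUTO_LOAD = {"img": ("src",), "link": ("href",), "script": ("src",),
             "iframe": ("src",), "embed": ("src",), "object": ("data",),
             "video": ("src", "poster"), "audio": ("src",),
             "source": ("src",), "body": ("background",)}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)

def is_remote(url):
    return url.strip().lower().startswith(("http://", "https://", "//"))

class RemoteContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits, self.in_style = [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self.in_style = (tag == "style")
        urls = [(tag, attrs.get(a) or "") for a in AUTO_LOAD.get(tag, ())]
        urls += [(tag + "[style]", u) for u in CSS_URL.findall(attrs.get("style") or "")]
        self.hits += [(where, u) for where, u in urls if is_remote(u)]

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):  # text inside a <style> element
        if self.in_style:
            self.hits += [("style", u) for u in CSS_URL.findall(data) if is_remote(u)]

def remote_fetches(raw):
    """List (location, url) pairs that rendering the HTML parts would request."""
    finder = RemoteContentFinder()
    for part in email.message_from_string(raw, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.hits

def plain_text_view(raw):
    """What a client with HTML rendering disabled shows: the text/plain body."""
    body = email.message_from_string(raw, policy=policy.default).get_body(("plain",))
    return body.get_content().strip() if body else ""

def sample_message():  # constructed sample, not a real email
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("Quarterly numbers attached.")
    msg.add_alternative(
        '<html><head><link rel="stylesheet" href="https://cdn.example.net/a.css"></head>\n'
        '<body><p style="background:url(http://img.example.net/bg.png)">Numbers.</p>\n'
        '<img src="https://img.example.net/logo.png">\n'
        '<a href="https://example.net/">site</a></body></html>', subtype="html")
    return msg.as_string()
```

Mail clients parse malformed HTML differently from Python's `html.parser`, so the list is an audit aid; the mitigation the researchers suggest remains disabling HTML rendering.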

University researchers from Muenster and Bochum in Germany, and Leuven in Belgium, discovered the flaws in the encryption methods that can be used with popular e-mail applications such as Microsoft Outlook and Apple Mail.

"It's a lot of steps for sure, and one that honestly is more hypothetical than it is risky", Dave Kennedy, the chief executive at security company TrustedSec, said. Some have criticized the researchers for teasing the vulnerability before publishing their full paper on it, while others have jumped straight to disabling PGP in their email clients.

The Electronic Frontier Foundation, on the other hand, is urging users to disable or uninstall PGP email plugins until the EFAIL threat is more widely understood. The attacks rely on the attacker being in possession of the encrypted emails and being able to trick either the sender or the recipient into opening an invisible snippet of the intercepted messages in a new email.

Sebastian Schinzel, lead of the IT security lab at the Münster University of Applied Sciences, said the paper would be published ahead of a scheduled date later this week after the embargo was broken.

The EFF recommended that users switch for the time being to the secure messaging app Signal for sensitive communications. PGP was created by computer scientist Phil Zimmermann in 1991; Symantec bought it in 2010 and is still the program's official developer.

"This is bad because the people who use PGP use it for a reason", he told the BBC.

Cluley also pointed out that it is not a new problem - the root problem of mail clients attempting to display corrupted S/MIME messages has been known about since 2000.
