Email Encryption Vulnerabilities Come To Light

Blog

Thought Leadership

Email Encryption Vulnerabilities Come To Light

Teresa Zwierzchowski

Think that encrypted email is safe from prying eyes? You may want to think again - especially if you've been using PGP or S/MIME to send your secure emails.

On Monday, a professor of computer security at Munster University of Applied Sciences warned of a vulnerability with Pretty Good Privacy (PGP) encryption program and Secure/Multipurpose Internet Mail Extensions that reveals the plaintext of encrypted emails - including emails that were sent in the past.

The Electronic Frontier Foundation (EFF) has confirmed the immediate risk of this vulnerabilities, dubbed Efail attack, to anyone using these tools for email communication.

The Efail attacks are conducted by attackers sending HTML emails that have active content similar to a URL or an image that is loaded from an external source. Sending an email exploiting these active components - and having a copy of the email user's ciphered text - the attacker can get the user's email client to decrypt the ciphered text and send the plaintext message to the attacker.

For more details on the mechanics of this attack, you can see the available research here: https://efail.de

Currently, the Efail plaintext exfiltration is vulnerable on 25 of 35 email clients tested by researchers. To help mitigate the issue, researchers are recommending using a separate application other than your email client to decrypt messages and disable HTML rendering in your email client. However, these are short-term solutions that may help but are temporary and inconvenient.

To fully fix this issue, email vendors using PGP or S/MIME would need to to patch their clients and for the standards of PGP and S/MIME to be updated to fix these exploitable flaws. These solutions could take quite a while to implement and are not guaranteed to happen.

YOU CAN READ MORE HERE: Attention PGP Users: New Vulnerabilities Require You To Take Action Now

APPRIVER & CIPHERPOST PRO

AppRiver does not use PGP or S/MIME to encrypt customers' emails. Our CipherPost Pro® email encryption product is not only invulnerable to this exploit but offers true mailbox-to-mailbox encryption helping to keep your confidential information secure.

CONNECT WITH US

Like us today on FacebookTwitter, YouTube and LinkedIn.

YOU MAY ALSO LIKE

https://blog.appriver.com/2018/03/appriver-live-hackers-getting-personal/