S/MIME and PGP Email Encryption Flaws Affecting Millions Discovered by EFF

S/MIME and PGP Email Encryption Flaws Affecting Millions Discovered by EFF

Critical unpatched vulnerabilities in widely-used email encryption tools PGP and S/MIME have been discovered by a team led by Sebastian Schinzel, professor of Computer Security at the Münster University of Applied Sciences.

They continue that in their model, the attacker is able to collect end-to-end encrypted emails, either through a man-in-the-middle attack on the network, by accessing a SMTP server, by accessing the IMAP account on the server, or by some other means.

Researchers have discovered a vulnerability in the OpenPGP and S/MIME protocols that allows for the exfiltration of plaintext messages. The flaw, named EFAIL, reportedly affects both sent and received messages, including past correspondence.

In the meantime, digital privacy rights group Electronic Frontier Foundation, which has reviewed the researchers' findings, confirmed that the bugs pose a risk to anyone using PGP and S/MIME and as a "temporary, conservative stopgap" recommends disabling any email plug-ins that automatically decrypt such messages. They do note, however, that disabling HTML rendering won't completely stop EFAIL attacks.

According to the ABA's 2017 Legal Technology Research Survey, 36.4 percent of responding firms and solo practitioners used some form of email encryption. Created by computer scientist Phil Zimmerman in 1991, Symantec bought PGP in 2010 and is still the program's official developer.

Furthermore, separate guides have been provided to disable PGP plugins in Thunderbird, Apple Mail, and Outlook.

ESU baseball team earns at-large bid for NCAA Tournament
The Titans received one of the two Pool B bids as the WIAC does not have an automatic qualifier this season. The Seminoles will face off against the Jacksonville State Gamecocks on Friday afternoon at 2:30 p.m.

Cleric al-Sadr leads in early vote results
The sources added that Suri was "in charge of recruiting attackers and dispatching them to Iraq to carry out bomb attacks there". Nevertheless, the terrorist group appears to still maintain an active presence in certain part of northern and western Iraq.

Pochettino vows to celebrate Spurs success
The early season form seems to be back, with the Foxes only overturning a five-game winless run with the midweek win over Arsenal. Dier didn't have a good time, although to be fair it's Pochettino's choice to play him at centre-back and not in midfield.

Also, Robert Graham at Errata Security, examined the flaws and came away with a different take: "It only works if you've enabled your email client to automatically grab external/remote content", he said in a post.

"EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs". While the researchers say each mail client vendor can come up with individual mitigations, they suggest that the underlying specification for OpenPGP and S/MIME will need to be fixed over the long-term.

"[The researchers] figured out mail clients which don't properly check for decryption errors and also follow links in HTML mails".

It recommended that users switch for the time being to secure messaging app Signal for sensitive communications.

Titling the exploit "Efail", they wrote that they had found two ways in which hackers could effectively coerce an e-mail client into sending the full plaintext of messages to the attacker.

The actual encrypted message using PGP or S/Mime. The expert said that the attackers using these programs can "access" not only to intercepted letters, but all are ever sent.

Related Articles