Hole found in the most popular encryption method

Nichole Vega, May 15, 2018

A research team of nine academics from the Electronic Frontier Foundation has discovered critical vulnerabilities in two email encryption tools.

The most serious vulnerabilities have resided in Thunderbird, macOS Mail, and Outlook for more than 10 years and remain unfixed at the moment, the researchers said. Secure/Multipurpose Internet Mail Extensions (S/MIME) is an alternative end-to-end encryption standard that is used to secure corporate email communication.

PGP (Pretty Good Privacy) is a data encryption method sometimes added to programs that send and receive email. The Foundation, which has been in communication with the researchers, has advised users to "temporarily stop sending and especially reading PGP-encrypted email".

Full details of the Efail flaw have now been made public ahead of the original schedule.

Mikko Hypponen, a global security expert, pointed out that even if users follow the EFF's advice, this does not necessarily do anything to protect older email messages. That won't fully close the flaw, but it will cut off the primary way of exploiting it. It's not that simple, though: before doing that, a hacker must first obtain the encrypted emails they want, by spying on network traffic and then compromising email accounts, servers, backup systems or client computers.

However, the embargo was broken by the German news outlet Süddeutsche Zeitung, which posted the findings in the early hours of Monday.

According to the researchers, both the CFB and CBC modes enable an attacker to reorder, remove or insert ciphertext blocks, or to perform meaningful plaintext modifications, without the encryption key.

The researchers said on a website devoted to this vulnerability that "EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs".

"[The researchers] figured out mail clients which don't properly check for decryption errors and also follow links in HTML mails". Then the emails are changed in a particular way and sent to a victim.

In the wake of the new research, Green tells Süddeutsche Zeitung: "This is another bullet hole in an already perforated vehicle".

"These steps are intended as a temporary, conservative stopgap until the immediate risk of the exploit has passed and been mitigated against by the wider community", the EFF said.

But some think the vulnerability warning is overblown.

EFF's recommendation: If you use PGP or S/MIME, disable them, and uninstall the tools that decrypt them. That's because EFAIL can be stopped by using authenticated encryption; OpenPGP started to support authenticated encryption in 2001.
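As an added example (not from the article, the EFF or the researchers), this Go program shows the two properties the article contrasts: in the unauthenticated CFB mode named above, a single ciphertext byte can be changed without the key so that the decrypted text reads differently, whereas an authenticated mode (AES-GCM here, used as a stand-in for any authenticated encryption) rejects the same change instead of releasing altered text. The key, IV, nonce and message are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo key, IV and nonce, fixed so the run is deterministic;
// real systems use fresh per-message values and never repeat a GCM nonce.
var key = []byte("0123456789abcdef") // 16 bytes: AES-128
var iv = []byte("fedcba9876543210")  // CFB initialisation vector
var nonce = []byte("unique-nonce")   // 12-byte GCM nonce
var block, _ = aes.NewCipher(key)

// AES-CFB, the unauthenticated mode the article says OpenPGP relies on:
// decryption never checks whether the ciphertext is intact.
func cfbEncrypt(pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(ct, pt)
	return ct
}
func cfbDecrypt(ct []byte) []byte {
	pt := make([]byte, len(ct))
	cipher.NewCFBDecrypter(block, iv).XORKeyStream(pt, ct)
	return pt
}

// tamperedCFB models the malleability the researchers describe: one XORed
// ciphertext byte flips the same plaintext byte (and garbles the next block).
func tamperedCFB(pt []byte, pos int, delta byte) []byte {
	ct := cfbEncrypt(pt)
	ct[pos] ^= delta
	return cfbDecrypt(ct)
}

// gcmTamperDetected applies the same one-byte change to an AES-GCM
// ciphertext; the authentication tag check makes Open fail instead.
func gcmTamperDetected(pt []byte, pos int, delta byte) bool {
	aead, _ := cipher.NewGCM(block)
	ct := aead.Seal(nil, nonce, pt, nil)
	ct[pos] ^= delta
	_, err := aead.Open(nil, nonce, ct, nil)
	return err != nil
}

func main() {
	pt := []byte("Meeting at 10:00 AM, room B.")
	fmt.Printf("CFB reader sees: %q\n", tamperedCFB(pt, 11, '1'^'2')[:16])
	fmt.Println("GCM rejects the change:", gcmTamperDetected(pt, 11, '1'^'2'))
}
```

The first line prints "Meeting at 20:00" with no warning to the reader; the second prints true, which is the check a client must perform before acting on any decrypted content.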

"This is bad because the people who use PGP use it for a reason", he told the BBC. CounterMail, Hushmail and Mailfence all use OpenPGP.

It wasn't that long ago that OEMs were being warned to share details of vulnerabilities in their chips via PGP so hackers couldn't eavesdrop. Erm.
