Critical flaw found in email encryption tools


However, there is some debate as to how serious the issues are.

The security flaws in both standards were discovered by a group of researchers in Europe.

Unlike PGP, S/MIME (Secure/Multipurpose Internet Mail Extensions) is an email-only encryption program.

A research team of nine academics from the Electronic Frontier Foundation has discovered critical vulnerabilities in two email encryption tools. While doing so, the client loads any external content, thus exfiltrating the plaintext to the attacker.

According to a tweet from Schinzel, the vulnerabilities "might reveal the plaintext of encrypted emails, including encrypted emails sent in the past". "This creates a single encrypted body part that exfiltrates its own plaintext when the user opens the attacker email". This new vulnerability allows attackers to read encrypted HTML emails in plaintext. Attacks using the EFAIL vulnerability take advantage of "active content" in HTML emails, such as externally loaded graphics, to extract the plaintext through the requested URLs. They warn that the flaw won't be fully fixed until the IT community updates the PGP and S/MIME standards. If it's not, GnuPG returns an alert.

A threatening flaw in email encryption was revealed Monday in a report from European researchers.

This is possible because of a basic flaw of end-to-end encryption, they add.

Koch says some MUAs' failure to block hidden HTML links is the problem.

His colleague Robert Hansen said on Twitter that the issue had been known about for some time.

Users of platforms that use S/MIME and PGP encryption have been advised to disable email encryption to avoid the chances of an attack. "It seems to not be easily reproducible in all cases".

An attacker could gain access to encrypted emails by monitoring network traffic, compromising email servers or the computers of users, or gaining access to backup servers. "Given the current state of our research, the CFB gadget attack against PGP only has a success rate of approximately one in three attempts".

Indeed, El Reg recommends opening PGP-encrypted emails in a text editor on a secured virtual machine, host, or container, depending on your level of paranoia, rather than allow encrypted HTML messages to be parsed and rendered.

"Email is no longer a secure communication medium", Sebastian Schinzel, a professor of computer security at Germany's Münster University of Applied Sciences, told the German news outlet Süddeutsche Zeitung. "In fact OpenPGP is immune if used correctly while S/MIME has no deployed mitigation", the expert said. They have published guides for Thunderbird, Apple Mail, and Outlook.

Email users who use PGP (based on OpenPGP) and S/MIME to encrypt and decrypt their communications are at "immediate risk".
