Encryption Flaw Called A Threat To Email

A threatening flaw in email encryption was revealed Monday in a report from European researchers. If some sources are to be believed, it could spell the end of email as a secure channel.  

The new vulnerability is called EFAIL. It exposes the plaintext of encrypted emails for users of OpenPGP (Pretty Good Privacy) and S/MIME (Secure/Multipurpose Internet Mail Extensions), the two most prominent standards for end-to-end encryption of email, according to the report from the Electronic Frontier Foundation (EFF).

The findings are based on models, so it is unclear whether harm has actually occurred. But the authors state that they have “disclosed the vulnerabilities to all affected email vendors, and to national CERTs and our findings were confirmed by these bodies.”

They continue that in their model, the attacker is able to collect end-to-end encrypted emails, either through a man-in-the-middle attack on the network, by accessing an SMTP server, by accessing the IMAP account on the server, or by some other means. “He may store these emails for some time before he starts his attack.”

This is possible because of a basic flaw of end-to-end encryption, they add.   

“While transport security between mail servers is useful against some attacker scenarios, it does not offer reliable security guarantees regarding confidentiality and authenticity of emails,” the researchers state.

It is, for example, not enough to deter attacks by “nation state actors, large-scale breaches of email servers, revealing millions of email messages, or attackers compromising email accounts,” they explain. 

In this scenario, attackers send a “changed encrypted email” to the victim. And that person’s email client decrypts the email and loads external content, “thus exfiltrating the plaintext to the attacker.”

The researchers used CBC/CFB gadgets “to inject malicious plaintext snippets into encrypted emails that abuse existing and standard conforming backchannels, for example, in HTML, CSS, or x509 functionality, to exfiltrate the full plaintext after decryption.”

They add that EFAIL “abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs.”

One of the researchers, Sebastian Schinzel, told Süddeutsche Zeitung that “email is no longer a secure communication medium,” according to Gizmodo. It remains to be seen if this is overhype.  

Meanwhile, the report suggests several strategies for preventing EFAIL attacks:

Short term: no decryption in the email client; disable HTML rendering.

Medium term: patching.

Long term: update the OpenPGP and S/MIME standards.
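
To see what the "disable HTML rendering" mitigation closes off, the following added example (not code from the report or from this article) walks a message's MIME parts and lists every remote URL an HTML part would fetch automatically when rendered, covering the externally loaded images and styles named above. The function names, the attribute list and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_bytes, policy
from html.parser import HTMLParser

# Illustrative helper: the names and the attribute list are this example's assumptions.
# Attributes a renderer fetches automatically; links in <a>/<area> need a click.
URL_ATTRS = {"src", "href", "background", "poster", "srcset", "data"}
CLICK_ONLY = {"a", "area"}
REMOTE = re.compile(r"\s*(?:https?:)?//", re.I)
CSS_URL = re.compile(r"url\(\s*['\"]?\s*((?:https?:)?//[^'\")\s]+)", re.I)

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            if name == "style" and value:            # inline CSS
                self.refs += [(f"{tag}[style]", u) for u in CSS_URL.findall(value)]
            elif name in URL_ATTRS and tag not in CLICK_ONLY and REMOTE.match(value or ""):
                self.refs.append((f"{tag}[{name}]", value.strip()))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:                           # contents of a <style> block
            self.refs += [("style", u) for u in CSS_URL.findall(data)]

def remote_references(raw):
    """Return (location, url) pairs for remote content in a message's HTML parts."""
    refs = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            finder = RemoteRefFinder()
            finder.feed(part.get_content())
            finder.close()
            refs += finder.refs
    return refs

# Constructed sample message; all hosts are placeholders.
SAMPLE = (b'MIME-Version: 1.0\r\nContent-Type: multipart/alternative; boundary="b1"\r\n\r\n'
          b'--b1\r\nContent-Type: text/plain\r\n\r\nplain body\r\n'
          b'--b1\r\nContent-Type: text/html\r\n\r\n'
          b'<style>body{background:url(https://cdn.example.net/bg.png)}</style>'
          b'<img src="http://img.example.net/p.gif"><a href="https://example.org/">x</a>'
          b'<img src="cid:logo">\r\n--b1--\r\n')
```

Calling `remote_references(SAMPLE)` reports the stylesheet background and the image, but not the click-only link or the `cid:` reference to an attached image.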

The report was authored by Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky and Jörg Schwenk.
