The alarms went off this week about EFAIL, a guaranteed destroyer of email. But EFAIL is not as bad as it sounds, according to Dennis Dayman, chief privacy and security officer of Return Path.
“The sky isn’t falling,” he says.
To recap: Using models, a group of academic researchers in Europe found that EFAIL exposes the plaintext of encrypted emails sent by users of OpenPGP (Pretty Good Privacy) and S/MIME (Secure/Multipurpose Internet Mail Extensions), the most prominent email encryption standards.
But only the most sophisticated hackers — someone on the level of the NSA itself — would be able to exploit these vulnerabilities, Dayman adds.
“The hacker has to have possession of an encrypted message, and to basically be eavesdropping on your network, to have a compromised email account or server or someone’s computer,” he says.
In addition, the bad actor would “have to break into one of these things and intercept email and in doing so modify the encrypted message in such a way that the person opening the message would not know the message was intercepted and not encrypted.”
Dayman argues that it was “a little irresponsible” of the researchers to tell people to abandon any security protocols until the problem is solved.
What does it mean for email marketers? “Honestly, probably nothing,” Dayman says. “They’re sending brand messages, not highly encrypted emails. It’s not something that the average everyday user would ever need to use.”
Have Return Path’s clients called up in alarm?
“Not one,” Dayman answers.
Dayman and his group learned about the threat report last Sunday night. But he contends that “these flaws have existed for a decade. Who knows if anyone has taken advantage of it? It would probably be done against a government agency and larger-scale enterprise. They’re not going to worry about a Mom & Pop dry-cleaning store.”
That said, Dayman sees the need for improvement in OpenPGP.
“We’re using an infrastructure that’s 35-plus years old,” he says. It was set up for “trading info between universities and governments,” he adds. “It’s been overwritten by personal email, the me generation, mass emails, and all this crazy stuff.”
The result? “We’ve taken a protocol and layered fix upon fix upon it. PGP needs to be hardened and fixed,” or replaced with something better, Dayman says.
So what should companies do to protect themselves?
“Make sure you’re using the latest versions of your email technology and clients,” Dayman advises. “Keep your patches up to date.”