UPDATED 12:26 EDT / MAY 14 2018

INFRA

Researchers find critical flaws in the tech underpinning email encryption

The Electronic Frontier Foundation today issued a warning against using email for secure communications following the discovery of major flaws in the technology used to send encrypted messages.

The exploits, which are collectively referred to as EFAIL, were discovered by a team of cybersecurity experts from three European universities. The researchers have published an overview of their findings on a web page that went up early this morning.

EFAIL affects OpenPGP and S/MIME, the two go-to technologies for encrypting sensitive emails in situations where the default protections provided by email clients such as Outlook are insufficient. OpenPGP, the more widely used of the pair, traces its roots to before the creation of the modern internet. S/MIME is a popular alternative that’s used particularly by enterprises looking to protect business correspondence.

EFAIL can enable hackers to unscramble users’ encrypted messages and freely read their contents. According to the researchers behind the discovery, attacks could be executed in one of two ways. Both methods require the attacker to get their hands on the emails they wish to decrypt beforehand, for example by eavesdropping on the victim’s network.

The first technique involves modifying a stolen message with a malicious HTML element such a compromised image link. Upon receiving the email, the victim’s client is effectively tricked into sending the contents back to the hacker in a decrypted form.

This attack exploits vulnerabilities in the way that popular clients such as Apple Mail, iOS Mail and Mozilla Thunderbird implement encryption. As a result, the exploit should be fixed once companies begin rolling out patches, which should happen soon given the scope of the attack.

The other attack method likely won’t be nearly as straightforward to fix. It exploits flaws in the very design of OpenPGP and S/MIME, which the researchers explained will require modifying the standards themselves. They expect the process could take quite a while.

In the meantime, the researchers advise users to stop using the two encryption technologies. The Electronic Frontier Foundation echoed its warning in its memo and included guides for disabling email client plugins that use OpenPGP or S/MIME. The organization suggests that users send sensitive messages via alternative means such as the Signal encrypted chat app until the issue is resolved.

Image: Jana Runde/Ruhr-University Bochum

Since you’re here …

… We’d like to tell you about our mission and how you can help us fulfill it. SiliconANGLE Media Inc.’s business model is based on the intrinsic value of the content, not advertising. Unlike many online publications, we don’t have a paywall or run banner advertising, because we want to keep our journalism open, without influence or the need to chase traffic.The journalism, reporting and commentary on SiliconANGLE — along with live, unscripted video from our Silicon Valley studio and globe-trotting video teams at theCUBE — take a lot of hard work, time and money. Keeping the quality high requires the support of sponsors who are aligned with our vision of ad-free journalism content.

If you like the reporting, video interviews and other ad-free content here, please take a moment to check out a sample of the video content supported by our sponsors, tweet your support, and keep coming back to SiliconANGLE.

Cookies

We employ the use of cookies. Find out more.