Published: Tue, May 15, 2018
Research | By Derrick Holloway

Researchers Find 'eFail' Threat to Email Privacy

Researchers Find 'eFail' Threat to Email Privacy

In summary, the researchers said the Efail attacks abuse active content of HTML emails - for example, externally loaded images or styles - to exfiltrate plaintext through requested URLs.

PGP and S/MIME are said to have flaws that could be exploited to get access to any incoming or outgoing emails on platforms that use either of the two encryption tools. "This vulnerability might be used to decrypt the contents of encrypted emails sent in the past".

The vulnerabilities in PGP and S/MIME standards pose an immediate risk to e-mail communication, including the potential exposure of the contents of past messages, said the Electronic Frontier Foundation (EFF), a USA digital rights group.

Researchers at the Munster University of Applied Sciences discovered vulnerabilities in the Pretty Good Protection (PGP) and S/MIME technologies used to encrypt email.

Lewis Hamilton wins Spanish GP as Brendon Hartley recovers for 12th
You saw that it worked out for [Daniel] Ricciardo and Verstappen in Shanghai, I think this is what they were thinking. Yeah, you have to slow down, the tires are getting cold and it was my mistake, I came into the box maybe a bit hot.

The flaw works when an attacker already has access to a victim's encrypted emails. Long term, comprehensively patching this particular vulnerability will require an update to the underlying email encryption standards. Flaws in the way the programs handle e-mails with multiple body parts make it possible to embed invisible snippets of previously obtained encrypted text in new e-mails. Users are advised to disable the following email encryption add-ons: Gpg4win for Outlook, Enigmail for Thunderbird and GPGTools for Apple Mail.

"It's a lot of steps for sure, and one that honestly is more hypothetical than is it is risky", Dave Kennedy, the chief executive at security company TrustedSec, said. Numerous email clients also support S/MIME - Secure/Multipurpose Internet Mail Extensions - for sending encrypted communications and digitally signing messages.

The Electronic Frontier Foundation -which researchers contacted to help them broadcast their message to a broader audience- has published tutorials on how to disable email encryption plugins.

The discovery means that PGP shouldn't be relied upon to provide secure messaging, as it can be circumvented by exploiting this vulnerability, referred to as EFAIL.

Six in Pennsylvania sick from shell egg salmonella outbreak
Eleven people have been hospitalized for complications related to the infections, the CDC said, but no deaths have been reported. The CDC is warning customers to avoid eggs produced by Rose Acre Farms, the company behind April's massive egg recall.

The Gnu Privacy Guard (GnuPG) team responded to the EFF's warnings by saying the problem lies with how email clients implement OpenPGP, not with the protocol itself. Sebastian Schinzel, one of the researches who published the details about the vulnerability, had tweeted: "There are now no reliable fixes for the vulnerability".

Barton Gellman tweeted "The best advice TBH is just to stop using GPG / PGP (for most purposes) and start using Signal".

EFF said in a blog post that users should uninstall PGP until the flaw is patched.

In 2017, the ABA Standing Committee on Ethics and Professional Responsibility released Formal Opinion 477 on "Securing Communication of Protected Client Information".

Countries that continue to deal with Iran could face United States sanctions: Bolton
In a fact check of that remark, The New York Times deemed the claim "exaggerated". The other signees had urged Washington to remain in the deal.

Like this: