Published: Tue, May 15, 2018
Research | By Derrick Holloway

Researchers Find 'eFail' Threat to Email Privacy

In summary, the researchers said the Efail attacks abuse active content of HTML emails - for example, externally loaded images or styles - to exfiltrate plaintext through requested URLs.

PGP and S/MIME are said to have flaws that could be exploited to get access to any incoming or outgoing emails on platforms that use either of the two encryption tools. "This vulnerability might be used to decrypt the contents of encrypted emails sent in the past".

The vulnerabilities in the PGP and S/MIME standards pose an immediate risk to e-mail communication, including the potential exposure of the contents of past messages, said the Electronic Frontier Foundation (EFF), a US digital rights group.

Researchers at the Münster University of Applied Sciences discovered vulnerabilities in the Pretty Good Privacy (PGP) and S/MIME technologies used to encrypt email.

The flaw works when an attacker already has access to a victim's encrypted emails. Long term, comprehensively patching this particular vulnerability will require an update to the underlying email encryption standards. Flaws in the way the programs handle e-mails with multiple body parts make it possible to embed invisible snippets of previously obtained encrypted text in new e-mails. Users are advised to disable the following email encryption add-ons: Gpg4win for Outlook, Enigmail for Thunderbird and GPGTools for Apple Mail.
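For defenders, the message shape described above (an encrypted body part sitting next to cleartext HTML that loads external content) can be checked for mechanically. The following is an added example, not code from the researchers or any mail client; the function name, content-type list and sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# MIME types that carry S/MIME or PGP/MIME ciphertext.
ENCRYPTED_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime",
                   "application/pgp-encrypted"}
PGP_ARMOR = "-----BEGIN PGP MESSAGE-----"
# HTML attributes or CSS url() that make a mail client fetch a remote resource.
REMOTE_REF = re.compile(
    r"""(?:src|href|background)\s*=\s*["']?\s*https?://|url\(\s*["']?https?://""",
    re.I)

def audit_message(raw):
    """Return findings for a raw RFC 822 message (heuristic, assumption-based)."""
    encrypted = cleartext = 0
    remote_html = False
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue  # containers have no body of their own
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        if part.get_content_type() in ENCRYPTED_TYPES or PGP_ARMOR in text:
            encrypted += 1
            continue
        cleartext += 1
        if part.get_content_type() == "text/html" and REMOTE_REF.search(text):
            remote_html = True
    findings = []
    if encrypted and cleartext:
        findings.append("encrypted part mixed with cleartext body parts")
    if encrypted and remote_html:
        findings.append("cleartext HTML part loads remote content")
    return findings

# Constructed samples; the ciphertext is a placeholder string.
MIXED = ('MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
         '--b1\nContent-Type: text/html\n\n'
         '<p>hi</p><img src="http://example.invalid/logo.png">\n'
         '--b1\nContent-Type: application/pkcs7-mime; smime-type=enveloped-data\n\n'
         'PLACEHOLDER-CIPHERTEXT\n--b1--\n')
PLAIN_SMIME = ('MIME-Version: 1.0\n'
               'Content-Type: application/pkcs7-mime; smime-type=enveloped-data\n\n'
               'PLACEHOLDER-CIPHERTEXT\n')
NEWSLETTER = ('MIME-Version: 1.0\nContent-Type: text/html\n\n'
              '<img src="https://example.invalid/banner.png">\n')

if __name__ == "__main__":
    for name, raw in (("mixed", MIXED), ("smime", PLAIN_SMIME), ("news", NEWSLETTER)):
        print(name, audit_message(raw))
```

A finding is a reason to inspect the message, not proof of tampering: a normally encrypted message (ciphertext as the only content) and an ordinary HTML newsletter both return no findings.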

"It's a lot of steps for sure, and one that honestly is more hypothetical than it is risky", Dave Kennedy, the chief executive at security company TrustedSec, said. Numerous email clients also support S/MIME - Secure/Multipurpose Internet Mail Extensions - for sending encrypted communications and digitally signing messages.

The Electronic Frontier Foundation, which researchers contacted to help them broadcast their message to a broader audience, has published tutorials on how to disable email encryption plugins.

The discovery means that PGP shouldn't be relied upon to provide secure messaging, as it can be circumvented by exploiting this vulnerability, referred to as EFAIL.

The GNU Privacy Guard (GnuPG) team responded to the EFF's warnings by saying the problem lies with how email clients implement OpenPGP, not with the protocol itself. Sebastian Schinzel, one of the researchers who published the details about the vulnerability, had tweeted: "There are now no reliable fixes for the vulnerability".

Barton Gellman tweeted "The best advice TBH is just to stop using GPG / PGP (for most purposes) and start using Signal".

EFF said in a blog post that users should uninstall PGP until the flaw is patched.

In 2017, the ABA Standing Committee on Ethics and Professional Responsibility released Formal Opinion 477 on "Securing Communication of Protected Client Information".
