BT

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ

Topics

Choose your language

InfoQ Homepage News PGP and S/MIME Encrypted Email Vulnerable to Efail Attack

PGP and S/MIME Encrypted Email Vulnerable to Efail Attack

This item in japanese

A group of German and Belgian researchers found that PGP and S/MIME are vulnerable to an attack, dubbed Efail, that leaks the plaintext of encrypted emails. The Electronic Frontier Foundation (EFF) confirmed the vulnerability and suggested to use alternative means to exchange secure messages. Yet, the vulnerability is not in PGP itself, according to GnuPG creator Werner Koch, who also said EFF comments were overblown.

The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails. In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs.

Exploiting this vulnerability is not trivial, though, since it first requires access to the encrypted message. This can be gained for example by compromising an email account, backups, or eavesdropping on network communication. When the attacker gains access to an encrypted email, they can change the email and then send that modified encrypted email to the receiver. When the victim decrypts the email and loads external content, the plaintext of the message is leaked to the attacker. The Efail paper goes into detail describing two flavors of Efail attacks. The researchers claim they succeeded in breaking up to 500 S/MIME encrypted emails by means of a single crafted S/MIME message sent to the victim. With PGP their claimed success rate is much lower, with only one attack in three attempts succeeding, due to PGP compressing the plaintext before encrypting it.

The team of researchers behind Efail also identified possible short-term mitigations. One possible mitigation consists in decrypting received emails only outside of the mail client and disable any encryption plugin that automatically handles that for you. This will prevent the possibility that the email client opens exfiltration channels to the attacker. More simply, you could disable HTML rendering in your email client, since HTML presentation is the easiest exfiltration channel to exploit.

The announcement of Efail sparked a lot of debate, both on the Web and in the press. The EFF officially endorsed the findings of the Efail research team:

Unfortunately, we cannot recommend using PGP in email clients until they have been patched, both on your device and your recipient’s device. […] We recommend disconnecting PGP from your email client until the appropriate mitigations have been released.

In particular, notes the EFF, the key point in any mitigation approach is that it should involve all parties of an encrypted communication. It only suffices, for example, that one recipient of your email does not disable HTML rendering in their client, for the vulnerability to be exploitable on that system.

After Efail was announced, it did not take long before the people behind GnuPG, a popular implementation of PGP, provided an official statement. According to Robert J. Hansen, the Efail paper only addresses vulnerabilities caused by bugs in email clients, mostly due to ignoring warnings. In fact, he says, GnuPG includes a specific countermeasure to the kind of attacks described in the Efail paper, which is called Modification Detection Code (MDC). MDC is a form of authenticated encryption and you can be safe by just checking that your PGP plugin does not use an “ancient” version of GnuPG (the 1.0 series) and it handles the MDC warnings correctly, according to Hansen. Koch additionally stressed that authenticated encryption is not implemented for S/MIME, so the only short-term mitigation for S/MIME is disabling HTML rendering.

Rate this Article

Adoption
Style

BT