Published: Mon, May 14, 2018
Technology | By Christopher Mann

Users Warned of Critical Email Encryption Security Flaw

Users Warned of Critical Email Encryption Security Flaw

In a 21-page academic paper, the researchers from Munster University, Ruhr University Bochum and KU Leuven, detail the Efail attack which could potentially enable an attacker to read encrypted emails that have been encrypted with the OpenPGP and S/MIME standards.

"The Efail attacks exploit flaws and undefined behavior in the MIME, S/MIME, and OpenPGP standards", the researchers wrote.

PGP is often used to encrypt messages in popular email programs such as Outlook, Apple Mail, Thunderbird, and Enigmail.

Pretty Good Privacy (PGP) is an encryption tool used to sign emails, documents, directories, and even full hard disks.

'There are now no reliable fixes for the vulnerability, ' lead researcher Sebastian Schinzel, professor of applied cryptography at the Muenster University of Applied Sciences, said in a tweet on Monday.

More news: Steven Gerrard keen on £5m Scottish star along with Martin Skrtel

After breaking the news on Twitter on Sunday night he added: "There are now no reliable fixes for the vulnerability".

"Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email", EFF said.

"They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past", researchers said.

It recommended that users switch for the time being to secure messaging app Signal for sensitive communications.

More specifically, the vulnerability has been discovered in the PGP or S/MIME software for email encryption.

More news: Disturbance in Southeastern Gulf

We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC.

So clients like Apple Mail, iOS Mail and Mozilla Thunderbird would view the emails as HTML instead of an encrypted message, and display it as one plaintext email instead of three hashed messages.

Germany's Federal Office for Information Security (BSI) said in a statement there were risks that attackers could secure access to emails in plaintext once the recipient had decrypted them.

That the vulnerability also affects S/MIME, however, may be more significant because S/MIME is much more widely deployed by businesses to secure their email communications. This is then encrypted with the sender's private "key" and decrypted by the receiver using a separate public key. The Foundation which has been in communication with the researchers has advised users to "temporarily stop sending and especially reading PGP-encrypted email".

More news: The Tesla drone crashed into a truck at a red light

Like this: