Security flaw could expose your encrypted emails, researchers warn

Security flaw could expose your encrypted emails, researchers warn

Security flaw could expose your encrypted emails, researchers warn

Users should immediately disable or remove any tools that automatically decrypt PGP-encrypted emails until the flaws are understood and fixed, EFF said.

In the short term, the researchers and the Electronic Frontier Foundation (EFF) recommend users disable PGP plugins and use non-email based messaging platforms to decrypt messages until a long-term solution is developed. The flaw found in PGP/GPG and S/MIME email encryption software potentially lets others view sent messages in plain text. "It provided instructions for disabling PGP plug-ins in Thunderbird, Apple Mail and Outlook". "There are now no reliable fixes for the vulnerability", he added. Thunderbird, Apple Mail, and Outlook are the three major email providers who need to be wary of the exploit as they use PGP encryption. It's this variety that attackers use to ambush users of OpenPGP and S/Mime by sending a slightly modified S/Mime email to the victim's address.

Morten Brogger, CEO of Wire, a B2B end-to-end encryption firm, said: "Today's announcement from the EFF highlights the danger in relying on email for sensitive communication".

They then would have to send the contents of that encrypted email back to its owner - the victim - in a carefully crafted way to make email clients think it's HTML. Users are advised to stop using tools that decrypt PGP or S/MIME encrypted emails. "The attack has a large surface, since for each encrypted email sent to n recipients, there are n + 1 mail clients that are susceptible to our attack", the abstract of the research paper reads. In a post Monday, he said his team wasn't contacted about the flaw and the attack could be mitigated by avoiding HTML emails or using authenticated encryption, which adds a layer of protection to confirm the message hasn't been changed.

Professor Schinzel is a member of a research team consisting of a long list of respected security researchers, and which has been responsible for uncovering a number of cryptographic vulnerabilities. Because a full block of plaintext-the researchers cite S/MIME emails starting with "Content-type: multipart/signed" as one-is known to the attacker, this allows the attacker to "repeatedly [append] CBC gadgets to inject an image tag into the encrypted plaintext. In 2018, businesses must re-evaluate how they communicate, opting to phase out email for secure communications solutions that are open-source, independently audited and end-to-end encrypted". On the other hand, S/MIME is used mainly in enterprise infrastructure.

Related news



[an error occurred while processing the directive]