Encrypted Emails May Be Readable


In a website devoted to the issues, which the researchers called eFail, they said the attacks exploit problems with the OpenPGP and S/MIME standards and can expose the plaintext of encrypted emails. This attack relies on a three-part message being sent.

Encryption used by most email software - from Outlook and Windows Mail to Thunderbird and Apple Mail - can be intercepted by hackers who can read at least parts of the written text, a German-led research team announced on Monday. The digital privacy watchdog also suggested the use of alternatives, such as Signal, for the time being as the implications of the vulnerabilities described in the paper are better understood, and hopefully mitigated, by the cybersecurity community. It's important to note that this exploit is only useful if an unscrupulous individual already has access to the encrypted S/MIME or PGP emails.

Sebastian Schinzel, professor of computer science at Münster University investigated the flaw, tweeting that full details of the vulnerability will be available from 15 May. In the meantime, they are recommending that users stop using OpenPGP and S/MIME for now.

EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.

Users are advised to disable email encryption to avoid any attackers from recovering past encrypted emails after the paper's publication. The Efail attacks rely on external communication and if a user is decrypting emails in a standalone application, the risks are somewhat muted.

Academics from the Electronic Frontier Foundation have discovered critical vulnerabilities in two email encryption protocols.

Security researchers, backed up the EFF, have issued a warning over PGP and S/MIME encryption.

They then would have to send the contents of that encrypted email back to its owner - the victim - in a carefully crafted way to make email clients think it's HTML. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past.

It added, however, that it considered the encryption standards themselves to be safe if correctly implemented and configured.

A vulnerability exists in programs PGP, GPG and S/MIME. In addition the mails would need to be in HTML format and have active links to external content to be vulnerable.