'EFAIL' Vulnerability Undermines PGP, S/MIME Email Encryption

PGP is leaking your emails in plaintext and there's no known fix

Critical unpatched vulnerabilities in widely-used email encryption tools PGP and S/MIME have been discovered by a team led by Sebastian Schinzel, professor of Computer Security at the Münster University of Applied Sciences.

The experts have been in contact with the human rights organisation Electronic Frontier Foundation, which has published instructions for disabling the encryption in email clients. The flaw, named EFAIL, reportedly affects both sent and received messages, including past correspondence.

German researchers have warned users of a popular form of email encryption that serious flaws mean their messages could be decoded by attackers. "You are thus only affected if an attacker already has access to your emails." He later added that "there are now no reliable fixes for the vulnerability". Thunderbird, Apple Mail, and Outlook are the three major email clients that need to be wary of the exploit, as they use PGP encryption.

This is unlikely to turn into another Heartbleed, given that this level of encryption is, for most, belt and braces (nobody cares what you had for dinner), but what about those who rely on PGP for genuine confidentiality? Secure/Multipurpose Internet Mail Extensions (S/MIME) is an alternative end-to-end encryption standard that is used to secure corporate email communication.


The research paper details a method whereby simply leaving the quotation marks around a URL unclosed can enable an attacker to get access to the decrypted email contents.
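A defensive check for the pattern described above, as an added example that comes neither from the research paper nor from any mail client: it walks a message's MIME parts and flags HTML parts in which a URL-bearing attribute opens a quote that is never closed. The function names, the attribute list and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Attributes that can carry a URL; this list is an assumption, not exhaustive.
URL_ATTR = re.compile(r'\b(src|href|background|action)\s*=\s*(["\'])', re.I)

def dangling_url_attrs(html: str) -> list[str]:
    """Return URL attributes whose opening quote is never closed in this part."""
    found, pos = [], 0
    while (m := URL_ATTR.search(html, pos)):
        close = html.find(m.group(2), m.end())
        if close == -1:
            # Quote stays open to the end of the part: whatever the client
            # renders next would be absorbed into the URL value.
            found.append(m.group(1).lower())
            break
        pos = close + 1  # skip the quoted value, continue after it
    return found

def scan_message(raw: str) -> list[tuple[int, str]]:
    """Return (part index from walk(), attribute) for each suspicious HTML part."""
    hits = []
    for idx, part in enumerate(message_from_string(raw).walk()):
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True) or b""
        html = payload.decode(part.get_content_charset() or "utf-8", "replace")
        hits.extend((idx, attr) for attr in dangling_url_attrs(html))
    return hits

# Constructed sample message (not taken from a real mailbox).
SAMPLE = """\
From: a@example.invalid
To: b@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html; charset=utf-8

<p>hello</p><img src="http://example.invalid/
--B
Content-Type: text/plain; charset=utf-8

second part
--B--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

A hit is a reason to quarantine the message for review before it is opened in a client that renders HTML and loads remote content.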

While the requirement that attackers have access to previously sent emails is an extremely high bar, the entire objective of both PGP and S/MIME is to protect users against this possibility. The researchers say new and archived emails are vulnerable to attack. As there are "currently no reliable fixes for the vulnerability", the researchers are advising users to immediately disable the encryption within individual email clients and use other methods to send their secure data for now. On the other hand, S/MIME is used mainly in enterprise infrastructure.

In their paper, researchers noted that "while it is necessary to change the OpenPGP and S/MIME standards to fix these vulnerabilities, some clients had even more severe implementation flaws allowing straightforward exfiltration of the plaintext". Mozilla referred questions to the Thunderbird Council, the third-party open-source software group that maintains the Thunderbird email app. Ryan Sipes, a Thunderbird community manager, said in a statement that a patch is being developed and will be distributed as an update by the end of the week.
