Technology News

PGP, S/MIME Encrypted Emails Can Be Revealed by Client Vulnerabilities, Researchers Say

By Gadgets 360 Staff | Updated: 14 May 2018 20:21 IST
PGP, S/MIME Encrypted Emails Can Be Revealed by Client Vulnerabilities, Researchers Say
Highlights
  • Vulnerabilities found in tools that decrypt PGP and S/MIME encryption
  • They can reveal the plaintext of encrypted emails to attackers
  • No reliable fixes have surfaced so far, researchers say
Advertisement

Security researchers claim to have discovered a set of vulnerabilities (collectively called Efail) that affect users of certain email clients that utilise PGP (Pretty Good Privacy) and S/MIME (Secure/ Multipurpose Internet Mail Extensions) - two widely used methods for encrypting emails. The security loopholes are claimed to expose the plaintext of encrypted emails to attackers and put even those emails at risk that were sent in the past. Users are advised to stop using tools that decrypt PGP or S/MIME encrypted emails. Researchers say that for now, no reliable fixes are available for the vulnerability.

Sebastian Schinzel, a professor of computer security at Münster University of Applied Sciences, claimed that the latest issues affecting tools that use PGP and S/MIME impact not just new emails but also exposes the encrypted emails sent in the past. "There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now," Schinzel wrote in a tweet.

Schinzel, alongside his fellow security experts at Münster University of Applied Sciences as well as the researchers at Ruhr University Bochum and KKU Leuven, jointly published their research detailing the flaws. "We use CBC/CFB gadgets to inject malicious plaintext snippets into encrypted emails that abuse existing and standard-conforming backchannels, for example, in HTML, CSS, or x509 functionality, to exfiltrate the full plaintext after decryption. The attack works for emails even if they were collected long ago, and is triggered as soon as the recipient decrypts a single maliciously crafted email from the attacker. The attack has a large surface, since for each encrypted email sent to n recipients, there are n + 1 mail clients that are susceptible to our attack," the abstract of the research paper reads.

Electronic Frontier Foundation (EFF) in a separate blog post recommended users to immediately disable email tools that automatically decrypt PGP-encrypted email. "Our advice, which mirrors that of the researchers, is to immediately disable and/ or uninstall tools that automatically decrypt PGP-encrypted email," the EFF team said, adding, users should use alternative end-to-end secure channels, such as Signal, and temporarily stop sending and "especially reading" PGP-encrypted email. Furthermore, separate guides have been provided to disable PGP plugins in Thunderbird, Apple Mail, and Outlook.

Germany's Federal Office for Information Security (BSI) put out a statement saying there were risks that attackers could secure access to emails in plaintext once the recipient had decrypted them.

It added, however, that it considered the encryption standards themselves to be safe if correctly implemented and configured. Werner Koch of GnuPG, a popular provider of GPG encryption, said the vulnerability was not in the encryption protocols, but rather, in the email clients used to decrypt them. Specifically, if they handle MDC (modification detection code) errors correctly, Koch's colleague Robert J. Hansen said, and the above-named clients appear to be some of those that are vulnerable.

The use of PGP for secure communications has been advocated, among others, by Edward Snowden, who blew the whistle on pervasive electronic surveillance at the US National Security Agency before fleeing to Russia.

PGP, for example, works using an algorithm to generate a 'hash', or mathematical summary, of a user's name and other information. This is then encrypted with the sender's private 'key' and decrypted by the receiver using a separate public key.

To exploit the weakness, a hacker would need to have access to an email server or the mailbox of a recipient. In addition the mails would need to be in HTML format and have active links to external content to be vulnerable, the BSI said.

It advised users to disable the use of active content, such as HTML code and the loading of external content, and to secure their email servers against external access.

Written with inputs from Reuters

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Further reading: PGP, S MIME, email encryption, Email, Encryption
Gadgets 360 Staff
Gadgets 360 Staff
The resident bot. If you email me, a human will respond. More
Sony Audio Systems With Built-In DVD Players Launched in India, Prices Start at Rs. 31,990
Panasonic Lumix FT7 Rugged Camera With Dedicated EVF, 4K Video Recording Launched: Price, Specifications

Related Stories

PGP, S/MIME Encrypted Emails Can Be Revealed by Client Vulnerabilities, Researchers Say
Comment
Share on Facebook Gadgets360 Twitter Share Tweet Snapchat Share Reddit Comment google-newsGoogle News
 
 

Advertisement

Featured
Follow Us
Latest Videos
More Videos
Tech News in Hindi
More Technology News in Hindi

Advertisement

Popular on Gadgets
Latest Gadgets
Popular Mobile Brands
#Trending Stories
  1. OnePlus 11R Solar Red With 8GB RAM, 128GB Storage Debuts in India: See Price
  2. OTT Releases This Week: Rebel Moon Part 2, Article 370 and More
  3. Samsung Galaxy Z Flip 6 Reportedly Listed on Geekbench With This SoC
  4. Samsung Galaxy F15 5G Gets new 8GB RAM Variant in India: Price, Offers
  5. Xiaomi's HyperOS Is Now Coming to the Redmi Note 13 Series in India
  6. Nothing Phone 2 Gets NothingOS 2.5.5 Update With ChatGPT Integration
  7. Vivo V30e to Debut in India on This Date; Key Features, Colours Revealed
  8. Xiaomi 14 Series May Soon Get an 'AI Treasure Chest' With Several AI Tools
  9. Meta Claims Its Newly Launched Llama 3 AI Outperforms Gemini 1.5 Pro
#Latest Stories
  1. Xiaomi 14 Series 'AI Treasure Chest' With Several AI Tools in Testing, Could Debut This Year: Report
  2. Redmi Note 13 5G Series HyperOS Update Based on Android 14 Begins Rolling Out in India
  3. YouTube Reportedly Rolling Out Support for 8K Resolution Videos on the Meta Quest
  4. Lenovo Yoga Slim 7 (2024) Design Spotted in Leaked Renders; Could Debut as First Snapdragon X Elite Laptop
  5. Samsung Galaxy Z Flip 6 With Snapdragon 8 Gen 3 SoC for Galaxy Allegedly Surfaces on Geekbench
  6. Itel S24 India Launch Teased; Confirmed to Come With 108-Megapixel Main Camera, MediaTek Helio G91 SoC
  7. BWA Lays Down Self-Regulatory Guidelines on Token Listings for Indian Crypto Exchanges
  8. Samsung Galaxy F15 5G With 8GB RAM, 128GB Storage Launched in India: Price, Offers
  9. OnePlus 11R 5G Solar Red Variant With 8GB RAM, 128GB Storage Launched in India
  10. Adobe Express Mobile App With Firefly AI Is Now Available Globally
Gadgets 360 is available in
Follow Us
Download Our Apps
App Store App Store
Available in Hindi
App Store
© Copyright Red Pixels Ventures Limited 2024. All rights reserved.
Trending Products »
Latest Tech News »