Encrypted Emails At Risk From Two New Attacks

15 May, 2018, 16:20 | Author: Cecelia Webb

Of Efail, the maintainers said that users "might be vulnerable if you're running an ancient version of GnuPG (the 1.0 series; the current is 2.2), or if your email plugin doesn't handle GnuPG's warning correctly".

"They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past", researchers said. In a post on Monday, he said his team was not contacted about the flaw and the attack could be mitigated by avoiding HTML emails or using authenticated encryption, which adds a layer of protection to confirm the message has not been changed.

German and Belgian researchers have warned of potential attacks that break email encryption using Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME) by coercing clients into sending the full plaintext of the emails to the attacker. "You are thus only affected if an attacker already has access to your emails". Then the emails are changed in a particular way and sent to a victim. This is then encrypted with the sender's private "key" and decrypted by the receiver using a separate public key. So, users guides for email clients Thunderbird, Apple Mail and Outlook.

"It's a lot of steps for sure, and one that honestly is more hypothetical than it is unsafe", Dave Kennedy, the chief executive at security company TrustedSec, said.

The researchers have published a paper on how encrypted emails can be turned into plaintext.

"Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email". The Electronic Frontier Foundation (EFF) recently claimed that the encryption bug posed "an immediate risk" to PGP and S/MIME users, and that even ancient messages buried deep inside elaborately named folders are in danger.




The flaw, codenamed EFAIL, allows an attacker, if exploited, to decrypt sent or received messages, according to the research team.

The flaw, as reported by the BBC, was discovered by Sebastian Schinzel, who was investigating the encryption protocol as part of his role at the Münster University of Applied Sciences.

Users should for now switch to non-e-mail-based secure messaging apps for sensitive communications.

"This is bad because the people who use PGP use it for a reason", he told the BBC.

In the future, patches should prevent this PGP flaw from being exploited. The PGP CFB gadget attack was assigned CVE-2017-17688, while the S/MIME CBC vulnerability was given CVE-2017-17689. Because the HTML rendering engine is enabled, the mail client treats the message body as a URL, encodes it and sends it in a query to the malicious actor's server, thereby leaking the message.
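The maintainers' remark above about email plugins handling GnuPG's warning correctly, shown as an added example that is not from the article or from any mail plugin: a fail-closed check over the machine-readable status lines gpg writes when run with `--status-fd`. The function names and the three sample outputs are constructed for illustration.

```python
# Added example: decide whether decrypted mail may be shown to the user,
# based on gpg's --status-fd output. Sample outputs below are constructed.
PREFIX = "[GNUPG:] "


def status_keywords(status_text):
    """Collect status keywords; human-readable warnings lack the prefix."""
    found = set()
    for line in status_text.splitlines():
        if line.startswith(PREFIX):
            fields = line[len(PREFIX):].split()
            if fields:
                found.add(fields[0])
    return found


def safe_to_display(status_text, exit_code):
    """Fail closed: return (ok, reason) and show plaintext only when ok."""
    kw = status_keywords(status_text)
    if "BADMDC" in kw:
        return False, "integrity check failed: ciphertext was modified"
    if "DECRYPTION_FAILED" in kw or exit_code != 0:
        return False, "gpg reported a decryption failure"
    if "DECRYPTION_OKAY" not in kw:
        return False, "no successful decryption reported"
    if "GOODMDC" not in kw:
        # Older gpg only warns here and still exits 0; treat it as an error.
        return False, "message was not integrity protected"
    return True, "decrypted and integrity verified"


VERIFIED = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 1526397600 msg.txt
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION"""

UNPROTECTED = """[GNUPG:] BEGIN_DECRYPTION
gpg: WARNING: message was not integrity protected
[GNUPG:] PLAINTEXT 62 1526397600 msg.txt
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION"""

TAMPERED = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 1526397600 msg.txt
[GNUPG:] BADMDC
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION"""
```

The `UNPROTECTED` case is the one a plugin must not wave through: decryption succeeds and the exit code is 0, so only the absence of `GOODMDC` signals that the plaintext cannot be trusted.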
