Encrypted Emails At Risk From Two New Attacks

15 May, 2018, 16:20 | Author: Cecelia Webb

Of Efail, the maintainers said that users "might be vulnerable if you're running an ancient version of GnuPG (the 1.0 series; the current is 2.2), or if your email plugin doesn't handle GnuPG's warning correctly".

"They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past", researchers said. In a post on Monday, he said his team was not contacted about the flaw and the attack could be mitigated by avoiding HTML emails or using authenticated encryption, which adds a layer of protection to confirm the message has not been changed.

German and Belgian researchers have warned of potential attacks that break email encryption using Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME) by coercing clients into sending the full plaintext of the emails to the attacker. "You are thus only affected if an attacker already has access to your emails". Then the emails are changed in a particular way and sent to a victim. This is then encrypted with the sender's private "key" and decrypted by the receiver using a separate public key. So, users guides for email clients Thunderbird, Apple Mail and Outlook.

"It's a lot of steps for sure, and one that honestly is more hypothetical than it is unsafe", Dave Kennedy, the chief executive at security company TrustedSec, said.

The researchers have published a paper on how encrypted emails can be turned into plaintext.

"Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email". The Electronic Frontier Foundation (EFF) recently claimed that the encryption bug posed "an immediate risk" to PGP and S/MIME users, and that even ancient messages buried deep inside elaborately named folders are in danger.




The flaw, codenamed EFAIL, allows an attacker, if exploited, to decrypt sent or received messages, according to the research team.

The flaw, as reported by the BBC, was discovered by Sebastian Schinzel, who was investigating the encryption protocol as part of his role at the Münster University of Applied Sciences.

Users should for now switch to non-e-mail-based secure messaging apps for sensitive communications.

"This is bad because the people who use PGP use it for a reason", he told the BBC.

In the future, patches should prevent this PGP flaw from being exploited. The PGP CFB gadget attack was assigned CVE-2017-17688, while the S/MIME CBC vulnerability was given CVE-2017-17689. Because the HTML rendering engine is enabled, the mail client is prompted to treat the message body as a URL, which it encodes and requests from the malicious actor's server, thereby leaking the message.
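As an added example (not from the article or the researchers), here is a small Python check that a mail gateway or triage script could run, tied to the mitigation of avoiding HTML emails: it flags messages that combine encrypted content with HTML that would make a remote request when rendered. The sample message, the host names and the function and constant names are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Attributes an HTML renderer may fetch without any user interaction.
URL_ATTRS = {"src", "background", "poster"}
REMOTE_PREFIXES = ("http://", "https://", "//")
ENCRYPTED_TYPES = {"application/pgp-encrypted", "application/pkcs7-mime",
                   "application/x-pkcs7-mime"}
PGP_ARMOR = "-----BEGIN PGP MESSAGE-----"

class RemoteRefFinder(HTMLParser):
    """Collects (tag, attribute, url) for every remote reference in an HTML body."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            url = (value or "").strip()
            if name in URL_ATTRS and url.lower().startswith(REMOTE_PREFIXES):
                self.refs.append((tag, name, url))

def audit_message(raw):
    """Report whether a message mixes encrypted content with remote-loading HTML."""
    msg = email.message_from_string(raw, policy=policy.default)
    encrypted, refs = False, []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "multipart/encrypted" or ctype in ENCRYPTED_TYPES:
            encrypted = True
        elif not part.is_multipart() and part.get_content_maintype() == "text":
            body = part.get_content()
            encrypted = encrypted or PGP_ARMOR in body  # inline PGP armor
            if ctype == "text/html":
                finder = RemoteRefFinder()
                finder.feed(body)
                finder.close()
                refs.extend(finder.refs)
    return {"encrypted": encrypted, "remote_refs": refs,
            "risky": encrypted and bool(refs)}

# Constructed sample: an HTML part with a remote image next to an inline PGP block.
SAMPLE = (
    "From: a@example.org\nTo: b@example.org\nSubject: constructed sample\n"
    'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="B"\n\n'
    '--B\nContent-Type: text/html\n\n<p>Hi</p><img src="http://remote.example/logo.png">\n'
    "--B\nContent-Type: text/plain\n\n-----BEGIN PGP MESSAGE-----\n"
    "(placeholder, not real ciphertext)\n-----END PGP MESSAGE-----\n--B--\n"
)
```

A message flagged as `risky` is one where rendering the HTML would contact a remote host from the same message that carries encrypted content; plain-text-only encrypted mail is not flagged.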
