‘Efail’ exploit exposes popular email encryption schemes

Latest news

    Although further details on the encryption flaws were expected to go public by May 15th, they have leaked early. The complete paper can be accessed here. Efail is a term which describes exploitable loopholes in end-to-end encryption services. The Electronic Frontier Foundation (EFF) recently claimed that the encryption bug posed “an immediate risk” to PGP and S/Mime users, and that even ancient messages buried deep inside elaborately named folders are in danger. Such a flaw might not be a cause for concern if your private data files consist of mundane salutations and dank memes, however, for those in the public sphere — journalists, activists, or politicians — who depend on encryption tools to shield confidential workplace messages, the protective barrier is gone.

    Efail attacks work by abusing the active content of HTML emails to access or ‘exfiltrate’ plaintext. The researchers explain that there are two main types: Direct exfiltration attacks (which target weak points in Apple Mail, iOS Mail and Mozilla Thunderbird) and CBC/CFB gadget attacks. It’s this variety that attackers use to ambush users of OpenPGP and S/Mime by sending a slightly modified S/Mime email to the victim’s address. By injecting malformed images or styling resources into encrypted plaintext, the attacker has a one in three chance of success at decoding the remainder of the target email.

    Prior to the leak, Schnizel stated that there were “no reliable fixes”, and recommended that affected users disable breached encryption software. The EFF echoed Schnizel’s instruction, and advised those affected to use Signal — a free end-to-end encryption software that’s compatible with both Android and iOS devices — until the issue has been rectified.

    View the original article: https://www.engadget.com/2018/05/14/efail-exposes-email-encryption/

    The Efail report lists additional steps users can take to reduce the likelihood of falling prey to encryption attacks — namely, decrypting S/Mime and PGP outside email clients in a separate application and disabling HTML rendering altogether. But the researchers cautioned that since attacks could become increasingly sophisticated in future, strategies which bolster OpenPGP and S/Mime standards are required for a long term fix.

    In the same category are

    Magic Leap’s lackluster AR demo proves hardware is still hard The next day, Magic Leap co-founder Rony Abrovitz went on Twitter to explain that the video was a teaching tool for the creator and developer communit...
    Amazon’s Part Finder helps you find those weird screws you need Amazon added the feature to its iOS app a couple of weeks back, it confirmed to TechCrunch, but didn't announce Part Finder or even mention it in the ...
    The Morning After: How Android stifles competition It's probably better just to wait for the battery to recharge.Zero motorcycle's modular battery is one pricey upgrade Electric motorcycles can be a t...
    Facebook can’t decide when a page should be banned Bickert was given an example by Rep. Gaetz (R-FL) about a page on Facebook called "Milkshakes Against the Republican Party," which he said had multipl...
    Wirecutter’s best Amazon Prime Day deals: the PM edition Mackie CR3 Street price: $100; deal price: $80 Although we've seen this set of speakers at an all time low of $70, that's a somewhat rare discount. C...

    Leave a comment

    Your email address will not be published. Required fields are marked *

    This site uses Akismet to reduce spam. Learn how your comment data is processed.