‘Efail’ exploit exposes popular email encryption schemes


    Although further details on the encryption flaws were expected to go public by May 15th, they have leaked early. The complete paper can be accessed here. Efail is a term describing exploitable loopholes in end-to-end encryption services. The Electronic Frontier Foundation (EFF) recently claimed that the encryption bug posed “an immediate risk” to PGP and S/MIME users, and that even ancient messages buried deep inside elaborately named folders are in danger. Such a flaw might not be a cause for concern if your private data files consist of mundane salutations and dank memes. However, for those in the public sphere — journalists, activists, or politicians — who depend on encryption tools to shield confidential workplace messages, the protective barrier is gone.

    Efail attacks work by abusing the active content of HTML emails to access or ‘exfiltrate’ plaintext. The researchers explain that there are two main types: direct exfiltration attacks (which target weak points in Apple Mail, iOS Mail and Mozilla Thunderbird) and CBC/CFB gadget attacks. It’s this second variety that attackers use to ambush users of OpenPGP and S/MIME by sending a slightly modified S/MIME email to the victim’s address. By injecting malformed images or styling resources into encrypted plaintext, the attacker has a one in three chance of success at decoding the remainder of the target email.

    Prior to the leak, Schinzel stated that there were “no reliable fixes”, and recommended that affected users disable breached encryption software. The EFF echoed Schinzel’s instruction, and advised those affected to use Signal — free end-to-end encryption software that’s compatible with both Android and iOS devices — until the issue has been rectified.

    View the original article: https://www.engadget.com/2018/05/14/efail-exposes-email-encryption/

    The Efail report lists additional steps users can take to reduce the likelihood of falling prey to encryption attacks — namely, decrypting S/MIME and PGP outside email clients in a separate application and disabling HTML rendering altogether. But the researchers cautioned that since attacks could become increasingly sophisticated in future, strategies which bolster the OpenPGP and S/MIME standards are required for a long-term fix.
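The paragraph above names disabling HTML rendering as a mitigation. As an added example (not from the original article or the Efail paper), the Python code below shows what that means in practice: it extracts only the visible text of an HTML mail part and lists the image and styling references that an HTML-rendering client would have fetched on its own. The class and function names, the attribute list and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
REMOTE = re.compile(r"(?i)\s*(?:https?:)?//")
CSS_URL = re.compile(r"(?i)url\(\s*['\"]?((?:https?:)?//[^'\")\s]+)")

class PassiveRenderer(HTMLParser):
    """Collect visible text; record, but never fetch, remote resources."""
    def __init__(self):
        super().__init__()
        self.text, self.remote, self.raw = [], [], None

    def handle_starttag(self, tag, attrs):
        self.raw = tag if tag in ("style", "script") else None
        for name, value in attrs:
            value = (value or "").strip()
            # Attributes a rendering client loads without any click.
            auto = name in ("src", "background", "poster") or (tag, name) == ("link", "href")
            if auto and REMOTE.match(value):
                self.remote.append((tag, value))
            if name == "style":
                self.remote += [(tag, u) for u in CSS_URL.findall(value)]

    def handle_endtag(self, tag):
        self.raw = None

    def handle_data(self, data):
        if self.raw == "style":  # stylesheet body: scan it, never show it
            self.remote += [("style", u) for u in CSS_URL.findall(data)]
        elif not self.raw and data.strip():
            self.text.append(data.strip())

def render_without_html(raw_message):
    """Return (plain_text, remote_refs) over all text/html parts."""
    parser = PassiveRenderer()
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            parser.feed(part.get_payload(decode=True).decode(charset, "replace"))
    parser.close()
    return "\n".join(parser.text), parser.remote

# Constructed sample message (hosts are placeholders, not real indicators).
SAMPLE = """Content-Type: text/html; charset="utf-8"

<html><body><p>Quarterly numbers attached.</p>
<img src="http://collector.example/pixel.png">
<link rel="stylesheet" href="//collector.example/s.css">
<p style="background:url(http://collector.example/bg)">Regards <a href="http://www.example.org/">site</a></p>
</body></html>
"""
```

Calling `render_without_html(SAMPLE)` returns the readable text plus three remote references; the ordinary hyperlink is not listed because it is only followed when the reader clicks it.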
