Critical Email Encryption Flaws Outlined

by Chris Brook on Monday May 14, 2018

Contact Us
Free Demo

A set of vulnerabilities dubbed "EFAIL" affect encryption standards like PGP and S/MIME and could reveal the plaintext of encrypted emails sent in the past.

A group of European researchers and professors on Sunday disclosed a series of vulnerabilities in PGP and S/MIME, internet standards used for delivering end-to-end encrypted emails, that theoretically could be exploited to decrypt the plaintext contents of emails sent in the past.

There are no patches or even reliable fixes for the vulnerabilities; in lieu of a fix the researchers are encouraging users to disable the standards if they're using them for encrypted email.

The research, which is being referred to as “EFAIL,” was slated for publication on Tuesday but similar to January's Meltdown and Spectre vulnerabilities, the hype around the embargo was too much to sustain. This prompted researchers to publish the full details of their paper, “Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels," (.PDF) Monday morning.

The underpinnings of the research stem from how email clients abuse active content, like externally loaded images or styles, in HTML emails. To exploit the flaws an attacker would first need to obtain encrypted email, either by eavesdropping on a network or by compromising an email account or server.

From there an attacker would have to change an email by adding embedded altered PGP or S/MIME cipher text and custom HTML and send it back to the victim. The recipient in turn would decrypt it, load external content, and trigger the exfiltration, one of two ways:

The first takes advantage of when the email software – Apple Mail, iOS Mail and Mozilla Thunderbird, etc. - displays the decrypted message as unencrypted. The client's HTML parser exfiltrates that message to a server the attacker controls.

The second is much more sophisticated and relies on using Cipher Block Chaining, or CBC, (in S/MIME) and Cipher Feedback Mode, or CFB (in in OpenPGP) gadgets to inject plaintext snippets into emails in order to exfiltrate data after decryption.

Blog Post

What is Email Encryption? Definition, Best Practices & More

As Matthew Green, a noted cryptographer and Assistant Professor of Computer Science at Johns Hopkins Information Security Institute, notes, the attack meets at the intersection of "bad crypto" and the "sloppiness" of mail client developers. In particular, he warns, the flaws could be exploited at a corporate email level, provided an attacker had access to stored emails.

Werner Koch, the author of GNU Privacy Guard, a.k.a. GPG, dismissed the research as “overblown” on Monday.

“The topic of that paper is that HTML is used as a back channel to create an oracle for modified encrypted mails. It is long known that HTML mails and in particular external links like <img href=""/> are evil if the MUA actually honors them,” Koch wrote in an email to the Gnupg-users mailing list.

“There are two ways to mitigate this attack
- Don't use HTML mails. Or if you really need to read them use a proper MIME parser and disallow any access to external links.
- Use authenticated encryption,” Koch continued.

Robert J. Hansen, an Enigmail developer and GnuPG volunteer issued a statement on behalf of the standard Monday morning, urging caution in how the paper is interpreted.

“You might be vulnerable if you're running an ancient version of GnuPG (the 1.0 series; the current is 2.2), or if your email plugin doesn't handle GnuPG's warning correctly,” Hansen wrote, “You might also have had some exposure in the past if back then you used a pre-2000 version of GnuPG, and/or an email plugin which didn't handle the warning correctly.

1. This paper is misnamed. It's not an attack on OpenPGP. It's an attack on broken email clients that ignore GnuPG's warnings and do silly things after being warned.
2. This attack targets buggy email clients. Correct use of the MDC completely prevents this attack. GnuPG has had MDC support since the summer of 2000.
3. The authors made a list of buggy email clients. It's worth looking over their list of email clients (found at the very end) to see if yours is vulnerable. But be careful, because it may not be accurate -- for example, Mailpile says they're not vulnerable, but the paper indicates Mailpile has some susceptibility. The authors have done the community a good service by cataloguing buggy email email clients. We're grateful to them for that. We do wish, though, this thing had been handled with a little less hype. A whole lot of people got scared, and over very little,” Hansen tweeted.

There are arguments on both sides of the coin when it comes to the flaws. As Hansen/GnuPG notes a user would have to essentially blown past GnuPG's MDC warnings to be exploited. Some experts questioned Monday whether email clients should really treat MDC failures as warnings, instead of errors.

MDC, or Modification Detection Code, is a cryptographic hash function introduced in 2000, designed to prove a message's integrity.

For what it's worth the authors of the paper, a group of academics from Münster University of Applied Sciences and Ruhr University Bochum in Germany, and KU Leuven in Belgium, called on PGP and S/MIME users to either disable encryption in their email clients or disable HTML rendering as a means to prevent active content abuse.

The second option, especially for the more security conscious, could be an especially fine option. As Claudio Guarnieri, a Senior Technologist at Amnesty International and Advisor at Citizen Lab notes, it could leave users less susceptible to phishing attacks.

The Electronic Frontier Foundation (EFF) echoed the researchers' sentiments and encouraged users to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email like Enigmail with Thunderbird, GPGTools with Apple Mail, and Gpg4win with Outlook.

ProtonMail, an end-to-end encrypted email service, took umbrage with the EFF's warning, calling it "overblown and disproportionate, and likely issued without fully understanding the issue," adding that the way the flaws were disclosed added insult to injury.

ProtonMail, for its part, said Monday it was not affected by the flaws. The end-to-end encrypted email software Tutanota and Canary Mail, an email app with PGP for Mac and iPhone, also acknowledged their services weren't affected. Enigmail, as Hansen notes, patched the issues months ago.

"If you're using a recent GnuPG and Enigmail 2.0 or later, you should be fine. If you're not, consider this an object lesson in the importance of upgrading your security-critical software," he tweeted.

Keys image via Ozzy Delaney's Flickr photostream, Creative Commons

Tags: Security News, Encryption

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.