Do you encrypt emails before sending and think that they are safe? Well, think again! Though we don’t want to scare you, but a new vulnerability known as EFail has exposed that they are not! This was discovered by Researchers at Münster University of Applied Sciences. Well, you might be wondering how is it even possible. But we suggest if you are using OpenPGP or S/MIME for email encryption, you should swiftly find alternatives for secure end-to-end communication. Sebastian Schinzel, a co-author of the new study has conveyed that encrypted emails are no longer safe. To know more about this, read further.
What Is EFail?
EFAIL is the name given to a vulnerability that leaks plaintext of an encrypted email. Simply put, this breaks encryption layer that has been put on your emails. As “EFAIL abuses active content of HTML emails,” we are no longer in power.
To make this attack successful, hacker needs to send the modified encrypted Email to the victim. This multipart email message email has three parts:
- HTML Body which contains an HTML image tag. This tag is opened but not closed.
- The PGP or S/MIME ciphertext.
- The tag which was left open in the first point.
Now the victim’s email client processes the email and decrypts the second part of the body. Furthermore, it combines three parts together in one HTML email. This eventually decrypts the mail and sends it to the attacker.
In layman terms, the attacker gets your email which is encrypted. He tweaks the mail and sends it to the victim. Now, the client used by victim (Firefox, Outlook, etc.) decrypts it and transmits the plaintext to the hacker.
However, Vince Lombardo has conveyed that “this attack requires a high level of access to the victim’s computer.” If hacker has this much access to your system, then securing your emails should not be your priority.
As we all are using PGP for communication, our emails are at risk! A few might recommend that disabling HTML will be more than enough. No doubt, EFAIL abuses HTML and disabling it will close easiest way. But it is not optimal solution in the long run. Discarding HTML email will do nothing. You ask why? Because in PGP you send encrypted email, but it is encrypted only for sender and receiver. It has no role to play if the message is leaked by someone else with whom you’ve communicated intentionally or unintentionally.
What Should be Done to Stay Protected?
There are some strategies that you can use to secure email communication. They have been divided into three categories, let’s break them down so that you can understand easily!
Short Term Solution
No decryption in email client is said to be the best option if you are seeking solutions for short term. You can start by eliminating S/MIME and PGP private keys from email clients to send encrypted emails. For decryption, you must use separate application which is capable of producing plain text from cipher text. The only problem with this is that you need to be always involved and thus it is not feasible.
Medium Term Solution
An alternative that you can opt for is patching. A few vendors have come up with some patches that are making it harder for the attackers to implement EFail. But this won’t go on forever and at some point in time, the attackers will find a way to get through the patches as well.
Must Read : How to Stay Protected Online
Long Term Solution
The standards need to be updated. There is no way we can continue seamlessly after knowing about these. These flaws are embedded deeply into the behavior of PGP and S/MIME, and thus experts will have to come forward and patch them permanently.
Until there is a permanent solution, we can use the strategies given. What do you think?