Serious Vulnerability In PGP And S/MIME E-Mail Encryption

in #security • 6 years ago (edited)

A group of European researchers posted a warning on Twitter that PGP/GPG and S/MIME email encryption contain a group of serious vulnerabilities that can reveal the content of past (encrypted) messages to an attacker.


The researchers had previously shared the details of the vulnerability with the Electronic Frontier Foundation, which confirmed that it is a serious threat.

As a first step, it is recommended to disable automatic decryption of messages, that is, to disable PGP/GPG encryption in mail clients (e.g., Enigmail in the Thunderbird client, GPGTools in Apple Mail, Gpg4win in Outlook).

The authors also published a description of the vulnerability. There are two methods.

  • The first method is direct exfiltration, where the attacker steals the contents of the encrypted message through an HTML image tag embedded in a specially crafted message.
  • The second method is the CBC/CFB gadget attack. It exploits a property of Cipher Block Chaining encryption. The attack assumes that the attacker knows at least one full block of plaintext, which is not a problem in this case, since S/MIME encrypted emails usually begin with "Content-type: multipart/signed".
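Why one known plaintext block is enough in CBC, and how an integrity check catches the change, as an added example (not code from the original post or from the Efail researchers). It assumes a small Feistel construction as a stand-in for the real block cipher so that it runs with the Python standard library only; the keys, IV and replacement block are constructed values, and the HMAC check is one illustrative form of integrity protection, not the fix adopted by any standard.

```python
import hashlib, hmac

BLOCK = 16  # bytes per block, as with AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):  # Feistel round function
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def encrypt_block(key, b):  # stand-in cipher (assumption), not for real use
    l, r = b[:8], b[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def decrypt_block(key, b):
    l, r = b[:8], b[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):  # pt must be block-aligned; padding omitted
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = encrypt_block(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += xor(decrypt_block(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def rewrite_first_block(iv, known, wanted):
    # P0 = D(C0) xor IV, so IV xor known xor wanted decrypts block 0 to `wanted`
    return xor(xor(iv, known), wanted)

def open_sealed(enc_key, mac_key, iv, ct, tag):
    # Encrypt-then-MAC check: verify before decrypting, reject any modification
    good = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("integrity check failed")
    return cbc_decrypt(enc_key, iv, ct)

# Constructed sample values
ENC_KEY, MAC_KEY, IV = b"E" * 16, b"M" * 16, bytes(range(16))
MSG = b"Content-type: multipart/signed\r\n"
CT = cbc_encrypt(ENC_KEY, IV, MSG)
TAG = hmac.new(MAC_KEY, IV + CT, hashlib.sha256).digest()
BAD_IV = rewrite_first_block(IV, MSG[:BLOCK], b"REWRITTEN-BLOCK!")
```

Plain `cbc_decrypt` with `BAD_IV` returns a message whose first block has been replaced without any knowledge of the key, while `open_sealed` refuses the same input because the tag no longer matches.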


As mentioned, the short-term solution is to disable encryption in the mail client and disable the HTML viewer; the long-term solution will require installing the appropriate updates (when available) and updating the OpenPGP and S/MIME standards.

More details:
PSA: PGP and S/MIME email clients may leak encrypted emails
Attention PGP Users: New Vulnerabilities Require You To Take Action
Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels - full technical report


Enjoy the rest of the day!
@seckorama


Thank you for sharing!
Most vulnerabilities seem to be fixed in Thunderbird 52.7; nevertheless, it will need 52.8 to fix every vuln.
As you mentioned, it is important to disable HTML and show emails only in plain text.
At the moment the best practice seems to be to decrypt encrypted mails outside of the mail client - like in the CLI of GPG or so

Yes, you're right. No HTML, and decrypt outside the mail client.

Thanks for making me aware of this. It is hard to keep on top of security as technology continues to grow! I love your artwork by the way too!

Thank you, glad you like my artworks, too :)

Very good article @sckorama, you are right in many things. You have incredible talent and ability on the computer. God bless you.

Thank you :)
