Encrypted Emails At Risk From Two New Attacks

Share

In a 21-page academic paper, the researchers from Munster University, Ruhr University Bochum and KU Leuven detail Efail, which could potentially enable an attacker to read emails that have been encrypted with the OpenPGP and S/MIME standards.

"The second attack abuses the underspecification of certain details in the OpenPGP standard to exfiltrate email contents to the attacker by modifying a previously captured ciphertext".

Google's Gmail isn't that much better, as it also uses PGP encryption, according to a Wired report from February 2018. Both methods require the attacker to get their hands on the emails they wish to decrypt beforehand, for example by eavesdropping on the victim's network.

The new critical vulnerability is dubbed as EFAIL, and the researchers say that there is no permanent fix available now.

The first vulnerability involves errors in how email programs process messages encrypted using PGP or S/MIME. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. By injecting malformed images or styling resources into encrypted plaintext, the attacker has a one in three chance of success at decoding the remainder of the target email. The Electronic Frontier Foundation echoed its warning in its memo and included guides for disabling email client plugins that use OpenPGP or S/MIME.

Professor Schinzel is a member of a research team consisting of a long list of respected security researchers, and which has been responsible for uncovering a number of cryptographic vulnerabilities. "There is a real attack that can be exploited by people that allows them to decrypt a lot of encrypted email".

The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. It also name dEnigmail for Thunderbird, GPGTools for Apple Mail and Gpg4win for Outlook as worthy of disablement, and offers instructions on how to do so. Some have criticized the researchers for teasing the vulnerability before publishing their full paper on it, while others have jumped straight to disabling PGP in their email clients.

Uganda Intensifies Ebola Screening At DRC Border Posts
Ebola is thought to be spread over long distances by fruit bats and is often transmitted to humans through contaminated bush meat. Congo's health ministry on Tuesday, May 8, described the fresh outbreak as a "public health emergency with global impact".

Open Mail and quit it through Mail Quit Mail.

In the Finder menu bar, select Go Go to Folder...

Trash the "GPGMail.mailbundle" file by either dragging it to the trash icon on the dock or by right-clicking it and selecting Move to Trash.

"You need to take action now", says Alan Woodward, a professor of computer science at the University of Surrey.

On the intro page, click Next.

Now, click Install button and then Finish.

Share