Researchers Warn Of Critical PGP And S/MIME Email Encryption Vulnerabilities

15 May, 2018, 13:14 | Author: Pamela Mathis
  • PSA: PGP and S/MIME are broken and leaking encrypted emails – stop using them right now

In addition to the HTML rendering issue, the EFAIL researchers also posted a more technical exploit of the S/MIME standard specification itself which affects twenty-something clients in addition to Apple's.

Short Term: Disable decryption of S/MIME or PGP emails in the email client.

The second component, referred to as the CBC/CFB gadget attack, potentially allows an attacker to send malformed data blocks that, when read by the target, would fool the email client into sending the unencrypted contents of the message to the attacker's server.

Security researchers have gone public with vulnerabilities in some secure mail apps that can be exploited by miscreants to decrypt intercepted PGP-encrypted messages.

In a paper published Monday, the group outlined a proof-of-concept process for how attackers could exploit weaknesses in how email clients like Apple Mail, iOS Mail, and Mozilla Thunderbird manage HTML in messages.

Professor Schinzel is a member of a research team consisting of a long list of respected security researchers, and which has been responsible for uncovering a number of cryptographic vulnerabilities.

"You need to take action now", says Alan Woodward, a professor of computer science at the University of Surrey.



"Securely encrypted e-mail remains an important and suitable means of increasing information security", it said in a statement, adding that the flaws which have been discovered can be remedied through patches and proper use. Within hours, the researchers published the paper, which is titled Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels.

"In response to that, they said that they did a simple rollback to the non-MDC encryption", he said.

The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. Koch, for instance, said that OpenPGP's message authentication that thwarts EFAIL (in place since 2001) can't be made mandatory because "some implementations haven't kept up".
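A defender-side check for the message authentication mentioned above, as an added example that is not part of the original article: it walks the top-level packets of a binary OpenPGP message (header layout per RFC 4880) and reports whether the encrypted data uses the integrity-protected packet type (tag 18, which carries the MDC) or the legacy type with no authentication (tag 9). The function names and sample bytes are constructed for illustration.

```python
# Added example: top-level OpenPGP packet walk (RFC 4880, section 4.2).
TAG_SED, TAG_SEIPD = 9, 18   # encrypted data without / with integrity protection

def read_header(buf, pos):
    """Return (tag, body_start, body_len); body_len is None if not definite."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                       # new-format header
        tag = first & 0x3F
        o1 = buf[pos + 1]
        if o1 < 192:                       # one-octet length
            return tag, pos + 2, o1
        if o1 < 224:                       # two-octet length
            return tag, pos + 3, ((o1 - 192) << 8) + buf[pos + 2] + 192
        if o1 == 255:                      # five-octet length
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        return tag, pos + 2, None          # partial body length
    tag = (first >> 2) & 0x0F              # old-format header
    ltype = first & 0x03
    if ltype == 3:
        return tag, pos + 1, None          # indeterminate length
    n = 1 << ltype                         # 1, 2 or 4 length octets
    return tag, pos + 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")

def integrity_status(message):
    """Classify a binary (de-armored) message by its encrypted-data packet."""
    pos = 0
    while pos < len(message):
        tag, start, length = read_header(message, pos)
        if tag == TAG_SEIPD:
            return "integrity-protected"
        if tag == TAG_SED:
            return "no-integrity"
        if length is None:
            raise ValueError("cannot skip a packet of unknown length")
        pos = start + length               # skip key packets (e.g. tag 1, tag 3)
    return "no-encrypted-data"

# Constructed sample messages (packet bodies are filler, not real ciphertext).
PKESK = bytes([0xC1, 3]) + b"\x03\x00\x00"              # new-format tag 1
WITH_MDC = PKESK + bytes([0xD2, 5]) + b"\x01" + b"\x00" * 4   # new-format tag 18
WITHOUT_MDC = PKESK + bytes([0xA4, 4]) + b"\x00" * 4    # old-format tag 9
```

A result of `integrity-protected` only shows that the sender included an MDC; the receiving client still has to refuse to display the message when that check fails.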

Security researchers are warning anyone who uses PGP (Pretty Good Privacy) or S/MIME for email encryption to disable the scheme in their email clients right away, and to uninstall tools that automatically decrypt PGP-encrypted email, due to a security flaw.

Another way would be to use authenticated encryption via tools such as OpenPGP, he argued.

But while that advice might be easier to implement for anyone who uses and configures their own PGP tools, it fails to address how secure webmail providers might address the flaws. And many corporate email services employ S/MIME.

The flaws, some of which have existed for more than a decade, are part of a series of vulnerabilities dubbed "Efail".
