What was supposed to be secure and private has now become exposed and public thanks to what security researchers call “EFAIL”. They have recently discovered vulnerabilities in PGP and S/MIME, two encryption schemes that are supposed to secure email content. This means that emails are no longer protected by end-to-end encryption and are subject to malicious attacks, which can lead to the compromise of business and private email accounts. Secure messages are now vulnerable, and users have to disable the very tools that are supposed to protect their content to dodge the bullet. So how can users protect their information and ensure that their email content doesn’t fall into the wrong hands? Read on to find out.
What Is EFAIL?
“EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs,” according to the security researchers who closely examined these vulnerabilities. The idea behind end-to-end encryption is to secure emails to the extent that attackers can’t read them even if they somehow get their hands on your account credentials. EFAIL achieves quite the opposite: attackers are able to read encrypted messages, and exfiltration of their plaintext is possible.
The problem was announced by Sebastian Schinzel of Münster University of Applied Sciences, who released a statement saying: “We’ll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past.”
What is PGP?
PGP is an encryption program that provides cryptographic privacy and authentication for data communication. It is used for signing, encrypting, and decrypting texts, emails, and files, and to increase the security of email communications. However, serious vulnerabilities have been detected in PGP, increasing the risk of leakage of “real secrets”. Robert Hansen disagrees, arguing that the vulnerability has nothing to do with glitches in PGP but rather with a lack of appropriate safeguards in email programs to begin with.
What Is S/MIME?
PGP was not the only encryption method affected; S/MIME had its fair share of these vulnerabilities. S/MIME is a standard for public key encryption and signing of MIME data, extensively used by businesses to secure email communications. The difference between PGP and S/MIME is that S/MIME relies on a trusted authority to distribute encryption keys instead of having users solely define their own encryption methods. This feature makes S/MIME susceptible to many forms of compromise.
How To Protect Yourself From EFAIL?
The Electronic Frontier Foundation (EFF) has advised people to disable PGP in their email until responsible parties patch the problem. The EFF also said that this solution is temporary, until the risk of exploitation is properly dealt with. “Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.”
The organization has also provided a detailed guide on how to disable PGP in Thunderbird with Enigmail, Apple Mail with GPGTools, and Outlook with Gpg4win. Researchers have disclosed that users of PGP email can disable HTML in their mail programs to stay safe from attacks; however, that would not entirely put an end to them.
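To make the "externally loaded images or styles" in the researchers' description concrete, the following added example (not from the original article or from the researchers) lists the references in a message's HTML parts that a mail client would fetch on render, and flags messages that also carry a PGP/MIME or S/MIME part. The function and constant names, the attribute list and the sample message are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from html.parser import HTMLParser

ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime"}
AUTO_LOADED = {"src", "background", "poster", "srcset", "data"}

class RemoteRefFinder(HTMLParser):
    """Collect (tag, attribute, value) for content fetched when HTML renders."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            v = (value or "").strip()
            remote = v.lower().startswith(("http://", "https://", "//"))
            fetched = name in AUTO_LOADED or (tag == "link" and name == "href")
            if fetched and remote:
                self.refs.append((tag, name, v))

def audit(raw: bytes) -> dict:
    """Flag messages that pair an encrypted part with remote-loading HTML."""
    msg = message_from_bytes(raw, policy=policy.default)
    encrypted, refs = False, []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ENCRYPTED_TYPES:
            encrypted = True
        elif ctype == "text/html":
            finder = RemoteRefFinder()
            finder.feed(part.get_content())
            finder.close()
            refs.extend(finder.refs)
    return {"encrypted": encrypted, "remote_refs": refs,
            "block_remote": encrypted and bool(refs)}

# Constructed sample message (not from the page); hostnames are placeholders.
SAMPLE = b"""\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<link rel="stylesheet" href="https://cdn.example/mail.css">
<img src="https://img.example/logo.png"><a href="https://example.org/">site</a>
--b1
Content-Type: application/pkcs7-mime; name="smime.p7m"

AAAA
--b1--
"""
```

Clickable links (`<a href>`) are deliberately not reported, since they are not fetched automatically when the message is displayed.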
PGP, S/MIME And Privacy
People use encryption methods like PGP and S/MIME for a reason, and having those two compromised leaves users’ information exposed and unprotected. At this point, it really doesn’t matter whether the problem traces back to a flaw in the PGP implementation or in the design of email programs; the violation of privacy must be mitigated as soon as possible. For the time being, users have to be extra careful with their forms of communication, as if they needed one more privacy-related concern to worry about in this already dangerous cyber world.