Disable email encryption tools immediately, say researchers who found ‘critical vulnerabilities’

In a paper published Monday, security experts outline two attacks that malicious parties could use to gain access to a target's entire inbox.


A group of security researchers has discovered “critical vulnerabilities” in the common email encryption tools PGP and S/MIME, prompting calls for users to disable email plugins until a fix is developed.

In a paper published Monday, the group outlined a proof-of-concept process for how attackers could exploit weaknesses in how email clients like Apple Mail, iOS Mail, and Mozilla Thunderbird manage HTML in messages.

“The attack works for emails even if they were collected long ago, and is triggered as soon as the recipient decrypts a single maliciously crafted email from the attacker,” the researchers wrote in a paper that dubs the exploits “Efail attacks.”

A successful attack could theoretically grant malicious parties access to the entire contents of a target’s inbox. The Electronic Frontier Foundation provided a simplified explanation of the two attack methods:

“The first attack is a ‘direct exfiltration’ attack that is caused by the details of how mail clients choose to display HTML to the user. The attacker crafts a message that includes the old encrypted message. The new message is constructed in such a way that the mail software displays the entire decrypted message—including the captured ciphertext—as unencrypted text. Then the email client’s HTML parser immediately sends or ‘exfiltrates’ the decrypted message to a server that the attacker controls.

The second attack abuses the underspecification of certain details in the OpenPGP standard to exfiltrate email contents to the attacker by modifying a previously captured ciphertext.”

PGP, which stands for “pretty good protection,” and S/MIME have long been standards for end-to-end email encryption. These tools help people like journalists and whistleblowers be reasonably sure that sensitive information is readable only by the sender and receiver. But today’s paper has raised debate in the cryptography community about the level of security these tools are able to provide, and what users should expect.

In the short term, the researchers and the Electronic Frontier Foundation (EFF) recommend that users disable PGP plugins and use non-email-based messaging platforms to decrypt messages until a long-term solution is developed.
