Disable email encryption tools immediately, say researchers who found ‘critical vulnerabilities’
In a paper published Monday, security experts outline two attacks that malicious parties could use to gain access to a target's entire inbox.
A group of security researchers has discovered “critical vulnerabilities” in the common email encryption tools PGP and S/MIME, prompting calls for users to disable email plugins until a fix is developed.
In a paper published Monday, the group outlined a proof-of-concept process for how attackers could exploit weaknesses in how email clients like Apple Mail, iOS Mail, and Mozilla Thunderbird manage HTML in messages.
“The attack works for emails even if they were collected long ago, and is triggered as soon as the recipient decrypts a single maliciously crafted email from the attacker,” the researchers wrote in a paper that dubs the exploits “Efail attacks.”
A successful attack could theoretically grant malicious parties access to the entire contents of a target’s inbox. The Electronic Frontier Foundation provided a simplified explanation of the two attack methods:
“The first attack is a ‘direct exfiltration’ attack that is caused by the details of how mail clients choose to display HTML to the user. The attacker crafts a message that includes the old encrypted message. The new message is constructed in such a way that the mail software displays the entire decrypted message—including the captured ciphertext—as unencrypted text. Then the email client’s HTML parser immediately sends or ‘exfiltrates’ the decrypted message to a server that the attacker controls.
The second attack abuses the underspecification of certain details in the OpenPGP standard to exfiltrate email contents to the attacker by modifying a previously captured ciphertext.”
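A defender-side check for the message structure the EFF describes, in which a captured encrypted message is included inside a new message next to HTML content. This is an added example, not code from the researchers or the EFF; the content-type list, the `wrapped_ciphertext` helper and the sample message are constructed assumptions, and the check is a structural heuristic only.

```python
from email import message_from_string
from email.message import Message

# Content types treated as S/MIME or OpenPGP ciphertext (heuristic list).
ENCRYPTED_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime",
                   "application/pgp-encrypted", "multipart/encrypted"}
PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"

# Constructed sample: a ciphertext placeholder sitting beside an HTML part.
SUSPECT = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html

<p>constructed outer part</p>
--B
Content-Type: application/pkcs7-mime; smime-type=enveloped-data
Content-Transfer-Encoding: base64

AAAA
--B--
"""


def is_encrypted(part: Message) -> bool:
    """True if this MIME part looks like S/MIME or OpenPGP ciphertext."""
    if part.get_content_type() in ENCRYPTED_TYPES:
        return part.get_param("smime-type") != "signed-data"
    if part.is_multipart():
        return False
    return PGP_ARMOR in (part.get_payload(decode=True) or b"")


def wrapped_ciphertext(msg: Message) -> list[str]:
    """List multipart containers that hold ciphertext next to text/html."""
    findings = []
    for box in msg.walk():
        # Normally an encrypted mail has the ciphertext as its root structure.
        if not box.is_multipart() or box.get_content_type() == "multipart/encrypted":
            continue
        kids = box.get_payload()
        if (any(k.get_content_type() == "text/html" for k in kids)
                and any(is_encrypted(k) for k in kids)):
            findings.append(box.get_content_type())
    return findings


print(wrapped_ciphertext(message_from_string(SUSPECT)))
```

A mail gateway or client could run a check like this before decryption and quarantine or render as plain text any message it flags.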
PGP, which stands for “pretty good protection,” and S/MIME have long been standards for end-to-end email encryption. These tools help people like journalists and whistleblowers be reasonably sure that sensitive information is readable only by the sender and receiver. But today’s paper has raised debate in the cryptography community about the level of security these tools are able to provide, and what users should expect.
Our collective inability to design and deploy a useable secure email system at scale is one of the most embarrassing failures of the applied cryptography community. — matt blaze (@mattblaze) May 14, 2018
In practical terms, however, the lesson is this: there is no such thing as a ‘theoretical vulnerability’. There are exploitable vulnerabilities, and vulnerabilities that haven’t been exploited yet. We need to build systems like we recognize this. 16/16 — Matthew Green (@matthew_d_green) May 14, 2018
There's a major debate over the Efail vulnerabilities and whether they're exaggerated. Naysayers argue the plaintext exfiltration happens only if users do unsafe things like enable HTML mail and ignore error messages. Filippo makes an excellent counterargument. https://t.co/imqGcySuzd — Dan Goodin (@dangoodin001) May 14, 2018