Disable email encryption tools immediately, say researchers who found ‘critical vulnerabilities’

In a paper published Monday, security experts outline two attacks that malicious parties could use to gain access to a target's entire inbox.

A group of security researchers has discovered “critical vulnerabilities” in the common email encryption tools PGP and S/MIME, prompting calls for users to disable email plugins until a fix is developed.

In a paper published Monday, the group outlined a proof-of-concept process for how attackers could exploit weaknesses in how email clients like Apple Mail, iOS Mail, and Mozilla Thunderbird manage HTML in messages.

“The attack works for emails even if they were collected long ago, and is triggered as soon as the recipient decrypts a single maliciously crafted email from the attacker,” the researchers wrote in a paper that dubs the exploits “Efail attacks”.

A successful attack could theoretically grant malicious parties access to the entire contents of a target’s inbox. The Electronic Frontier Foundation provided a simplified explanation of the two attack methods:

“The first attack is a “direct exfiltration” attack that is caused by the details of how mail clients choose to display HTML to the user. The attacker crafts a message that includes the old encrypted message. The new message is constructed in such a way that the mail software displays the entire decrypted message—including the captured ciphertext—as unencrypted text. Then the email client’s HTML parser immediately sends or “exfiltrates” the decrypted message to a server that the attacker controls.

The second attack abuses the underspecification of certain details in the OpenPGP standard to exfiltrate email contents to the attacker by modifying a previously captured ciphertext.”
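The direct-exfiltration case the EFF describes depends on the mail client rendering HTML and letting that HTML fetch remote resources after decryption. As an added example, not code from the paper, the EFF, or this article, the Python below parses a MIME message and reports whether it contains an HTML part that references remote resources and whether that HTML sits in the same message as an encrypted part (PGP/MIME, S/MIME, or inline PGP). The two sample messages, their addresses and the hostname are constructed placeholders; the heuristic is the kind of check a gateway or client could use to decide that remote content must not be loaded for a given message.

```python
from __future__ import annotations

import email
import re
from email import policy

# Content types that mark an encrypted body (PGP/MIME and S/MIME).
ENCRYPTED_TYPES = {
    "multipart/encrypted",
    "application/pgp-encrypted",
    "application/pkcs7-mime",
}
INLINE_PGP_MARKER = "-----BEGIN PGP MESSAGE-----"

# Remote references an HTML renderer would fetch: src/href/background attributes
# and CSS url(...) values pointing at http(s) hosts.
ATTR_URL = re.compile(r"""(?:src|href|background)\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)
CSS_URL = re.compile(r"""url\(\s*["']?(https?://[^"')\s]+)""", re.I)

# Sample 1 (constructed): an ordinary PGP/MIME message with no HTML part.
SAMPLE_PGP_MIME = b"""\
From: alice@example.com
To: bob@example.com
Subject: constructed sample 1
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
placeholder-ciphertext-not-a-real-message
-----END PGP MESSAGE-----
--b1--
"""

# Sample 2 (constructed): an HTML part that loads a remote image, packaged in
# the same message as an encrypted part. A client should not render this with
# remote content loading enabled.
SAMPLE_HTML_BESIDE_ENCRYPTED = b"""\
From: mallory@example.com
To: bob@example.com
Subject: constructed sample 2
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset="utf-8"

<html><body><img src="https://tracker.example.invalid/pixel.png"><p>hello</p></body></html>
--outer
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="inner"

--inner
Content-Type: application/pgp-encrypted

Version: 1
--inner
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
placeholder-ciphertext-not-a-real-message
-----END PGP MESSAGE-----
--inner--
--outer--
"""


def remote_references(html: str) -> list[str]:
    """Return every remote URL the HTML would cause a renderer to fetch."""
    return ATTR_URL.findall(html) + CSS_URL.findall(html)


def assess(raw: bytes) -> dict:
    """Classify a raw RFC 5322 message by HTML remote-content risk."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    encrypted = False
    html_parts = 0
    remote: list[str] = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ENCRYPTED_TYPES:
            encrypted = True
        elif ctype == "text/plain" and INLINE_PGP_MARKER in part.get_content():
            encrypted = True  # inline (non-MIME) PGP in the body
        elif ctype == "text/html":
            html_parts += 1
            remote.extend(remote_references(part.get_content()))
    if remote and encrypted:
        verdict = "remote-content-beside-encrypted"
    elif remote:
        verdict = "remote-content"
    else:
        verdict = "no-remote-content"
    return {
        "encrypted": encrypted,
        "html_parts": html_parts,
        "remote_urls": remote,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, raw in (("sample 1", SAMPLE_PGP_MIME), ("sample 2", SAMPLE_HTML_BESIDE_ENCRYPTED)):
        print(name, assess(raw))
```

The useful property for a defender is that the check needs no decryption: the MIME structure alone says whether a message mixes HTML that fetches remote content with an encrypted part, which is exactly the combination a client should refuse to render with remote loading turned on. It is a heuristic, not a parser for every HTML form of remote reference, so it belongs alongside the configuration change the page recommends rather than in place of it.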

PGP, which stands for “pretty good protection,” and S/MIME have long been standards for end-to-end email encryption. These tools help people like journalists and whistleblowers be reasonably sure that sensitive information is readable only by the sender and the receiver. But today’s paper has raised debate in the cryptography community about the level of security these tools are able to provide, and what users should expect.

Our collective inability to design and deploy a useable secure email system at scale is one of the most embarrassing failures of the applied cryptography community.

— matt blaze (@mattblaze) May 14, 2018

In practical terms, however, the lesson is this: there is no such thing as a ‘theoretical vulnerability’. There are exploitable vulnerabilities, and vulnerabilities that haven’t been exploited yet. We need to build systems like we recognize this. 16/16

— Matthew Green (@matthew_d_green) May 14, 2018

There's a major debate over the Efail vulnerabilities and whether they're exaggerated. Naysayers argue the plaintext exfiltration happens only if users do unsafe things like enable HTML mail and ignore error messages. Filippo makes an excellent counter argument. https://t.co/imqGcySuzd

— Dan Goodin (@dangoodin001) May 14, 2018
