Sunday, 27 May 2018
Latest news
Main » PGP and S/MIME decryptors can leak plaintext from emails, says infosec Professor

PGP and S/MIME decryptors can leak plaintext from emails, says infosec Professor

14 May 2018

PGP and S/MIME are said to have flaws that could be exploited to get access to any incoming or outgoing emails on platforms that use either of the two encryption tools.

'If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now'.

A modified encrypted email sent by the attacker to the victim is decrypted by their email client.

The full details of the flaw are set for release at 7am UTC on Tuesday, which is 3am on the United States eastern seaboard, midnight Pacific time, 5pm in Sydney, and 12:30pm in Mumbai. "There are now no reliable fixes for the vulnerability".

More news: Panchayat polls begin in West Bengal

The article then provides links to guides on how to temporally disable PGP plug-ins in Thunderbird with Enigmail, Apple Mail with GPGTools, and Outlook with Gpg4win.

Essentially, an attacker sends three parts - a partial HTML img tag declaration, a string of encrypted text, followed by the closing HTML for the image tag. On the other hand, S/MIME is used mainly in enterprise infrastructure.

Security researchers on May 14 announced a new set of vulnerabilities in the widely deployed S/MIME and OpenPGP email encryption technologies, dubbed Efail.

Professor Schinzel is a member of a research team consisting of a long list of respected security researchers, and which has been responsible for uncovering a number of cryptographic vulnerabilities.

More news: Woman kicked off flight sues United Airlines claiming racial discrimination

Germany's Federal Office for Information Security (BSI) said in a statement there were risks that attackers could secure access to emails in plaintext once the recipient had decrypted them.

It added, however, that it considered the encryption standards themselves to be safe if correctly implemented and configured.

UPDATE 2: Because some researchers started disclosing details about the vulnerability ahead of schedule, the efail.de website is now live, along with the research paper, both containing more info on the EFAIL vulnerability.

The encryption program PGP (Pretty Good Privacy) was seen as the gold standard for email encryption, and was developed in 1991.

More news: ICSE 10th Result 2018 declared at cisce.org, Pass Percentage 98.51

The use of PGP for secure communications has been advocated, among others, by Edward Snowden, who blew the whistle on pervasive electronic surveillance at the US National Security Agency before fleeing to Russian Federation. The Efail attacks rely on external communication and if a user is decrypting emails in a standalone application, the risks are somewhat muted.

PGP and S/MIME decryptors can leak plaintext from emails, says infosec Professor