A team of academics says that, if exploited,
the vulnerabilities can reveal the plain text of encrypted emails, including
those sent years ago
The widely-used OpenPGP
and S/MIME
email encryption protocols suffer from weaknesses that may ultimately expose
the plain text of encrypted messages to attackers, according to a team of eight
academics from German and Belgian universities, who have nicknamed the flaws
“EFAIL”.
“In a nutshell, EFAIL abuses active content
of HTML emails, for example externally loaded images or styles, to exfiltrate
plain text through requested URLs,” the researchers wrote on efail.de, a newly-launched website
dedicated to their findings. The vulnerabilities come in two flavors and are
described in great detail in a technical paper
entitled “Efail: Breaking S/MIME and OpenPGP Email Encryption using
Exfiltration Channels”.
In order to exploit the weaknesses,
miscreants first need to access the end-to-end encrypted email message. This
means intercepting it in transit or stealing it, for instance, from a
compromised email account, client computer or backup system. Then, the
attackers need to alter the email by adding custom HTML code to it, and send
the manipulated email to the victim. The victim’s email client decrypts the email
and, given its HTML-rendering capability, it is tricked by the malicious code
into sending the full plain text of the emails to the attackers. Even messages
sent years ago are vulnerable.
The team also said that their
proof-of-concept exploit has been shown to be successful against 25 out of 35
tested S/MIME email clients and 10 out of 28 OpenPGP clients. The flaws affect
email applications such as Apple Mail with the GPGTools encryption plug-in,
Mozilla Thunderbird with the Enigmail plug-in, and Outlook with the Gpg4win
encryption package. The academics said that, in keeping with the principles of
responsible disclosure, they have reported their findings to email providers
concerned.
They also averred that there are no reliable
fixes for the vulnerability and recommended several short-, medium-, and
long-term mitigation
strategies. The short-term actions involve decrypting emails in a separate
application rather than in the email client, together with disabling the
rendering of remote content, such as HTML images or styles. As for medium- and
long-term fixes, respectively, the academics said that software holes need to
be patched and the standards need to be updated.
The Electronic Frontier Foundation (EFF), a
US-based digital rights group, had reviewed the researchers’ findings before
they were published. On Sunday, it released a series of tutorials in which it largely echoed the researchers’
advice – users should disable or uninstall PGP plugins in their email handlers
until the vulnerabilities are patched. Since the same flaws affect S/MIME,
which is common in enterprise email networks, EFF recommended that, “during this period of uncertainty”,
users should switch to alternative methods of secure communication.
Broken encryption, broken embargo
The research attracted a great deal of
publicity even before its results was published. This was after the
researchers initially released a “teaser”
to the effect that the flaws would be described in detail in a paper on
Tuesday. However, the embargo
was broken on Monday, prompting the researchers to go public with their
findings ahead of schedule.
Meanwhile, the findings have stirred some
controversy, in particular over how realistic the threat truly is. For example,
Robert J. Hansen of Enigmail dismissed the alarm bells as “a tempest in a teapot”.
In a similar vein, Werner Koch, the man
behind GNU Privacy Guard (GnuPG/GPG), which is an implementation of OpenPGP, called the warnings “overblown”.
In fact, according
to GnuPG, the problem lies elsewhere. “They figured out mail clients which
don’t properly check for decryption errors and also follow links in HTML mails.
So the vulnerability is in the mail clients and not in the protocols. In fact
OpenPGP is immune if used correctly while S/MIME has no deployed mitigation,”
GnuPG tweeted.
ProtonMail said in a statement
that its encrypted email service is not affected by the flaws and that, beyond
“one minor exception”, the vulnerabilities are not, in fact, present in PGP
itself. “What the authors of Efail did was catalogue a list of PGP clients that
have errors in their PGP implementation,” reads the statement. With that in
mind, the company recommended the use of secure PGP implementations.
Cryptographer and professor at Johns Hopkins
University Matthew Green said of the exploit that “[i]t’s an extremely cool
attack and kind of a masterpiece in exploiting bad crypto, combined with a
whole lot of sloppiness on the part of mail client developers.”
Cryptography expert Bruce Schneier weighed in by saying that “[t]he vulnerability isn’t with
PGP or S/MIME itself, but in the way they interact with modern e-mail
programs.”