Critical PGP and S/MIME Bugs May Reveal Plaintext of Encrypted Emails

"They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past", researchers said.

Security experts are warning PGP users to disable tools that automatically decrypt PGP-encrypted email after the discovery of a critical vulnerability which could help attackers read protected emails. The Efail attacks do not give attackers a way to access a victim's email account; they target the encryption layer. Users of the affected software have been advised to disable it in their email clients immediately.

EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.
In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs.

Whilst most email is sent unencrypted, many businesses and people rely on S/MIME and PGP encrypted email communications to talk in private. It will be safer for users to switch to services like Signal, the messaging app backed by WhatsApp co-founder Brian Acton.

The researchers, who recommend not using the two encryption tools until they are fixed, are to publish more details on May 15.

"We describe novel attacks built upon a technique we call malleability gadgets to reveal the plaintext of encrypted emails", the researchers wrote. "We devise working attacks for both OpenPGP and S/MIME encryption, and show that exfiltration channels exist for 23 of the 35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email clients".

The foundation has created guides for disabling PGP in Outlook using Gpg4win, Thunderbird and Enigmail, and Apple Mail with GPGTools.

Attackers would then have to send the contents of that encrypted email back to its owner, the victim, in a carefully crafted way to make email clients think it's HTML. However, it's important to note that the PGP (Pretty Good Privacy) flaw isn't in the core protocol of PGP, reports the BBC.

The use of PGP, short for Pretty Good Privacy, for secure communications has been advocated, among others, by Edward Snowden, who blew the whistle on pervasive electronic surveillance at the U.S. National Security Agency before fleeing to the Russian Federation.

Professor Schinzel is a member of a research team that consists of a long list of respected security researchers and has been responsible for uncovering a number of cryptographic vulnerabilities.
