Encryption is a critical building block for online trust, but it’s never perfect. Any encryption you use is the product of many steps. Encryption methods have to be defined; protocols for implementation have to be specified; and then the protocols have to be implemented. Each step is handled by different people and potentially introduces vulnerabilities along the way. Even with the best lock design in the world, if someone builds the lock with variations in the design (either intentionally or accidentally), it might be easily picked.
When you own a broken lock, you have it fixed or use a different one – encryption is no different.
Yesterday (14 May 2018), the Internet security community was alerted to newly discovered vulnerabilities in the secure email ecosystem, dubbed “EFAIL”. EFAIL can make the content of emails encrypted with PGP and S/MIME readable to an attacker. While there are some fixes users and companies can make to mitigate EFAIL, cases like this underscore the importance of choice when it comes to secure communications.
How does the EFAIL attack work?
EFAIL abuses a combination of vulnerabilities in the OpenPGP and S/MIME specifications and the way that many email clients render remote content in email to allow an attacker to exfiltrate the plaintext of previously encrypted messages. Full details of the attack are available from the researchers and there are also some videos showing the exploit in action against Thunderbird and Mac Mail.
Some things to note about the attack:
- The attacker needs to have a copy of the encrypted message. This could be obtained by snooping on the traffic as it passes over the network, or by compromising email servers or email accounts, for example. On the one hand this means it is not trivial for an attacker to mount a successful attack using EFAIL. On the other hand, attackers with these capabilities are precisely what PGP and S/MIME are intended to protect against.
- The easiest way to exploit the EFAIL vulnerabilities is to abuse the automatic rendering of remote content in HTML email. Disabling this functionality in email clients therefore provides some protection against EFAIL.
- A successful attack requires the attacker to send a modified version of the encrypted email back to the victim, and for the victim to open that modified mail. Again, this sets a higher bar for a successful exploit and requires the attacker to reveal something about resources they control (the source of the modified email).
- Attackers with access to archives of encrypted mail could abuse EFAIL to exfiltrate plaintext, so emails sent many years ago are also vulnerable.
What can I do?
There are several actions you can take to mitigate your risk to the EFAIL vulnerability. Users should:
- Ensure that your chosen email client never automatically renders external content. This will mitigate some but not all of the EFAIL risk. (Allowing remote content in email is never a good idea anyway, as it is often used by spammers as a way to verify email addresses and marketing campaigns as a way to know that the user has opened the marketing communication sent to them.)
- Apply software updates to address the EFAIL vulnerability as soon as they are made available by email client vendors.
- In their alert about the issue, the Electronic Frontier Foundation advised that users of PGP email client plugins disable or uninstall them until this vulnerability has been completely addressed. This does not mean that users should stop using encryption for their email, but that they should be using tools other than their email client to decrypt mail or make sure that they are using a non-vulnerable email client in combination with the appropriate protocol (see the table on page 11 of the draft paper for details).
When one form of encryption is broken or a secure service is no longer secure, it’s vitally important that alternative protocols, algorithms and services are available. This ‘defense-in-depth’ approach provides redundancy in the event that one component or tool is shown to have failed. There are of course many alternatives to email that can provide strong end-to-end authenticated encryption for messaging. For example, applications such as Signal and Wire provide high-quality multimedia messaging with strong security guarantees.
The EFAIL vulnerability provides another demonstration of the fact that making secure messaging systems at Internet scale is incredibly hard to do. It is made harder in the case of email where any security solution has to be retrofitted to protocols and applications that initially had no protections built in. Arguments about providing ‘backdoors’ in Internet encryption protocols often make this point: it’s hard enough to ensure there are no accidental vulnerabilities without having to provide security guarantees about deliberate weaknesses.
Encryption should be the norm for Internet traffic. Reliable secure messaging systems are one piece of a trustworthy Internet infrastructure. Learn more about the Internet Society’s work on the issue of Internet encryption.
- How to Disable Loading of Remote Content & Images in Mail for Mac
- Outlook – Read Email Messages in Plain Text
*The EFAIL vulnerability was recently disclosed, as we learn more details about the vulnerability in the coming days, we will update the blog or follow up with a companion piece.