
  • Jamie Hari

EFAIL: Critical Flaws Found in PGP and S/MIME

For some people and organizations that regularly send sensitive information via email, the standard layers of security (e.g. TLS) provided by email service providers are not sufficient. For decades, the two de facto standards for end-to-end encryption used around the world have been Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME). Today, security researchers have announced newly discovered vulnerabilities in these technologies.

The Vulnerabilities

"The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails. [...] To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago."

Mitigating the Issues

The researchers describe two methods which can mitigate these vulnerabilities until patches are released by software vendors:

  1. Disallow decryption of email directly within email clients. Since the exploits take advantage of the behaviour of email clients, remove the email client from the equation and only decrypt the contents of email in a separate application. It adds an extra step, but is the most effective way to neutralize this threat.

  2. Disable HTML rendering. The exploits typically rely on active content, such as rendered HTML, so disabling such features in favour of static plain-text content may mitigate many scenarios. This may not be a complete mitigation.
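
One way to apply the second mitigation in a mail-handling script, as an added example that is not from the researchers or the original article: the message is shown as plain text only, HTML parts are parsed but never rendered, and any remote URLs they reference are reported instead of fetched. The names plain_view and TextAndRefs, the attribute list and the sample message are assumptions made for this illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

# Attributes that can point an HTML renderer (or a click) at a remote URL.
URL_ATTRS = {"src", "href", "background", "action", "poster", "data"}

# Constructed sample message, not taken from the original page.
SAMPLE = """\
Subject: constructed sample
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Quarterly numbers attached.
--b1
Content-Type: text/html

<p>Quarterly numbers attached.</p><img src="http://tracker.example.invalid/pixel.png">
--b1--
"""

class TextAndRefs(HTMLParser):
    """Collect text nodes and remote URLs; nothing is rendered or fetched."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self.refs = [], []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and (value or "").lower().startswith(("http:", "https:", "//")):
                self.refs.append((tag, value))

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())

def plain_view(raw_message):
    """Return (text, remote_refs): text/plain preferred, HTML only tag-stripped."""
    msg = message_from_string(raw_message, policy=policy.default)
    plain, html = [], TextAndRefs()
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            plain.append(part.get_content().strip())
        elif part.get_content_type() == "text/html":
            html.feed(part.get_content())
    html.close()
    return "\n".join(plain or html.text), html.refs
```

Calling plain_view(SAMPLE) returns the plain-text body together with the one remote image reference found in the HTML alternative, which a reviewer can inspect without any network request being made.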

Further Reading

For more information, we suggest visiting the researchers' official website for the EFAIL threat: