You are not logged in.

Full publication on EFAIL.de. In particular, page 11 of the PDF contains a list of clients that were tested, along with the results.
EFAIL describes vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME that leak the plaintext of encrypted emails.
Here are some strategies to prevent EFAIL attacks:
Short term: No decryption in email client. The best way to prevent EFAIL attacks is to only decrypt S/MIME or PGP emails in a separate application outside of your email client. Start by removing your S/MIME and PGP private keys from your email client, then decrypt incoming encrypted emails by copy&pasting the ciphertext into a separate application that does the decryption for you. That way, the email clients cannot open exfiltration channels. This is currently the safest option with the downside that the process gets more involved.
Short term: Disable HTML rendering. The EFAIL attacks abuse active content, mostly in the form of HTML images, styles, etc. Disabling the presentation of incoming HTML emails in your email client will close the most prominent way of attacking EFAIL. Note that there are other possible backchannels in email clients which are not related to HTML but these are more difficult to exploit.
I don't send HTML emails. Am I safe?
No. The attacker can change encrypted text/only emails to HTML emails. You need to disable viewing HTML email to increase protection from EFAIL attacks.I have disabled HTML in my email client. Am I safe now?
Depends. S/MIME or PGP encrypted emails are encrypted with the public keys of all recipients and the sender. The attacker can thus perform the EFAIL attacks if only one of the participants is vulnerable. In order to prevent the EFAIL attacks, all participants must use secure email clients.I have encrypted data using OpenPGP or S/MIME and I won't decrypt it in the email context. Am I safe?
For now yes. There may be edge cases though that we hadn't looked into. For example, if you encrypted a directory with sensitive files, an attacker could change these encrypted files to contain false information or even malware. If a victim decrypts the directory and opens any of the files, malware or even just an HTML file could be used to exfiltrate plaintext or even compromise the system.
I wonder if decrypting it to a non-executable folder would be prudent...
EDIT: I found this statement from the GnuPG and Gpg4Win developers. It asserts three points, which resonate some comments by users below, about the original release by EFAIL.de:
1. This paper is misnamed. It's not an attack on OpenPGP. It's an attack on broken email clients that ignore GnuPG's warnings and do silly things after being warned.
2. This attack targets buggy email clients. Correct use of the MDC completely prevents this attack. GnuPG has had MDC support since the summer of 2000.
3. The authors made a list of buggy email clients. It's worth looking over their list of email clients (found at the very end) to see if yours is vulnerable. But be careful, because it may not be accurate -- for example, Mailpile says they're not vulnerable, but the paper indicates Mailpile has some susceptibility.
The authors have done the community a good service by cataloguing buggy email email clients. We're grateful to them for that. We do wish, though, this thing had been handled with a little less hype. A whole lot of people got scared, and over very little.
In retrospect, for all the hype, I do wish that the overtone of some news articles were "check your email client," rather than "ditch PGP." In fact, that was part of the reason why I started this thread: to focus on preventable actions, because it is clear in the sources that the issue is only with certain clients.
Last edited by siva (2018-05-14 20:06:29)
Offline
wow! honestly, some people are really determined to find the security flaws in evvvverything these days. this isnt a value statement, im impressed that cpus and pgp and all our beloved (and relatively secure) tools appear so vulnerable right now.
its all relative and i just had someone give me an amused look because i was talking about rdma/remote rowhammer and they said "cmon, you live in ____ no ones going to rowhammer your router." well no! i didnt think so, but its still good to disable rdma (imo) if you dont need it. i mean its a feature for large data centres, afaik. (my guess is its probably disabled anyway.)
im glad we arent using windows. this latest one is a little close to home, i presume it isnt found in the wild yet? still at the research stage?
Last edited by figdev (2018-05-14 15:31:46)
Offline

@golinux -- I owe you an apology
I am confused. An apology for what? Nothing that I can think of . . .
Online

@figdev - I resonate the sentiment that it's imprudent to assume one will not be exploited at some point on a computer. It is a little disconcerting, but it's good that there are ways to mitigate it.
@golinux - suffice it to say the result of ignorance of an email infrastructure I was using.
Added a note at the top of the first post, for a list of email clients' vulnerability status.
Offline
This is the latest evidence that security is not at all an automatic thing (if we ever needed one more), and that FUD spreads faster than real news.
The article is really misleading, and the way it has been advertised is even more misleading. Please avoid to spread FUD: It's not PGP or OpenPGP to have been exploited, rather the uncanny behaviour of sending, receiving, and automatically visualising multipart emails containing external references (e.g., HTML tags which are interpreted by the MUA).
OpenPGP is *not* flawed: the MUAs which visualise external content without asking the user are flawed and broken. The usage of HTML emails is flawed and broken.
PGP/OpenPGP/GPG are *safe*. Please continue encrypting and signing your emails. Just use a *sane* client. If you can't use one, then just disable the automagic visualisation of HTML parts, and disable the references to external content.
Offline

Please avoid to spread FUD: It's not PGP or OpenPGP to have been exploited, rather the uncanny behaviour of sending, receiving, and automatically visualising multipart emails containing external references (e.g., HTML tags which are interpreted by the MUA).
@siva / @moderators: This thread's title really should be changed to reflect this!
Offline

The article is really misleading, and the way it has been advertised is even more misleading.
Since they're the ones who published the actual paper, it may be a good idea to tell them to stop spreading FUD.
It's not PGP or OpenPGP to have been exploited, rather the uncanny behaviour of sending, receiving, and automatically visualising multipart emails containing external references (e.g., HTML tags which are interpreted by the MUA).
I believe you. Can you help me understand how to interpret this segment of page 3 in the paper:
2.1 Cryptographic basics
In the email context, both S/MIME and PGP use hybrid encryption, in which the sender generates a random session key "s" that is used to symmetrically encrypt the message "m" into a cipher text "c."
The session key "s" is encrypted with at least two public keys using a public key encryption scheme. The first encryption of "s" happens with the public key of the sender. Additional encryptions are done using all the public keys of the intednded recievers. Thus, "s" will be encrypted under n+1 different public keys for "n" recipients of the email. Since our attacks exploit weaknesses in the symmetric encryption, we focus on the symmetric encryption part.
Offline
Since they're the ones who published the actual paper, it may be a good idea to tell them to stop spreading FUD.
I totally agree, and I was not referring to your article, rather to the original one.
I believe you. Can you help me understand how to interpret this segment of page 3 in the paper:
2.1 Cryptographic basics
In the email context, both S/MIME and PGP use hybrid encryption, in which the sender generates a random session key "s" that is used to symmetrically encrypt the message "m" into a cipher text "c."
The session key "s" is encrypted with at least two public keys using a public key encryption scheme. The first encryption of "s" happens with the public key of the sender. Additional encryptions are done using all the public keys of the intednded recievers. Thus, "s" will be encrypted under n+1 different public keys for "n" recipients of the email. Since our attacks exploit weaknesses in the symmetric encryption, we focus on the symmetric encryption part.
This part is irrelevant to the exploit, and is also factually wrong. Encrypting something with the *public* key of the sender makes *no sense at all*, since the only way to recover whatever is in there is by using the *private* key of the sender (<- this is the factual mistake in the text above). The session key is encrypted with the *private* key of the sender (so that the received can decrypt it using the *public* key of the sender, to guarantee that it comes indeed from the sender) and then with the *public* key of the receiver (so that the receiver can decrypt it with her *private* key, which guarantees that only the receiver can decrypt it if her private key has not been compromised).
Offline

I totally agree, and I was not referring to your article, rather to the original one.
The article in the original post? If so, they also published the paper as well.
This part is irrelevant to the exploit, and is also factually wrong.
Forgive me for finding this weird, because...
Since our attacks exploit weaknesses in the symmetric encryption, we focus on the symmetric encryption part.
So that would seem to be a key component of the attack.
If I'm reading your posts correctly, and I believe you, but I'm concerned that there would be irrelevant misinformation in the paper about this attack. I'll reach out to them and see if we can get clarification on some of these points.
Offline
Siva, please not that they say that the attack is based on the *symmetric* part of the encryption, not on the *asymmetric* part (that is the part that involved private and public keys). The factual error is in the description of how *asymmetric* encryption works in OpenPGP. And it is not relevant to the attack (and they say that in the article).
In general, publishing a paper does not mean publishing a truth. Especially if the paper had not been peer-reviewed yet (and this does not seem to have been peer reviewed yet, or at least not with proper attention)...
Offline

Alright, I understand what you're saying now. It sounded like you were implying the symmetric part of the attack was factually wrong, ie not part of the attack lol.
It is still in draft phase (0.9.0 at this time). We'll see if it changes at all.
Offline