Uninstall or Disable PGP Tools, Security Researchers WarnExploitable Vulnerabilities Could Reveal Plaintext of Encrypted Emails
European computer security researchers say they have discovered vulnerabilities that relate to two techniques used to encrypt emails and data: PGP and S/MIME.
See Also: A Fresh Look at API Security
The vulnerabilities "might reveal the plaintext of encrypted emails, including encrypted emails sent in the past," the researchers warn. And until the flaws get resolved, they recommend that everyone disable any tools that decrypt PGP emails by default.
There is not yet a full fix for the problem, says Sebastian Schinzel, a professor of computer security at Germany's Münster University of Applied Sciences, who's part of the research team - together with researchers from Ruhr-University Bochum in Germany and KU Leuven University in Belgium - that has found the flaws. The researchers have dubbed the flaws efail.
"There are currently no reliable fixes for the vulnerability," Schinzel says via Twitter. "If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now." In particular, he's recommends temporarily disabling PGP/GPG in Outlook, Apple Mail and Thunderbird.
We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4— Sebastian Schinzel (@seecurity) May 14, 2018
PGP is short for Pretty Good Privacy, which was first released by Phil Zimmermann in 1991. He later created OpenPGP, an open source approach that is based on PGP and available via free software such as GPG, short for GNU Privacy Guard. Users can employ PGP-compatible email clients themselves, and many secure webmail clients also make use of PGP. Numerous email clients also support S/MIME - Secure/Multipurpose Internet Mail Extensions - for sending encrypted communications and digitally signing messages.
At Risk: S/MIME and OpenPGP Email
Full details of the implementation flaws were published on Monday in a research paper titled "Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels."
The researchers say their proof-of-concept attacks "for both OpenPGP and S/MIME encryption" could allow attackers to exfiltrate data "for 23 of the 35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email clients."
Vulnerable mail clients include the iOS mail app, native mail clients on Android, Outlook and IBM Notes running on Windows systems, Thunderbird on Linux, as well as online Exchange, according to the researchers. And affected webmail providers include FastMail, Gmail, GMX, Hushmail, iCloud Mail, Mail.ru, Mailbox.org, Outlook.com, Yahoo Mail, and Zoho Mail.
One secure email service, ProtonMail, which is named in the report, is not vulnerable to the Efail vulnerability.
"We would like to confirm that ProtonMail is not impacted by the Efail PGP vulnerability; the researchers themselves confirm this in their research paper" on page 11, spokeswoman Irina Marcopol tells Information Security Media Group.
"We also maintain openPGPjs, one of the world's most popular encryption libraries, which powers a large fraction of the PGP clients in existence today," she says. "Any service that uses our openPGPjs library is also safe as long the default settings aren't changed.
Encrypted email service provider Mailfence also says it is not vulnerable to the Efail flaws. "Mailfence is not impacted by the OpenPGP Efail vulnerability," the company says in a blog post. "Also, based on the mentioned issues in the technical paper, the OpenPGP protocol itself is safe to use, if you are not using it with a buggy email client."
'Take Action Now'
Security experts said the vulnerabilities would likely soon be targeted, and they recommended users follow Schinzel's advice immediately. Indeed, after any bug reports get published, attackers often begin exploiting the new flaws within hours.
"You need to take action now," says Alan Woodward, a professor of computer science at the University of Surrey.
PGP is awkward to use & to mess up but if you do rely upon it for your privacy & confidentiality you need to take action now https://t.co/siSbs1RjSp— Alan Woodward (@ProfWoodward) May 14, 2018
Mikko Hypponen, chief research officer at F-Secure, has called out researchers' warning that the flaws could be used to decrypt past messages.
This vulnerability might be used to decrypt the contents of encrypted emails sent in the past. Having used PGP since 1993, this sounds baaad. #efail— Mikko Hypponen (@mikko) May 14, 2018
Full details of the PGP and S/MIME implementation flaws were due to be released on Tuesday, when the researchers appear to have negotiated a coordinated vulnerability announcement with makers of vulnerable software.
But on Monday, Munich newspaper Süddeutsche Zeitung appeared to break that embargo. Shortly thereafter, the full research paper was released.
Attackers could automatically exploit the flaws by tricking victims' email clients. "In a nutshell, efail abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago," the researchers write.
"The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim's email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker."
Matthew Green, a professor of cryptography at Johns Hopkins University in Baltimore, has reviewed the researchers' work. "The result is really elegant," he tells Süddeutsche Zeitung.
Green already recommended not using PGP. In a 2014 blog post, Green wrote that "it's time for PGP to die," noting that it was time to build something much better. "Poking through an OpenPGP implementation is like visiting a museum of 1990s crypto," he warned.
In the wake of the new research, Green tells Süddeutsche Zeitung: "This is another bullet hole in an already perforated car."
Stop Sending/Reading PGP Emails
Süddeutsche Zeitung reports that although many of the affected vendors and software teams have had months to patch the flaws, they've run into challenges.
In the meantime, digital privacy rights group Electronic Frontier Foundation, which has reviewed the researchers' findings, confirmed that the bugs pose a risk to anyone using PGP and S/MIME and as a "temporary, conservative stopgap" recommends disabling any email plug-ins that automatically decrypt such messages.
"EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages," the organization says in a blog post.
"Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email," EFF says. "Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email."
Is Alert Overblown?
But some think the vulnerability warning is overblown. Werner Koch, a core components maintainer for GnuPG - a complete and free implementation of the OpenPGP standard - says he's seen a copy of the researchers' paper, with the names of all but one vulnerable mail user agent (MUA) redacted, notes that the flaws involve some HTML email clients' implementation of PGP.
Koch says the researchers found that HTML can be "used as a back channel to create an oracle for modified encrypted mails." In computer security, an oracle attack refers to an attackers being able to exploit a vulnerability to extract information from a target.
Koch says some MUAs' failure to block hidden HTML links are the problem.
"There are two ways to mitigate this attack," Koch writes in a Monday post to the GnuPG mailing list. "Don't use HTML mails. Or if you really need to read them use a proper MIME parser and disallow any access to external links." In addition, he writes, "use authenticated encryption."
But while that advice might be easier to implement for anyone who uses and configures their own PGP tools, it fails to address how the many different webmail providers, for starters, might handle these problems.
Some services that implement PGP, however, have emphasized that the problem isn't with the standard, but rather some implementations of it. "As the world's largest encrypted email service based on PGP, we are concerned that some organizations and publications have contributed to a narrative that suggests PGP is broken or that people should stop using PGP," ProtonMail's Marcopol says. "This is not a safe recommendation."
She adds that the Efail flaw has been a known PGP and S/MIME problem since 2001. "The vulnerability exists in implementation errors in various PGP clients and not the protocol itself. What is newsworthy is that some clients that support PGP were not aware of this for 17 years and did not perform the appropriate mitigation."
This story has been updated with comment from ProtonMail and Mailfence.