A team of security researchers has found serious flaws in how email clients handle PGP and S/MIME encrypted emails that could allow attackers to steal the contents of sensitive communications.
On May 13, the Electronic Frontier Foundation (EFF) published a blog post warning users to disable automatic decryption in their email clients after the organization was briefed privately by the researchers who found the issues.
“Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email,” the EFF said. “Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.”
The researchers planned to release their technical paper May 15, but the public interest generated by the EFF’s warning convinced them to push the disclosure forward and release it a day early. A website dedicated to the flaws, which have collectively been dubbed EFAIL, has been set up with a summary and answers to common questions.
The technical paper describes two methods in which attackers could trick email clients to disclose the content of PGP or S/MIME-encrypted emails after they’ve been decrypted.
“In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs,” the researchers said. “To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.”
This is a serious security breach because the main purpose of PGP or S/MIME encryption is to protect the contents of messages not only in transit but also while they’re at rest on email servers Users download the encrypted emails locally inside a software client on their device and then use their securely stored private key to decrypt their contents.
Email clients support S/MIME and PGP encryption natively or through plug-ins and also can be configured to decrypt emails automatically.
The researchers from Munster University of Applied Sciences, Ruhr University Bochum and KU Leuven claim that the EFAIL plaintext exfiltration methods work on 25 of 35 tested S/MIME email clients and on 10 of 28 tested OpenPGP email clients. This includes Thunderbird, Apple Mail and Microsoft Outlook (particularly for the S/MIME attack vectors).
In the short term, to mitigate the issues users can disable the rendering of HTML content in their email clients or can disable automatic decryption. It the latter case, they can decrypt messages by copying them to a separate software application that doesn’t have HTML rendering functionality, but this is not very user-friendly.
In the longer term, some of the affected email clients will probably receive patches to prevent this behavior, but the researchers also noted that the OpenPGP and S/MIME standards will need to be updated to address the undefined behavior.
The creators of GnuPG, the most widely used implementation of OpenPGP, did not agree that the encryption standard itself is at fault, at least as far as OpenPGP is concerned.
“It’s not an attack on OpenPGP,” they said in an official statement Monday. “It’s an attack on broken email clients that ignore GnuPG’s warnings and do silly things after being warned.”
According to them, GnuPG’s accounts for this weakness since almost 20 years ago when it added a Modification Detection Code (MDC) that should accompany messages. If this code is missing or has been modified, GnuPG issues a big warning message.
Email clients or plug-ins that rely on GnuPG decide how to handle these warnings. The normal behavior would be not to decrypt or display the messages in such situations, but it seems that some of them simply ignore the warnings.
“If you’re worried about the Efail attack, upgrade to the latest version of GnuPG and check with your email plugin vendor to see if they handle MDC errors correctly,” the GnuPG developers said. “Most do.”