Researchers warn PGP and S/MIME users of serious vulnerabilities

A professor at Münster University issued a warning on Sunday about serious vulnerabilities in PGP and S/MIME – two widely-used methods for encrypting email – which, if exploited, could reveal plain text communications.

The issue also impacts emails from the past.

“There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now,” said Sebastian Schinzel, a professor of computer security at Münster University of Applied Sciences.

“We’ll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past.”

The research into the PGP S/MIME vulnerabilities can be sourced to a number of familiar names listed by Schinzel on Sunday, including several who were behind the Drown research in 2016.

In addition to Münster University, the research also includes work from academics at KU Leuven University and Ruhr-University.

Exact details of the vulnerabilities are not public.

However, in order to reduce risk, the EFF has recommended that users of Enigmail on Thunderbird, GPGTools on Apple Mail, and Gpg4win on Outlook disable those applications until things are fixed.

“Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email,” the EFF wrote in a blog post.

The EFF has also posted guides on how to disable those clients.

This story is ongoing, so Salted Hash will follow-up with any additional developments as they happen.

[Note: This story has been updated several times since the original posting, due to new informaion and developing context. Please see below for details. -Steve]

Update:

Shortly after this story was published, Robert Hansen, who works on the user interface and user support for Enigmail, said that users of Enigmail shouldn’t “believe the hype” about the vulnerabilities.

“Speaking for Enigmail: don’t believe the hype. Don’t panic. Make sure you’re running the latest version of Enigmail. Yes, we have seen the paper. Out of deference to the paper authors, we will forego further comment until publication.”

Later, Hansen said the flaw can be completely mitigated “by watching for packets with missing or invalid MDCs and reacting appropriately. Most email clients already do this. If you’re one of them, you’re safe.”

Update 2:

Werner Koch, the principal author of GnuPG (GPG) said in a mailing-list post that the topic of the researcher’s paper is that “HTML is used as a back channel to create an oracle for modified encrypted mails.”

Koch goes on to say that it has long been known that HTML-based email and external links are evil if the Mail User Agents (MUAs) actually honors them.

“Due to broken MIME parsers a bunch of MUAs seem to concatenate decrypted HTML mime parts which makes it easy to plant such HTML snippets,” Kock wrote.

Assuming the mailing-list post is spot on, and HTML messages are indeed at the core of the issue surrounding the pending disclosure, Koch said that using authenticated encryption will mitigate the issue. Also, stopping the practice of using HTML mail will do the trick too. But if HTML-based email is required, then disallow external links and use a proper MIME parser.

In a related update, the GnuPG Twitter account posted some additional details in response to a discussion, outlining mostly the same premise:

“They figured out mail clients which don’t properly check for decryption errors and also follow links in HTML mails. So the vulnerability is in the mail clients and not in the protocols. In fact OpenPGP is immune if used correctly while S/MIME has no deployed mitigation.”

In response to that post, Sebastian Schinzel, asked the account to “please keep it quiet” — an apparent request to refrain from further discussion.

Update 3:

Since the original publication of this story a lot of things have happened.

After GnuPG’s twitter account started talking about the issue, Sebastian Schinzel considered the embargo broken and released the vulnerability details openly under the name EFAIL.

When you read the EFAIL paper, there are a few things that stand out. First, the disclosure process had some problems and that led to a lot of frightening statements. The EFF warned the public and urged people stop using – or uninstall fully – various PGP and S/MIME tools.

Many experts viewed the EFF’s stance as FUD, and this led to GnuPG and Enigmail staffers discussing the embargoed details ahead of release.

The overall problem is how MDC (Modification Detection Code) is treated by email clients. The EFAIL paper makes it clear that using HTML email clients with encrypted messages is a bad idea. Likewise, having email clients read the MDC warning from GnuPG but fail to take action unless the setting is enabled is also an issue.

ProtonMail, which is not impacted by EFAIL, sent a statement to Salted Hash discussing many of the same topics other experts are discussing.

“As the world’s largest encrypted email service based on PGP, we are disappointed that some organizations and publications have contributed to a narrative that suggests PGP is broken or that people should stop using PGP. This is not a safe recommendation,” the statement said.

“It’s important to highlight that eFail is not a new vulnerability in PGP and S/MIME. It has been known since 2001. The vulnerability exists in implementation errors in various PGP clients and not the protocol itself. What is newsworthy is that some clients that support PGP were not aware of this for 17 years and did not perform the appropriate mitigation. Users should be encouraged to use clients that are using secure implementations of PGP.”

Enigmail’s Robert Hansen said that the EFAIL researchers misnamed their paper, noting that the attack itself targets buggy clients. He also gave them credit for creating a solid list of said buggy clients.

“If you’re worried about the Efail attack, upgrade to the latest version of GnuPG and check with your email plugin vendor to see if they handle MDC errors correctly.  Most do,” Hansen wrote.

So, blame the email client, right?

Not really. Matthew Green, who teaches cryptography at Johns Hopkins University, sums it up succinctly.

“PGP clients are vulnerable because 17 years after a vulnerability was known, the mitigation was not made a default in GnuPG and defense was instead “left to PGP clients”, which also make a convenient scapegoat when it goes pear-shaped.”

Filippo Valsorda, a cryptographer at Google also had some insightful thoughts to share.

“No, in 2018 you don’t get to claim the high ground and blame users and implementations if your crypto API returns the plaintext on a decryption error,” Valsorda wrote.

“I really don’t get the community’s negative reaction. This is a perfect case study for proper AEADs, safe APIs, and against secure email in general.”

As mentioned, EFAIL is something most academics and cryptographers have known for about 17 years. So, it isn’t like the problem is a new one. However, it’s still a problem – just not a problem that will lead to the end of times.

The real concern, as Green pointed out, is S/MIME, which is used by private corporations and government entities across the globe.

“It’s an extremely cool attack and kind of a masterpiece in exploiting bad crypto, combined with a whole lot of sloppiness on the part of mail client developers,” Green explained.

“The real news here is probably about S/MIME, which is actually used in corporate e-mail settings. Attacking and modifying encrypted email stored on servers could actually happen, so this is a big deal.”

It isn’t clear where things go from here. However, this post to the GnuPG mailing-list has some interesting thoughts on the suggestion to change the default behavior of GnuPG to ensure that failure is fatal.

According to the EFAIL website the following email clients are vulnerable to exfiltration with no user interaction with PGP:

Outlook 2007 / GPG4Win (no longer supported); Postbox / Enigmail, eM Client; Thunderbird / Enigmail; Apple Mail / GPG Tools; Airmail / GPG Tools; R2Mail2; MailDroid / Flipdog; Roundcube / Enigmail; Horde IMP / GnuPG.

According to the EFAIL website the following email clients are vulnerable to exfiltration with no user interaction with S/MIME:

Outlook 2007 / 2010; Windows 10 Mail / Windows 10 Live Mail; Postbox; eM Client; IBM Notes; Thunderbird; Evolution; Torjitá; Apple Mail; MailMate; Airmail; iOS Mail; R2Mail2; MailDroid; Nine; Gmail

The following are vulnerable with some user interaction with S/MIME:

Outlook 2013 / Outlook 2016; The Bat!; KMail; Horde IMP

One final important note, as mentioned by the FAQ on the EFAIL website:

“The EFAIL attacks require the attacker to have access to your S/MIME or PGP encrypted emails. You are thus only affected if an attacker already has access to your emails. However, the very goal of PGP or S/MIME encryption is the protection against this kind of attacker.”

Update – May 24, 2018:

On Thursday, a core team of PGP developers, including Phil Zimmermann, the original creator of PGP, Enigmail, Mailvelope, and ProtonMail issued a statement regarding last week’s report.

“The EFF and many news outlets proclaimed there are ‘serious vulnerabilities in PGP’ and recommended that users disable PGP email encryption. These statements are highly misleading and potentially dangerous. PGP is not broken. The vulnerabilities identified by Efail are not flaws with the OpenPGP protocol itself but rather flaws in certain implementations of PGP, including in Apple Mail, Mozilla Thunderbird, and Microsoft Outlook. Many other commonly used software based upon PGP are not affected by the Efail vulnerability in any way, as the researchers themselves point out in their paper,” the statement says.

A full copy of the statement is avilable here, but the gist is that PGP is not broken, as we reported previously. The problem centers on the clients themselves.

More on encryption:

• 4 hot areas for encryption innovation
• 5 myths about data encryption
• The race for quantum-proof cryptography