There's currently no fix for the critical flaws in PGP and S/MIME. Users are advised to disable PGP plug-ins and not to use decryption in email clients.

EFAIL … it is the reason you should stop using Pretty Good Privacy (PGP) plug-ins to decrypt your email, according to a group of researchers who discovered vulnerabilities that could be exploited to “reveal the plaintext of encrypted emails, including encrypted emails sent in the past.”

EFAIL is what the researchers call the critical flaws in PGP and S/MIME. Sebastian Schinzel, professor of computer security at the Münster University of Applied Sciences, warned, “There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now.”

The EFF confirmed the vulnerabilities before urging users to take action now:

Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.

The EFF released three how-to guides for temporarily disabling PGP plug-ins in Thunderbird with Enigmail, Apple Mail with GPGTools and Outlook with Gpg4win.
Robert Hansen of Enigmail called it a “tempest in a teapot,” adding that he wished “the EFF had reached out to us before running with an alarmist article.”

The researchers had not intended to fully release the details just yet, but the Süddeutsche Zeitung newspaper broke an embargo to publish the “scoop.” Shortly thereafter, the researchers made the EFAIL website live, as well as their research paper titled Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels (pdf).

How attackers exploit EFAIL

The European researchers, who devised “working attacks for both OpenPGP and S/MIME encryption,” wrote:

In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.

The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim’s email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.

Matthew Green, professor and all-around expert on cryptography, fired off a series of tweets about EFAIL. He called it an “extremely cool attack and kind of a masterpiece in exploiting bad crypto, combined with a whole lot of sloppiness on the part of mail client developers.”

The real news here is probably about S/MIME, which is actually used in corporate e-mail settings. Attacking and modifying encrypted email stored on servers could actually happen, so this is a big deal. 4/
— Matthew Green (@matthew_d_green) May 14, 2018

Green noted the debate over it being not a PGP issue but a mail client issue, before adding:

So let me just cut through some of that.
If you were using GnuPG on the command line and checking your error results, it’s absolutely true that you’re fine. If you’ve been using (one of several) GUI clients with PGP encryption, you were anything but fine. 7/
— Matthew Green (@matthew_d_green) May 14, 2018

How to prevent EFAIL attacks

As for mitigations, the researchers advised several strategies to prevent EFAIL attacks:

Short term: No decryption in email client. The best way to prevent EFAIL attacks is to only decrypt S/MIME or PGP emails in a separate application outside of your email client. Start by removing your S/MIME and PGP private keys from your email client, then decrypt incoming encrypted emails by copy&pasting the ciphertext into a separate application that does the decryption for you. That way, the email clients cannot open exfiltration channels. This is currently the safest option with the downside that the process gets more involved.

Short term: Disable HTML rendering. The EFAIL attacks abuse active content, mostly in the form of HTML images, styles, etc. Disabling the presentation of incoming HTML emails in your email client will close the most prominent way of attacking EFAIL. Note that there are other possible backchannels in email clients which are not related to HTML but these are more difficult to exploit.

Medium term: Patching. Some vendors will publish patches that either fix the EFAIL vulnerabilities or make them much harder to exploit.

Long term: Update OpenPGP and S/MIME standards. The EFAIL attacks exploit flaws and undefined behavior in the MIME, S/MIME, and OpenPGP standards. Therefore, the standards need to be updated, which will take some time.
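
The exfiltration channel and the "disable HTML rendering" mitigation described above, as an added example that is not from the article or the EFAIL researchers: a Python check that lists the URLs an HTML-rendering mail client would request automatically for a message, next to the plain-text body a client with HTML display disabled would show. It goes beyond images and styles to other auto-loading tags; the tag list, the tracker.example host and the sample message are constructed assumptions.

```python
import re
from email.message import EmailMessage
from html.parser import HTMLParser

# Tag -> attributes fetched with no click (assumed list; <a href> excluded).
AUTO_FETCH = {"img": ("src",), "link": ("href",), "iframe": ("src",),
              "embed": ("src",), "object": ("data",), "audio": ("src",),
              "video": ("src", "poster"), "body": ("background",)}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)
REMOTE = re.compile(r"(?:https?:)?//", re.I)  # absolute or protocol-relative

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            value = (value or "").strip()
            if name in AUTO_FETCH.get(tag, ()) and REMOTE.match(value):
                self.refs.append((tag, value))

def remote_refs(msg):
    """(tag, url) pairs that rendering the message's HTML parts would request."""
    refs = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_content()
            finder = RemoteRefFinder()
            finder.feed(html)
            finder.close()
            # CSS url(...) is matched on the raw text, so it may over-report.
            css = [("css", u) for u in CSS_URL.findall(html) if REMOTE.match(u)]
            refs += finder.refs + css
    return refs

def plain_text_only(msg):
    """Body as displayed by a client with HTML rendering disabled."""
    body = msg.get_body(("plain",))
    return body.get_content() if body is not None else ""

def sample_message():
    """Constructed sample, not a captured email."""
    m = EmailMessage()
    m.set_content("Quarterly numbers attached.")
    m.add_alternative('<style>p{background:url(//tracker.example/b.png)}</style>'
                      '<img src="http://tracker.example/p.gif"><img src="cid:logo">'
                      '<a href="https://example.org/">site</a>', subtype="html")
    return m
```

To run the check on a stored message, parse it with email.message_from_bytes(raw, policy=email.policy.default) and pass the result to remote_refs.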