Welcome Stranger to OCC!Login | Register

Vulnerabilities Discovered in OpenPGP and S/MIME Email Encryption Systems

Category: General News
Posted: 09:45AM

If you use your email for sending sensitive information and want to protect it, the OpenPGP and S/MIME standards used for end-to-end encryption have been broken. Security researchers have discovered two means of getting the decrypted information out of the message, and all they require is a copy of the encrypted message. The first method will directly send the decrypted information to the attacker by exploiting how images are embedded into emails. By adding an HTML image tag at the beginning of the message, but failing to close the src attribute until after the message, the edited message can be sent to the original person to decrypt it. That person's email will do the decryption for the attacker and then send a request for the image, but the path contains the message in it, defeating both PGP and S/MIME standards. The other attack is more difficult but still works for compromising the security of the emails.

While this is definitely an issue, the researchers do list some mitigation strategies, including disabling HTML rendering for incoming messages. There are other methods that could be used to attack the information, but these backchannels are more difficult to exploit. Email client vendors can also publish patches to fix these and in the long term both OpenPGP and S/MIME standards could be updatd to prevent this from happening, though making such changes will take time. Another mitigation strategy is to not use the email client for decryption, but remove the private keys from it to then use a second application to decrypt the cipher text. This naturally prevents the email client from opening any of the channels to expose the decrypted information.

Source: EFAIL

Register as a member to subscribe comments.

© 2001-2018 Overclockers Club ® Privacy Policy
Elapsed: 0.1874170303   (xlweb1)