New encryption vulnerability means email is no longer secure

Just a heads up, if you buy something through our links, we may get a small share of the sale. It’s one of the ways we keep the lights on here. Click here for more.

Email has always been one of those things that just work, and we generally think very little of the encryption methods used. Many email clients use PGP (Pretty Good Protection) and S/MIME to secure the contents of an email, but researchers at Münster University of Applied Sciences have told German news outlet Süddeutschen Zeitun that that is no longer the case.

From Professor Sebastian Schinzel,

Email is no longer a secure communication medium.

PGP is considered the standard for email encryption and was first introduced way back in 1991. This new vulnerability allows hackers and attackers the ability to read encrypted HTML emails in plaintext files.

More from the report,

The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails. In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.

The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim’s email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.

Some people are saying this is an overreaction, but if you would like to be certain, the EFF has released guides on how to disable PGP encryption in Apple Mail, Outlook, and Thunderbird.

We will continue to monitor the story and update appropriately.

Josiah Motley

Former KnowTechie editor.