Nobody wants snoops peeking at their emails. Unfortunately, the newly discovered “Efail” vulnerability could make that a possibility.
On Monday morning, the Electronic Frontier Foundation (EFF) reported that Efail is able to expose HTML emails encrypted with PGP and S/MIME encryption programs — even those that were sent years ago. These tools are commonly employed by journalists, politicians, and other users who require secure communication.
“In a nutshell, Efail abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs,” the researchers write.
“The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim’s email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.”
In other words, once hackers gain access to your emails, they can use the HTML tags in your emails to prompt mail clients to erroneously decrypt those emails in a way that hackers can access.
So, what should you do?
EFF’s recommendation: If you use PGP or S/MIME, disable them, and uninstall the tools that decrypt them.
The security community, however, has claimed these measures aren’t necessary.
ProtonMail, for example, claims that many data encryption and decryption services are already patched against Efail. ProtonMail itself has verified that it is not vulnerable to Efail.
Efail is a prime example of irresponsible disclosure. There is no responsibility in hyping the story to @EFF and mainstream media and getting an irresponsible recommendation published (disable PGP), ignoring the fact that many (Enigmail, etc) are already patched.
— ProtonMail (@ProtonMail) May 14, 2018
Dan Guido, CEO of security company Trail of Bits, claims that Efail should be very easy for clients and savvy users to detect.
Before anyone freaks out about “efail”, realize that using it would be:
1) extremely easy to detect
2) archived in your target’s email
As an attacker, I could not care less about this technique. It’s intellectually neat, but operationally stupid.https://t.co/ykJjwUBwHA
— Dan Guido (@dguido) May 14, 2018
But if you’re still worried, you can always opt for plain-text over HTML emails — or just use Signal like everyone else.