Encrypted Email Has a Major, Divisive Flaw (wired.com)
An anonymous reader quotes a report from Wired: The ubiquitous email encryption schemes PGP and S/MIME are vulnerable to attack, according to a group of German and Belgian researchers who posted their findings on Monday. The weakness could allow a hacker to expose plaintext versions of encrypted messages -- a nightmare scenario for users who rely on encrypted email to protect their privacy, security, and safety. The weakness, dubbed eFail, emerges when an attacker who has already managed to intercept your encrypted emails manipulates how the message will process its HTML elements, like images and multimedia styling. When the recipient gets the altered message and their email client -- like Outlook or Apple Mail -- decrypts it, the email program will also load the external multimedia components through the maliciously altered channel, allowing the attacker to grab the plaintext of the message.
The eFail attack requires hackers to have a high level of access in the first place that, in itself, is difficult to achieve. They need to already be able to intercept encrypted messages, before they begin waylaying messages to alter them. PGP is a classic end-to-end encryption scheme that has been a go-to for secure consumer email since the late 1990s because of the free, open-source standard known as OpenPGP. But the whole point of doing the extra work to keep data encrypted from the time it leaves the sender to the time it displays for the receiver is to reduce the risk of access attacks -- even if someone can tap into your encrypted messages, the data will still be unreadable. eFail is an example of these secondary protections failing.
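The weakness summarized above depends on the mail client fetching external content while it renders the decrypted HTML. The following is an added example, not code from the Wired report or the researchers: a Python check that a client or gateway could run on a decrypted body before rendering it. The class and function names, the set of attributes checked, and the sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Attributes fetched automatically on display (<a href> needs a click, so it is excluded).
FETCH_ATTRS = {"src", "srcset", "background", "poster", "data"}
LOCAL_SCHEMES = ("cid:", "data:")  # resolved from inside the message, no network
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)

# Constructed sample of a decrypted HTML body (not taken from a real message).
SAMPLE_DECRYPTED = """<p>Meeting moved to 15:00.</p><img src="cid:logo@local">
<img src="http://remote.example/pixel.png">
<div style="background:url('https://remote.example/bg.png')">x</div>"""


class RemoteRefFinder(HTMLParser):
    """Collects every reference that would trigger a network request on render."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = []        # (tag, attribute, raw value)
        self._in_style = False

    def _note(self, tag, attr, value):
        value = value.strip()
        if value and not value.lower().startswith(LOCAL_SCHEMES):
            self.found.append((tag, attr, value))

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            if name in FETCH_ATTRS or (tag == "link" and name == "href"):
                self._note(tag, name, value or "")
            elif name == "style":
                for url in CSS_URL.findall(value or ""):
                    self._note(tag, "style", url)

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # CSS inside a <style> element
            for url in CSS_URL.findall(data):
                self._note("style", "css", url)


def remote_references(html):
    """Return every remote reference found; an empty list means nothing loads remotely."""
    finder = RemoteRefFinder()
    finder.feed(html)
    finder.close()
    return finder.found
```

A client that gets a non-empty list back can display the decrypted part as plain text instead of rendering it as HTML.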
Dupe (Score:1)
Same story still on the front page.
Slashdot has a major, repetitive flaw (Score:3)
(see title)
Re: (Score:2)
Here's an article about Slashdot's repetitive flaws...
https://it.slashdot.org/story/18/05/14/149222/attention-pgp-users-new-vulnerabilities-require-you-to-take-action-now
A silver lining? (Score:1)
Re: (Score:2)
No need. The morons making "modern" mailers just need to learn about the basics of security.
Re: (Score:3)
It is not a flaw in PGP/GnuPG. It is a flaw in the email software, or rather several flaws in combination. The combination seems to be widespread unfortunately.
Dupe (Score:2)
Is the flaw that Slashdot editors posted a duped story?
Re: (Score:2)
The stories were encrypted so the editor couldn't read their contents and tell they were dupes. The stories are proof of concept by themselves and only become readable once published on Slashdot with the help of the MIME hack.
HTML in email (Score:1)
was always a bad idea.
Dupe and Wrong (Score:5, Informative)
Old news and it's not PGP and S/MIME, but the mail clients that can use them: Thunderbird and Apple Mail and Outlook. Probably also affects clients using GPG. Or any other encryption scheme.
PGP is not broken. GPG is not broken. S/MIME is not broken. The flaw is in how mail clients display email. Admittedly, a lot of them have the same issue.
Re: (Score:3)
PGP is not broken. GPG is not broken. S/MIME is not broken. The flaw is in how mail clients display email.
I don't buy it. I mean, if there were just a mail client issue then why am I already flailing my arms and screaming?
;)
Re: (Score:2)
Because your name is Chick N. Little?