[BreachExchange] Uninstall or Disable PGP Tools, Security Researchers Warn

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 14 20:02:18 EDT 2018


European computer security researchers say they have discovered
vulnerabilities that relate to two techniques used to encrypt emails and
data: PGP and S/MIME.

The vulnerabilities "might reveal the plaintext of encrypted emails,
including encrypted emails sent in the past," the researchers warn. And
until the flaws get resolved, they recommend that everyone disable any
tools that decrypt PGP emails by default.

There is not yet a full fix for the problem, says Sebastian Schinzel, a
professor of computer security at Germany's Münster University of Applied
Sciences, who's part of the research team - together with researchers from
Ruhr-University Bochum in Germany and KU Leuven University in Belgium -
that has found the flaws. The researchers have dubbed the flaws efail.

"There are currently no reliable fixes for the vulnerability," Schinzel
says via Twitter. "If you use PGP/GPG or S/MIME for very sensitive
communication, you should disable it in your email client for now." In
particular, he's recommends temporarily disabling PGP/GPG in Outlook, Apple
Mail and Thunderbird.

"We'll publish critical vulnerabilities in PGP/GPG and S/MIME email
encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of
encrypted emails, including encrypted emails sent in the past. #efail1/4"

— Sebastian Schinzel (@seecurity) May 14, 2018

PGP is short for Pretty Good Privacy, which was first released by Phil
Zimmermann in 1991. He later created OpenPGP, an open source approach that
is based on PGP and available via free software such as GPG, short for GNU
Privacy Guard. Users can employ PGP-compatible email clients themselves,
and many secure webmail clients also make use of PGP. Numerous email
clients also support S/MIME - Secure/Multipurpose Internet Mail Extensions
- for sending encrypted communications and digitally signing messages.

At Risk: S/MIME and OpenPGP Email

Full details of the implementation flaws were published on Monday in a
research paper titled "Efail: Breaking S/MIME and OpenPGP Email Encryption
using Exfiltration Channels."

The researchers say their proof-of-concept attacks "for both OpenPGP and
S/MIME encryption" could allow attackers to exfiltrate data "for 23 of the
35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email

Vulnerable mail clients include the iOS mail app, native mail clients on
Android, Outlook and IBM Notes running on Windows systems, Thunderbird on
Linux, as well as online Exchange, according to the researchers. And
affected webmail providers include FastMail, Gmail, GMX, Hushmail, iCloud
Mail, Mail.ru, Mailbox.org, Mailfence, Outlook.com, ProtonMail, Yahoo Mail,
and Zoho Mail.

'Take Action Now'

Security experts said the vulnerabilities would likely soon be targeted,
and they recommended users follow Schinzel's advice immediately. Indeed,
after any bug reports get published, attackers often begin exploiting the
new flaws within hours.

"You need to take action now," says Alan Woodward, a professor of computer
science at the University of Surrey.

"PGP is awkward to use & to mess up but if you do rely upon it for your
privacy & confidentiality you need to take action now

— Alan Woodward (@ProfWoodward) May 14, 2018

Mikko Hypponen, chief research officer at F-Secure, has called out
researchers' warning that the flaws could be used to decrypt past messages.

"This vulnerability might be used to decrypt the contents of encrypted
emails sent in the past. Having used PGP since 1993, this sounds baaad.

— Mikko Hypponen (@mikko) May 14, 2018

Two Vulnerabilities

Full details of the PGP and S/MIME implementation flaws were due to be
released on Tuesday, when the researchers appear to have negotiated a
coordinated vulnerability announcement with makers of vulnerable software.

But on Monday, Munich newspaper Süddeutsche Zeitung appeared to break that
embargo. Shortly thereafter, the full research paper was released.

Attackers could automatically exploit the flaws by tricking victims' email
clients. "In a nutshell, efail abuses active content of HTML emails, for
example externally loaded images or styles, to exfiltrate plaintext through
requested URLs. To create these exfiltration channels, the attacker first
needs access to the encrypted emails, for example, by eavesdropping on
network traffic, compromising email accounts, email servers, backup systems
or client computers. The emails could even have been collected years ago,"
the researchers write.

"The attacker changes an encrypted email in a particular way and sends this
changed encrypted email to the victim. The victim's email client decrypts
the email and loads any external content, thus exfiltrating the plaintext
to the attacker."

Matthew Green, a professor of cryptography at Johns Hopkins University in
Baltimore, has reviewed the researchers' work. "The result is really
elegant," he tells Süddeutsche Zeitung.

Green already recommended not using PGP. In a 2014 blog post, Green wrote
that "it's time for PGP to die," noting that it was time to build something
much better. "Poking through an OpenPGP implementation is like visiting a
museum of 1990s crypto," he warned.

In the wake of the new research, Green tells Süddeutsche Zeitung: "This is
another bullet hole in an already perforated car."

Stop Sending/Reading PGP Emails

Süddeutsche Zeitung reports that although many of the affected vendors and
software teams have had months to patch the flaws, they've run into

In the meantime, digital privacy rights group Electronic Frontier
Foundation, which has reviewed the researchers' findings, confirmed that
the bugs pose a risk to anyone using PGP and S/MIME and as a "temporary,
conservative stopgap" recommends disabling any email plug-ins that
automatically decrypt such messages.

"EFF has been in communication with the research team, and can confirm that
these vulnerabilities pose an immediate risk to those using these tools for
email communication, including the potential exposure of the contents of
past messages," the organization says in a blog post.

"Our advice, which mirrors that of the researchers, is to immediately
disable and/or uninstall tools that automatically decrypt PGP-encrypted
email," EFF says. "Until the flaws described in the paper are more widely
understood and fixed, users should arrange for the use of alternative
end-to-end secure channels, such as Signal, and temporarily stop sending
and especially reading PGP-encrypted email."

"There are some mitigations to #Efail, and not all email clients are
vulnerable, but it looks like the OpenPGP and S/MIME standards need a bit
of updating https://t.co/8XFzto2Ygr"

— Alan Woodward (@ProfWoodward) May 14, 2018

Is Alert Overblown?

But some think the vulnerability warning is overblown. Werner Koch, a core
components maintainer for GnuPG - a complete and free implementation of the
OpenPGP standard - says he's seen a copy of the researchers' paper, with
the names of all but one vulnerable mail user agent (MUA) redacted, notes
that the flaws involve some HTML email clients' implementation of PGP.

Koch says the researchers found that HTML can be "used as a back channel to
create an oracle for modified encrypted mails." In computer security, an
oracle attack refers to an attackers being able to exploit a vulnerability
to extract information from a target.

Koch says some MUAs' failure to block hidden HTML links are the problem.

"There are two ways to mitigate this attack," Koch writes in a Monday post
to the GnuPG mailing list. "Don't use HTML mails. Or if you really need to
read them use a proper MIME parser and disallow any access to external
links." In addition, he writes, "use authenticated encryption."

But while that advice might be easier to implement for anyone who uses and
configures their own PGP tools, it fails to address how the many different
webmail providers, for starters, might handle these problems.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180514/221a67a5/attachment.html>

More information about the BreachExchange mailing list