Security researchers at the Electronic Frontier Foundation (EFF) have discovered a dangerous new email vulnerability called “Efail.” Exploiting this new email vulnerability would allow hackers to decrypt emails encrypted with either PGP or S/MIME – including emails that were sent several years earlier. Both of these encryption tools are commonly used by politicians, journalists and other professionals who need a secure means of electronic communication. Since the standards are so well established, they’re used widely and regarded as fool-proof. Sadly, that’s no longer the case.
EFF researchers had this to say about the newly discovered vulnerability:
“In a nutshell, Efail abuses active content of HTML emails (for example, externally loaded images or styles) to exfiltrate plaintext through requested URLs. The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim’s email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.”
In simpler terms, it’s about as bad as it could possibly get. Once a hacker has access to your email account, they can use the embedded HTML tags inside your mail to force your email system to decrypt those messages so the hackers can see exactly what they contain.
EFF’s recommendation is that if you rely on either PGP or S/MIME for email encryption, your best bet is to simply disable them, and uninstall the tool or tools used to decrypt those messages.
It should be noted however, that there are others in the security community who disagree with this assessment. A spokesman for ProtonMail tweeted out the following response:
“Efail is a prime example of irresponsible disclosure. There is no responsibility in hyping the store to @EFF and mainstream media and getting an irresponsible recommendation published (Disable PGP), ignoring the fact that many (Engimail, etc.) are already patched.”
Despite the divided opinion, if it’s something you’re concerned about, you can neatly side step the problem by simply opting for plain text messages, rather than using HTML-emails.