The Highly Sensitive Encrypted Email at Risk of Exposure

According to a paper published on Monday, a newly discovered vulnerability in email clients that use PGP and S/MIME to encrypt messages could be exploited to expose the plaintext of those messages.

The authors, a team of researchers from three European universities, show that by injecting malicious text snippets into encrypted messages, an attacker can use the flaw to make email clients leak decrypted copies of the emails.

The malicious action starts as soon as the recipient opens the email message, the researchers wrote. The team consists of researchers from the University of Applied Sciences and Ruhr University Bochum, both in Germany, and the University of Leuven in the Netherlands.

The flaw was found in 23 out of 23 S/MIME clients and 10 of the 28 PGP clients tested.

"While it is necessary to change the OpenPGP and S/MIME standards to correct the vulnerabilities, some clients suffer from more serious operational defects, which allow for clearer text feature," the researchers wrote.

Client ignores bad news

While the problem is serious, it is more about buggy clients than about OpenPGP itself, Stephen Moore, XBeam's chief trustee, told TechNewsWorld.

Phil Zimmermann, author of PGP and associate professor at Delft University of Technology in the Netherlands, noted that some email clients fail to use the core features of the encryption protocol that thwart the type of attack described by the researchers.

"There are some investigations going on at PGP," he told TechNewsWorld. "If the email client responds to the news that PGP has tampered with, everything will be alright. But if the client ignores that information, you will get this vulnerability."

Zimmerman said that fixing bugs in email clients using PGP is not a difficult task.

"I saw someone patch it up very quickly in a few hours," he said.

Nate Cardozo, chief staff advocate of the Electronic Frontier Foundation, said a fix addressing the flaws has been released for the Thunderbird email client, but not yet for Apple Mail.

"The patch does not close the vulnerability - it makes it impossible to exploit it on the client," he told TechNewsWorld.

"Emails sent from the client are still exploitable," Cardozo said. "It is the recipient of the folder, but it does not fix the vulnerability contained in the protocol, which remains."

He said that when this fundamental problem is fixed, the fix will probably not be compatible with previous versions.

Sensitive information threatened

Since only a small percentage of email users use a PGP or S/MIME client, the threat posed by the flaw is not severe for users as a whole, said Alexis Dorais-Joncas, leader of ESET's security intelligence team.

Out of more than 3 billion email users in the world, only one million use PGP mail, EFF's Cardozo estimates.

Previous messages are missing

The attack is made more dangerous by the ability to access previous emails.

"The victim's mail can be used as a tool to decrypt old emails sent or received to clients," Cardozo said. "It's too fast."

For users concerned about protecting PGP or S/MIME email clients, ESET's Dorais-Joncas recommended the following:

Stop using vulnerable email clients to decrypt email messages. Use a standalone application instead.
Disable HTML rendering and automatic loading of remote content in your email client. This will block the back-channel communication mechanisms the bug uses to exfiltrate data.
Watch for updates. Vendors are expected to issue patches that fix some of the defects detected by the researchers.
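
The second recommendation can be checked on stored mail. The Python code below is an example added here, not code from the article, the researchers or any email client: it flags a message that carries an encrypted part together with HTML that a rendering client would fetch from a remote URL. The function names, the MIME-type and tag/attribute lists and the sample message are assumptions made for the example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Assumed lists for this example, not taken from the article.
SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
AUTO_FETCH = {("img", "src"), ("iframe", "src"), ("script", "src"), ("embed", "src"),
              ("link", "href"), ("object", "data"), ("body", "background"),
              ("video", "poster"), ("audio", "src"), ("input", "src")}
REMOTE = re.compile(r"(?i)^\s*(https?:)?//")  # http://, https:// or //host

class RemoteRefFinder(HTMLParser):
    """Collects (tag, url) pairs that a renderer would fetch without a click."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in AUTO_FETCH and value and REMOTE.match(value):
                self.refs.append((tag, value.strip()))

def audit_message(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    encrypted, refs = False, []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "multipart/encrypted":            # PGP/MIME
            encrypted = True
        elif ctype in SMIME_TYPES:                    # S/MIME, unless only signed
            encrypted |= part.get_param("smime-type") != "signed-data"
        elif ctype == "text/plain":                   # inline PGP armor
            encrypted |= "-----BEGIN PGP MESSAGE-----" in part.get_content()
        elif ctype == "text/html":
            finder = RemoteRefFinder()
            finder.feed(part.get_content())
            refs += finder.refs
    return {"encrypted": encrypted, "remote_refs": refs,
            "risky": encrypted and bool(refs)}

# Constructed sample: an HTML part with a remote image next to an S/MIME part.
SAMPLE = (b'From: a@example.org\r\nTo: b@example.org\r\nMIME-Version: 1.0\r\n'
          b'Content-Type: multipart/mixed; boundary="B"\r\n\r\n'
          b'--B\r\nContent-Type: text/html\r\n\r\n'
          b'<p>hi</p><img src="http://collector.example/pixel.png">\r\n'
          b'--B\r\nContent-Type: application/pkcs7-mime; smime-type=enveloped-data\r\n'
          b'Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n--B--\r\n')

if __name__ == "__main__":
    print(audit_message(SAMPLE))
```

A message flagged as risky is one to open only with HTML rendering and remote content disabled, as the recommendation above describes.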

All email applications on this page support the OpenPGP standard directly or with additional software. The authors of this webpage are not actively involved in the development of each of these third-party applications. Security audits are not conducted by us and therefore, we cannot provide any security guarantee.

Many webmail providers support OpenPGP email encryption using Mailvelope. Mailvelope provides a list of supported webmail providers.

Unlike those in the previous section, the following email providers do not require a browser plugin to be installed; instead, they provide OpenPGP via JavaScript directly through their website. Although this is easy to set up and provides basic security guarantees with OpenPGP, some people do not consider it "end-to-end safe".