Researchers find vulnerabilities in popular email encryption clients – a reason to react but not to panic

Researchers have disclosed a vulnerability in popular OpenPGP and S/MIME encryption clients and plug-ins which allows an active attacker to use an email client as a “decryption oracle” (see the “EFail” homepage or their scientifc publication). In other words, if the attacker is in the possession of an encrypted email, he can craft a new email and send it to the recipient of the decrypted email. If the email client used by this recipient is vulnerable, the email client will decrypt the encrypted email and use a (hidden) backchannel to send the now decrypted message back to the attacker.

There are different possibilities outlined in the scientific paper how backchannels can be realized, but the main problem is the automatic loading of external images and other content.. Most email clients have this disabled by default (e.g. recent versions of Outlook) because independent of this vulnerability these backchannels pose a big privacy risk.

There are a lot of lessons to be learned for security engineers from this vulnerability. It mainly combines known weaknesses with each other to create a serious new vulnerability previously not known. In case of OpenPGP, many problems also stem from issues related to backwards compatibility as the missing integrity check was identified as a weakness long ago. Therefore, message integrity was added in 2001. That valid integrity checks are still not mandatory in 2018, but missing integrity checks only generate warnings is part of the disclosed problem – and a prime example of the difficulty of handling backwards compatibility and that the standards should be updated to make authenticated encryption mandatory.

Email encryption is used for many sensitive tasks and hence companies and users who use email encryption should check out the homepage to see if their setup is vulnerable. However, the good news is that the researchers did a responsible disclosure thus fixes and updates are already out for several clients. It should also be noted that many setups were not vulnerable in the first place, such as the recent Outlook versions in the default setting.

The big warning to disable all PGP encryption immediately is not convincing to me and I think leads to a bit of an over-hype, I think. Outlook and Thunderbird with the most recent updates and remote content disabled (the default) should be safe enough (see twitter statement). The argument that the recipient might have an insecure system is also not convincing. If the recipient of the encrypted emails does not check his setup, the likelihood that your email is leaked to an attacker because of the recipient having a malware-infested system is likely higher do to the recipient having a maleware-infested system (yes, if your system is maleware infested an attacker can easily defeat PGP encryption”¦). Hence, the risk that your encrypted emails might be decrypted and stolen at the recipient side — , if he is not careful with IT security measures —, existed before. So if you use email encryption, check if your setup is not vulnerable. Simply using no encryption does not make the world safer”¦

EFail is a good example how different vulnerabilities can be combined to create a real threat. It also — once again — shows the big problem with backwards compatibility and should be a warning sign for those advocating mandatory backdoors in encryption system. So, a serious vulnerability, a good scientific job, but no reason to panic

There is also some discussion that this was over-hyped by the researchers. To a degree I agree that the vulnerability was a bit over-hyped at the time of disclosure, or rather at the day before the disclosure by the tweets of Sebastian Schinzel (found here).
Declaring all SMIME and OpenPGP email encryption setups as insecure and “unfixable” and recommending immediately disabling all plug-ins before providing details was a bit too much for this vulnerability in my opinion. It would have been more appropriate if they would have also posted a list of clients and setup that they tested as insecure and which were not found vulnerable (I still cannot find information regarding Thunderbird and Enigmail with the latest patches on the homepage). But in general, I think they did a good job with responsible disclosure by informing CERT, BSI and several important vendors well in advance. And the hype helped spread the news to those really vulnerable – activists and journalists in countries with human right violations.

There is also some blame-shifting if OpenPGP at large is at fault or only the clients. On Twitter you can find some opinion from Matthew Green regarding this here. And the official BSI statement can be found (in German) here and some guidelines in English here.

Addeded May 17th:

A nie article by Arstechnica can be found here, showing that blindly rushing to alternatives is not necessary better as signals and thema desktop also have issues. Hence, make sure that automated execution of HTML is disabled and an updated PGP client and you are still good to keep on using PGP email encryption. And I like Dan Goodin’s finale statement in the article: “No, none of these suggestions for securing encrypted communications is foolproof, and that”™s the biggest takeaway from the past three days”. But if you do not even try, you are sure to loose.