Researchers Warn of a Vulnerability in Email Encryption Standards

Email encryption is supposed to make the content of your emails safer, but according to a team of nine academic researchers, two of the most widely used encryption standards might be doing the opposite.

In a tweet sent on May 14, 2018, Sebastian Schinzel, a professor of computer science at Germany’s Münster University of Applied Sciences, said his team was about to publish information about “critical vulnerabilities” in OpenPGP and S/MIME. OpenPGP is the most widely used email encryption standard in the world. S/MIME, meanwhile, is a public key encryption standard that is also often built into modern email software, especially in corporate networks.

Schinzel and his team of academic researchers have codenamed the vulnerability “EFAIL.” If exploited, the flaw would make it possible for a hacker to retrieve plaintext content from encrypted emails. The attacker could intercept an encrypted email, modify it with custom HTML, and use those HTML modifications to extract the plaintext content of the message. EFAIL applies to both sent and received emails.

Until the issue has been resolved, users are advised to disable both email plugins in their email clients. Disabling the plugins is especially necessary for users whose jobs involve sending sensitive or confidential information via email.

The Electronic Frontier Foundation (EFF), a non-profit data rights group that is helping Schinzel’s team get the word out about EFAIL has issued tutorials to help users disable OpenPGP and S/MIME until further notice. So far, the EFF has published guides for disabling the plugins in Thunderbird, Apple Mail, and Microsoft Outlook.

As the EFF has noted, disabling the plugins should not be a permanent step. In a statement, the foundation has stated that “these steps are intended as a temporary, conservative stopgap until the immediate risk of the exploit has passed and been mitigated against by the wider community.” Once the vulnerability is resolved, OpenPGP and S/MIME will make your emails safer and more secure. With the weakness in place, though, the encryption cannot offer any true protection and might jeopardize your communications more than not having it would.

For individuals who need to send sensitive information to a recipient over the internet, the EFF recommends using an instant messaging client that offers end-to-end encryption.

Ideally, fixes will be applied shortly to put OpenPGP and S/MIME back in play. Users who do change their email habits should keep an eye on the latest news about EFAIL to determine when it is safe to switch the plugins back on.