To Evolution

Researchers Have Found a Vulnerability in Two Popular Email Encryption Protocols

    Abdulaziz Sobh
    By Abdulaziz Sobh

    Categories: Technology

    0/5 stars (0 votes)


    European security researchers have found a new alarming vulnerability in the most common forms of email encryption. The attack, described in a report published Monday morning, allows bad actors to inject malicious code into intercepted emails, despite encryption protocols designed to protect against code injection. Implemented correctly, the malicious code could be used to steal all the content in the inbox of a destination. The vulnerability affects two of the most common email encryption protocols, PGP and S / MIME, although the degree of vulnerability depends to a large extent on the implementation of the protocol by the client. Several different clients are vulnerable, including Apple Mail, Mail App on iOS and Thunderbird. Notably, many currently available message authentication systems can effectively block the attack. If an email encrypted with these clients is intercepted in transit, an attacker could use the new vulnerability, modify the email and add malicious HTML code before sending it to the destination. When the target opens the new email, the malicious code could be used to send the plain text of the email. Many corporate servers still use S / MIME encryption, so the attack represents a significant risk to current systems. In practical terms, however, the lesson is this: there is no "theoretical vulnerability". There are vulnerabilities and exploitable vulnerabilities that have not yet been exploited. We need to build systems as we recognize it. 16/16 - Matthew Green (@matthew_d_green) May 14, 2018, The GNU Privacy Guard open source software wrote in a statement: "There are two ways to mitigate this attack: do not use HTML emails ... use authenticated encryption."Sebastian Schinzel, professor of Computer Security at the University of Applied Sciences in Münster, who co-wrote the document, warns on Twitter that "there are currently no reliable solutions for vulnerability." Recommend people to disable their encryption in their email client if they use PGP for sensitive communications. The Electronic Frontier Foundation calls these measures "a temporary and conservative measure" until the community, in general, solves the problems.