Efail Is Not a Death Knell For Encrypted Email

The disclosure of a pair of vulnerabilities in the way that some email clients handle encrypted messages has again raised concerns about the way that secure email systems implement popular encryption protocols.

The vulnerabilities are known collectively as Efail and they can allow attackers to extract plaintext from encrypted emails under some very specific conditions. The bugs affect some clients that handle OpenPGP or S/MIME encrypted messages, including Mozilla Thunderbird, Apple Mail, iOS Mail, and many others. The team of researchers who discovered the flaws and developed the attacks to exploit them found a couple of methods to gain access to the plaintext of encrypted HTML messages by modifying the contents of the encrypted message and then sending the message to a victim.

But the major caveat with these attacks is that the attacker must first have access to the target’s encrypted emails. That would require the attacker either to have a man-in-the-middle position somewhere on the network to intercept the messages or to have compromised a system that stores the messages, such as the target’s endpoint or mail server.

"Being able to intercept and modify e-mails in transit is the sort of thing the NSA can do, but is hard for the average hacker. That being said, there are circumstances where someone can modify e-mails. I don't mean to minimize the seriousness of this attack, but that is a consideration," cryptographer Bruce Schneier said on his blog.

“In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs,” the explanation on the Efail site says.

“The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim's email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.”

The issues that the researchers exploit with these attacks, such as the problem with the way the OpenPGP protocol handles feedback, have been known for some time. Also, there are specific mitigations already in place in some mail clients and in the OpenPGP protocol that can prevent this attack from succeeding. Specifically, the use of Modification Detection Codes (MDC), which are warnings about the integrity of an encrypted message, will let users know that a message is not authenticated.

“This is at its heart a malleability attack on OpenPGP's cipher feedback mode. These attacks aren't new. The IETF OpenPGP Working Group first knew about them in 1999. By September 2000, GnuPG had a defense. The defense is called a Modification Detection Code, or MDC. Originally MDCs were optional. Today they're the default. The Efail attack requires an MDC either be missing or be invalid,” Robert J. Hansen, who works on the Enigmail encrypted email plugin for Thunderbird, wrote on Twitter Monday.

While the weaknesses are serious, researchers say that attacks exploiting them would be simple to detect and visible in a victim’s email archives.

“As an attacker, I could not care less about this technique. It's intellectually neat, but operationally stupid,” Dan Guido, a security researcher and CEO of Trail of Bits, said on Twitter.

In their paper, the researchers from Münster University of Applied Sciences, Ruhr University Bochum, and KU Leuven say that an attacker who wants to use their technique would need to manipulate the contents of an encrypted message in specific ways depending upon who the receiver is and what software the receiver uses. Those conditions also raise the degree of difficulty somewhat, though not to a prohibitive level.

“To decrypt the emails, he first manipulates their ciphertext by using appropriate malleability gadgets. In order to make these manipulations work, he may make informed guesses about the operating system, the email client and the encryption software the victim uses.

“He then sends the manipulated email to one of the original receivers, or to the original sender. He may hide this by choosing new FROM, DATE and SUBJECT fields, and he may hide the manipulated ciphertext by hiding it within an invisible iFrame. Thus the attack mail the victim receives looks unsuspicious,” the paper says.

For many users, the simplest way to mitigate the risk from these attacks is to disable support for incoming HTML email in their mail clients. The researchers also recommend that users not decrypt messages in their email clients, but rather copy and paste the ciphertext into an external application and decrypt it there.

The PGP protocol on which OpenPGP is built is nearly three decades old now, and it was not designed with modern use cases in mind. But Phil Zimmermann, the creator of PGP, said the security of the protocol is still sound and points out that the Efail attacks affect the implementation of the protocol in mail clients, not the protocol itself.

“It’s important to note it’s not an attack on PGP itself. The cryptography there is good. There are things in there that protect the integrity of messages,” Zimmermann said. “It has to do with the email clients that are processing the messages. Email is archival in nature and it’s saved forever. It’s not as ephemeral as secure text messages. But businesses still depend on email for records.”

The maintainers of GnuPG, an implementation of the OpenPGP standard, said on Monday that the software will warn users if a message doesn't have an MDC or if the MDC shows the message has been modified.

"In both cases, if your email client respects this warning and does the right thing -- namely, not showing you the email -- then you are completely protected from the Efail attack, as it's just a modern spin on something we started defending against almost twenty years ago," a statement from the maintainers says.
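
The malleability that Hansen describes and the fail-closed behaviour the GnuPG maintainers ask of mail clients can be seen in a few lines. This is an added example, not code from GnuPG or any mail client: it assumes HMAC-SHA256 as a stand-in for the block cipher, a simplified MDC (SHA-1 of the body only, where real OpenPGP also hashes a prefix and packet header), and hypothetical function names and sample values.

```python
import hashlib
import hmac

BLOCK = 16                        # bytes per block, as with AES
KEY = b"constructed-demo-key"     # constructed sample values
IV = bytes(BLOCK)
BODY = b"Meeting moved to 15:00, room 4."

def _block(key, prev):
    # Assumption: HMAC-SHA256 truncated to one block stands in for the
    # cipher's encrypt call; CFB never uses the decrypt direction.
    return hmac.new(key, prev, hashlib.sha256).digest()[:BLOCK]

def cfb_encrypt(key, iv, plaintext):
    out, prev = bytearray(), iv
    for i in range(0, len(plaintext), BLOCK):
        ct = bytes(p ^ k for p, k in zip(plaintext[i:i + BLOCK], _block(key, prev)))
        out += ct
        prev = ct                 # each ciphertext block feeds the next keystream
    return bytes(out)

def cfb_decrypt(key, iv, ciphertext):
    out, prev = bytearray(), iv
    for i in range(0, len(ciphertext), BLOCK):
        chunk = ciphertext[i:i + BLOCK]
        out += bytes(c ^ k for c, k in zip(chunk, _block(key, prev)))
        prev = chunk
    return bytes(out)

def seal_with_mdc(key, iv, body):
    # Simplified MDC: hash the body, append the digest, encrypt both.
    return cfb_encrypt(key, iv, body + hashlib.sha1(body).digest())

def open_checked(key, iv, ciphertext):
    """Return the body only if the MDC is present and valid, else None."""
    data = cfb_decrypt(key, iv, ciphertext)
    body, mdc = data[:-20], data[-20:]
    if len(data) < 20 or not hmac.compare_digest(hashlib.sha1(body).digest(), mdc):
        return None               # fail closed: nothing is handed to the renderer
    return body

def demo():
    sealed = seal_with_mdc(KEY, IV, BODY)
    tampered = bytearray(sealed)
    tampered[8] ^= 0x01           # one ciphertext bit changed in transit
    tampered = bytes(tampered)
    unchecked = cfb_decrypt(KEY, IV, tampered)[:-20]   # client that ignores the MDC
    return open_checked(KEY, IV, sealed), unchecked, open_checked(KEY, IV, tampered)
```

A client that skips the check ends up with a body whose first block differs by exactly the flipped bit, while `open_checked` returns nothing for the same input.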