Security researchers have found vulnerabilities in some of the email encryption software. The newly found vulnerability has the potential to reveal encrypted emails in plaintext, including emails sent in the past.
“Email is no longer a secure communication medium,” Sebastian Schinzel, a professor of computer security at Germany’s Münster University of Applied Sciences, told the German news outlet Süddeutschen Zeitung.
More specifically, the vulnerability has been discovered in the PGP or S/MIME software for email encryption. Users of the said software have been advised to immediately disable it in email clients. The email encryption vulnerability was first reported by the Electronic Frontier Foundation (EFF) on Monday.
The new critical vulnerability is dubbed as EFAIL, and the researchers say that there is no permanent fix available currently. According to the European researchers, “EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs.”
According to the researchers, users, for the time being, should stay away from plugins for email clients like Microsoft Outlook and Apple Mail as these services automatically encrypt and decrypt emails. It will be safer for the users to switch to services like Signal, the massaging app backed by WhatsApp co-founder Brian Acton.
As of now, there are not many details available on the latest vulnerability, but more information is expected to be shared by the researchers soon. EFF, the world’s biggest digital rights group, which has seen the details, says that such a vulnerability is an “immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.”
EFF also advises users to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted emails, and switch to safer tools until the issue is resolved. Users are advised to disable the following email encryption add-ons: Gpg4win for Outlook, Enigmail for Thunderbird and GPGTools for Apple Mail. To help users, the organization has even posted guides on how to disable PGP in Thunderbird, Outlook and Apple Mail.
Though researchers are warning users of the seriousness of the vulnerability, many believe it is being hyped too much. According to Werner Koch, principal author of GNU Privacy Guard, users can protect themselves in two ways, one is by not using the HTML emails, and the other is to use authenticated encryption.
In a tweet, Koch said the vulnerability is primarily in the email clients and not in the protocols. “In fact OpenPGP is immune if used correctly while S/MIME has no deployed mitigation,” the expert said.
The encryption program PGP (Pretty Good Privacy) was seen as the gold standard for email encryption, and was developed in 1991. The importance of email encryption went mainstream after whistleblower Edward Snowden revealed the extent of the U.S. government’s electronic surveillance in 2013.
In separate news, the researchers have come up with a new technology that could make hacking impossible. In today’s world of the Internet of Things (IoT), more and more devices are connected to each other and this poses a great cybersecurity risk. Even a single vulnerability can leave many others vulnerable, allowing hackers to control and manipulate several nodes in a network.
However, to address this risk, experts have come up with a chip that uses ionic memristor technology to address security concerns. Dmitri Strukov, a professor of electrical and computer engineering at the University of California, and his team are working to put an additional security measure on internet-connected devices to prevent hackers from cloning them. In cloning, hackers replicate nodes in a network, and then use it to exploit a vulnerability within that network.
“You can think of it as a black box,” Strukov says. The researchers claim the chip is unclonable, and thus, protects the device from hacking, replication or counterfeiting by the hackers. The core technology behind this chip is the memristor, or memory resistor. According to the researchers, the said technology can be seen as an electrical resistance switch, which can “remember” its state of resistance due to the history of applied voltage and current.
Such a memory resistor is very significant in today’s world, where hackers use machine learning to vary the inputs and outputs to get control of any network. Along with improving their technology, Strukov and his colleagues are also studying to see if there is any change in its characteristics over time.