UPDATE from May 16, 2018: In order to proactively protect our corporate customers, who are still encrypting and decrypting their emails via an in-house solution and have not yet booked the Hornetsecurity Encryption Service, from EFAIL, we have also developed a special filter level for attacks according to the EFAIL pattern. The only prerequisite for this is that their email communication runs via the Hornetsecurity servers, which is generally the case with our email security products. The filter level is already activated by default for all our customers who have booked at least the Hornetsecurity spam filter service and. It protects not only against EFAIL, but also against future attacks with similar patterns. +++++ A known vulnerability is transferred to the PGP and S/MIME protocols and takes email manipulation to a new level. No problem for Hornetsecurity. On Monday, May 14, 2018, a team of security researchers from the University of Applied Sciences Münster, the Ruhr University Bochum and the University of Leuven (Belgium) published a paper that questions the security of the PGP and S/MIME encryption standards and thus attracts worldwide attention. However, the vulnerabilities discovered (CVE-2017-17688 and CVE-2017-17689) do not affect the protocols themselves, but use an already known vulnerability to decrypt encrypted emails by the mail client and send them to the attacker. A prerequisite for the execution of the attacks is that the attacker already possesses emails in encrypted form. To do this, the emails need to be intercepted during transport. The attacker must have previously executed a man-in-the-middle attack (MitM) or compromised a mail server to gain access to the emails passing through him or the server. Only if these requirements are met, the attacker can execute one of the EFAIL attacks described in the paper. The authors of the paper present two similar attacking methods to decrypt emails with existing PGP or S/MIME encryption. The first method is quite simple, but limited to certain email clients (Apple Mail, iOS Mail, Mozilla Thunderbird) and any third-party plug-ins installed there: To do this, the attacker creates an email with three body parts. The first part formats the email as HTML and inserts an image tag with a target website. The quotation marks and the image tag are not closed. This is followed in the second body part by the PGP- or S/MIME-encrypted text. The third part consists of HTML formatting again and closes the image tag from part one. If the attacker sends this email to the sender of the encrypted message, it is possible that the message is decrypted and transmitted to the stored website. To do this, the email client must be configured so that it automatically downloads external images without asking the user. The second way to read PGP or S/MIME encrypted emails is a well-known method of how to extract plain text in blocks of encrypted messages. The attacking scenarios are called CBC attack (S/MIME) and CFB attack (PGP). They determine a known text portion in an encrypted message and overwrites subsequent blocks with their own content. The EFAIL attack inserts an image tag with a target website into the encrypted text, as described in the first part. If the message is then delivered to the actual recipient of the encrypted message, it is possible that the message is decrypted and transmitted to the attacker.
The emails encrypted by Hornetsecurity are protected by design against attacks of this kind, since Hornetsecurity does not even allow the different content types (multipart/mixed) required for the attack. The encryption methods themselves – S/MIME and PGP – were not broken; rather, vulnerabilities were found in email clients for HTML emails that bypass these encryption techniques. In addition, we object to the recommendation of various security researchers to generally deactivate content encryption: PGP and S/MIME are still not per se more insecure than a pure transport-encrypted transmission or no encryption at all, even after this publication. Since the attack requires a MitM attack, i.e. a breaking of the possible transport encryption, a general levering out of content encryption would be fatal: Possible attackers could even read the email traffic directly like a postcard!
Hornetsecurity Encryption Service, which is immune to EFAIL, does not require any client plug-ins: Encryption and decryption are fully automated by Hornetsecurity in the cloud – no installation, maintenance or user interaction is required – simply secure!