
Over the past week, European digital security researchers published a paper which uncovered a new vulnerability in a widely used form of email encryption. The vulnerability lets hackers insert malicious code into intercepted emails, giving them access to the entire inbox of a given target. However, before any enterprise starts pulling out their servers, it should be noted that the vulnerability only impacts two of the most commonly used encryption protocols, namely PGP and S/MIME.

While this makes a number of clients like Apple Mail, and the Mail app on iOS, Windows and Thunderbird vulnerable, many of the existing authentication systems can effectively block the attack. In practical terms this means the vulnerability impacts messages through HTML content, like externally loaded images.

How EFail Takes Your Data

According to a blog post by the Electronic Frontier Foundation, EFail attacks exploit vulnerabilities in the OpenPGP (Pretty Good Privacy) and S/MIME (Secure/Multipurpose Internet Mail Extensions) standards to reveal the plaintext of encrypted emails. EFail, the name given to the vulnerability, abuses active content of HTML emails to surreptitiously extract plaintext through requested URLs.

To create the passageways needed to extract the plaintext, the attacker first gains access to the encrypted emails by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The attacker then changes an encrypted email and sends the changed encrypted email back to the victim. The victim's email client decrypts the email and loads any external content, thus giving plaintext access to the attacker.

No one really seems to agree on how bad the vulnerability actually is. Dramatic headlines in the mainstream press have caused some concern in organizations. However, the reality is probably different. A statement, for example, from Hannover, Germany-based Hornetsecurity stated the vulnerabilities discovered do not impact the security protocols themselves but use already known weaknesses in recipients' email clients to make them decrypt an encrypted email and deliver it to the attacker. “This kind of unsubstantiated exaggeration [about the impact of EFail] doesn't help the cause of increasing the wider use of encryption and providing better overall security. Individuals and institutions that claim to want to improve IT security have done a disservice in this case by creating hysteria in numerous misleading articles and in other unsubstantiated headlines related to EFail.”

Protecting Your Email Service

There are two relatively easy ways of mitigating an attack, according to a statement issued in response to the research by the open source GNU Privacy Guard project:

  1. Don't use HTML mails. Or if you really need to read them use a proper MIME parser and disallow any access to external links.
  2. Use authenticated encryption that adds a layer of protection to confirm the message hasn’t been changed.
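
The first mitigation above, as an added example that is not from GnuPG or the original article: a Python check that parses a message with the standard-library MIME parser and lists every remote resource its HTML parts would load automatically, so a client or gateway can refuse to render them. The attribute list, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Attributes a client may fetch automatically while rendering (not exhaustive).
AUTOLOAD_ATTRS = {"src", "srcset", "background", "poster"}
REMOTE = re.compile(r"\s*(?:https?:)?//", re.IGNORECASE)
CSS_URL = re.compile(r"url\(\s*['\"]?\s*((?:https?:)?//[^'\")\s]+)", re.I)

class RemoteRefFinder(HTMLParser):
    """Collects (tag, attribute, value) for each remote auto-loaded resource."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name in AUTOLOAD_ATTRS or (tag == "link" and name == "href"):
                # srcset holds a comma-separated list; check every candidate
                if any(REMOTE.match(v) for v in value.split(",")):
                    self.refs.append((tag, name, value.strip()))
            elif name == "style":
                self.refs += [(tag, name, u) for u in CSS_URL.findall(value)]

def remote_references(raw_message):
    """Return remote references in every text/html part of a MIME message."""
    msg = message_from_string(raw_message, policy=policy.default)
    finder = RemoteRefFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    finder.close()
    return finder.refs

# Constructed sample message: one remote image, one remote CSS background.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body background="cid:bg1">
<p style="background:url('https://tracker.example/p.png')">Numbers</p>
<img src="cid:logo"><img src="http://tracker.example/a.gif?id=1">
<a href="https://example.org/report">report</a></body></html>
"""
```

Embedded `cid:` images and ordinary hyperlinks are left alone because they trigger no request at render time; a non-empty result is the signal to show the plain-text part instead.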

The issue puts encryption back in the spotlight yet again as the only current way to ensure emails are safe. The revelation comes at a time when encryption is slowly but surely being adopted as a safety measure for a protocol — email — that no one company owns.

In practical terms this means no single company can encrypt your emails end to end. If you use Outlook, for example, and you send an email to a Gmail account, Microsoft can’t encrypt your email at one end and decrypt it at the other as Microsoft does not have access to Google email servers. However, while encryption is difficult, security concerns are overriding these technical difficulties and enterprises are moving in the direction of encryption, but it’s a slow process.


Challenges of Email Encryption

Dave Martin is vice president at San Jose, Calif.-based encryption company VeriFyle. He said while people say they want to secure their emails, encryption is complex and it can be hard to set up. He said encrypted email services almost always require some kind of software, like an email client, installed on both the sender's and the recipient's devices in order to manage the exchange of public and private keys. If you don't have nodes that can find the keys, you can't decrypt the message and the encryption becomes worthless.

In this case, you can do a good job encrypting messages on the client side and in transit as long as the sender and recipient are using the same service. In other words, if both people are using Gmail, the messages can be encrypted without much extra effort on the user's part. But if someone using Gmail wants to send a message to someone on Yahoo, encryption becomes extremely difficult for the average user to manage.

“What we've witnessed is that while many people say they want improved security for the digital communications, they loathe any extra complexity (even one step more than they are used to). As a result, they default to the most convenient method (regular old email) even when sending sensitive information,” Martin said.

A separate problem is exactly how the keys are created, stored and managed. Many services, for example, choose to use master keys for encrypting information in bulk. This improves performance, but can also lead to massive breaches where one hacked key gives a hacker access to many user accounts. Adding to this, the provider in almost every case keeps a backup of all user keys (in case, for example, they forget their password). In order to be truly secure, a user needs to have the option to forbid the service from keeping a backup key.

Email Encryption's Compliance Concerns

For Rema Deo, managing director and CEO of Coral Springs, Fla.-based 24By7 Security, encryption is the way forward until something better and as tried-and-tested comes along. She said the biggest driving force behind moving forward with email encryption is compliance. Several industries are regulated for data privacy and security and these laws are providing encryption as a strong method for safeguarding data. The US HIPAA enforcement agency “Office of Civil Rights” states that if properly encrypted data is breached (lost or stolen), they will not consider it as reportable or as a breach because it was encrypted.


Steps to Frustrate Would-Be Hackers

Email is one of the most popular targets for hackers, making it vital for organizations to take the necessary measures to secure their email accounts against cyber-attacks as well as attempts of unauthorized access to their users' email accounts, said Mihai Corbuleac, a senior IT consultant at Natick, Mass.-based ComputerSupport.com, an IT support and consulting company for AWS/Azure and information security services.

When email users encrypt all their messages as a standard practice, hackers wishing to access sensitive data will have a harder time. Decrypting email messages one-by-one to find messages that contain personal information will be tedious and will discourage most hackers. This will cut down on phishing emails and malware sent through different email services, which will improve online security. 

Chris Strammiello, vice president of market development and strategy at Burlington, Mass.-based Nuance Communications agrees, but warns encrypting email is not enough. He said organizations must ensure email messages are secure by encrypting body content and attachment files as well. He said security professionals need to remember that many data breaches are not the result of stereotypical hacking, but human error, such as sending an email to the wrong recipient. The steps Microsoft and Google are taking to encrypt email messages are encouraging, and companies should go even further by securing their attachments and verifying addresses as well.

Encryption + Domain-Based Email Authentication

Encryption can make email more private and secure, but it is only really effective when those using it are confident about the identity of the person or company on the other end. “Right now, that’s not the case for the vast majority of the messages in your inbox. In order to make email more trustworthy, we need widespread domain-based email authentication — which guarantees that messages really do come from who they appear to come from,” said Alexander García-Tobar, CEO and co-founder of San Francisco-based ValiMail, an email authentication service.

An infrastructure for authenticating email senders’ identities, called DMARC, already exists. Seventy-five percent of the world’s mailboxes respect and enforce it, but only 0.5 percent of the top million domains are using this infrastructure to protect themselves. Technologies for automating email authentication can close that gap. But until it’s closed, email will remain untrustworthy. “Encryption alone is no panacea. We need encryption and domain-based authentication together,” García-Tobar said.