Husband, dad, mountain biker, professor of computer security @fh_muenster. Private account.
Nov 3, 2020 • 7 tweets • 4 min read
New paper on how to fix #efail style attacks against e2e encrypted email, including OpenPGP and S/MIME. Joint work with @JoergSchwenk@lambdafu@dues__@jensvoid@jurajsomorovsky@seecurity. To be presented at @acm_ccs 2020. Thread:
One central problem of email e2ee is that neither MIME structure nor header fields are protected from modification. Attackers can send modified ciphertexts, can send ciphertexts with crafted MIME structures or can add or remove headers such as FROM, RCPT TO or SUBJECT at will.
We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4
There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now. Also read @EFF’s blog post on this issue: eff.org/deeplinks/2018…#efail 2/4