At that point, both Thunderbird with Enigmail and Apple Mail with GPGTools were vulnerable for users who were using the default settings. On May 14, the research team behind EFAIL published its paper. “One click means you lose the very thing that PGP is supposed to protect.” When you receive the malicious email, your email client uses your secret key to automatically decrypt the pilfered message within the malicious email, and then sends a decrypted copy of the stolen message back to the attacker - for example, through a web request to load an image into the email. The EFAIL researchers discovered that they could craft a special email that secretly includes a stolen encrypted message within it, and then send it to you. When you receive an email that’s encrypted to your public key, your email client automatically uses your secret key to decrypt it so that you can read it. PGP was specifically designed to protect against this - the promise of PGP is that even attackers with copies of your encrypted messages can’t decrypt them, only you can. They could get this by hacking your email account, hacking your email server, compelling your email provider to hand it over with a warrant, intercepting it while spying on the internet, or other ways. In a nutshell, the EFAIL attack works like this: First, the attacker needs a copy of a message that’s encrypted to your public key. Unfortunately, Apple Mail does not have an option to disable viewing HTML emails. ![]() You can do this by clicking View > Message Body As > Plain Text. Disabling HTML in your email will will prevent most, or maybe all, future variants of this attack from working against you. If you’re using Thunderbird, you should also configure it to only view emails in plain-text format instead of HTML format. Thunderbird is an open source email client that works on Macs, and the latest version of the Enigmail plug-in, which adds PGP support to Thunderbird, successfully mitigates the EFAIL attack, at least as far as is publicly known. If you’re an Apple Mail user who relies on PGP-encrypted email, and completely disabling PGP for the time being, like the Electronic Frontier Foundation, or EFF, recommends, isn’t an option for you, then your best course of action is to temporarily stop using Apple Mail and switch to Thunderbird, at least until GPGTools releases an update that fixes this issue. Here is a short video that demonstrates how dangerous this exploit could be: I have reported the vulnerability to the GPGTools developers, and they are actively working on an update that they plan on releasing soon. I developed a proof-of-concept exploit that works against Apple Mail and GPGTools even when remote-content loading is disabled (German security researcher Hanno Böck also deserves much of the credit for this exploit - more on that below). Similarly, the creator of PGP, Phil Zimmermann, co-signed a blog post Thursday stating that EFAIL was “easy to mitigate” by disabling the loading of remote content in GPGTools.īut even if you follow this advice and disable remote content, Apple Mail and GPGTools are still vulnerable to EFAIL. GPG Suite 2018.2 which mitigates against this attack is coming very soon. "Efail": as a temporary workaround against "efail" ( ), disable "Load remote content in messages" in Mail ? Preferences ? Viewing. The day the EFAIL paper was published, GPGTools instructed users to workaround EFAIL by changing a setting in Apple Mail to disable loading remote content: And developers of email clients and encryption plug-ins are still scrambling to come up with a permanent fix.Īpple Mail is the email client that comes free with every Mac computer, and an open source project called GPGTools allows Apple Mail to smoothly encrypt and decrypt messages using the 23-year-old PGP standard. It’s been nearly two weeks since a group of European researchers published a paper describing “EFAIL,” a set of critical software vulnerabilities that allow encrypted email messages to be stolen from within the inbox. ![]() If you use an older version of macOS, GPGTools is still vulnerable. If you use macOS High Sierra, Apple Mail, and GPGTools, it should be safe to use PGP again if you update to the latest version of everything. Update: Since this article was published, GPGTools released version 2018.2 which appears to successfully mitigate the OpenPGP EFAIL attack for macOS High Sierra users.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |