How organizations can defend against the Efail email hacker threat


As you may have heard, security researchers last week reported that they have discovered a critical flaw that’s been dubbed “Efail.” This defect affects applications such as Mozilla Thunderbird, Apple Mail, and some versions of Outlook and the way they handle a popular encryption technology that safeguards emails from prying eyes.

More specifically, Efail targets the encryption standard known as PGP (Pretty Good Privacy) and S/MIME, a similar protocol commonly used by businesses and other enterprises.

The Efail vulnerability allows hackers to read an encrypted email by making changes to its HTML, which essentially tricks the affected email applications into decrypting the rest of the message. However, this attack only applies if you are using S/MIME or OpenPGP for end-to-end email encryption. In addition, the attack requires hackers to have a high level of access, which in itself is difficult to achieve.

If you aren’t using either of these add-ons in your email client, this vulnerability doesn’t affect you—after all, if the crooks can sniff out your original messages and they’re not encrypted, they’ve got your plaintext already. Note also that this attack doesn’t work on all messages:

  • It doesn’t work in real time; you need a copy of the original encrypted message.
  • It only works with certain email clients.
  • It only works when an attacker already has access to a victim's encrypted emails.
  • It pretty much requires both HTML rendering and remote content download turned on in your email client.
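Because the last two preconditions are client settings, it is worth checking them directly. The following is an added example, not code from the original article or from any mail client: it parses a Thunderbird prefs.js and reports whether HTML rendering and remote-content download are both enabled, assuming the pref names mailnews.display.html_as and mailnews.message_display.disable_remote_image with the semantics noted in the comments (verify against your own version).

```python
"""Check a Thunderbird prefs.js for the two client settings that the Efail
attack relies on: HTML rendering and automatic remote-content download."""
import re
from typing import Dict, Union

PrefValue = Union[bool, int, str]

# Matches lines such as: user_pref("mailnews.display.html_as", 1);
_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);')


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse prefs.js text into a dict of pref name -> typed value."""
    prefs: Dict[str, PrefValue] = {}
    for name, raw in _PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw.strip('"')
        else:
            prefs[name] = int(raw)
    return prefs


def efail_exposure(prefs: Dict[str, PrefValue]) -> Dict[str, bool]:
    """Report which of the two Efail preconditions this profile meets.

    Assumed pref semantics (an assumption; check your Thunderbird version):
      mailnews.display.html_as: 0 = render original HTML, 1 = plain text,
                                3 = simplified HTML (default 0)
      mailnews.message_display.disable_remote_image: true = block remote
                                content (default true)
    A pref absent from prefs.js is at its default value.
    """
    html_rendered = prefs.get("mailnews.display.html_as", 0) == 0
    remote_allowed = prefs.get(
        "mailnews.message_display.disable_remote_image", True) is False
    return {
        "html_rendering": html_rendered,
        "remote_content": remote_allowed,
        "both_preconditions_met": html_rendered and remote_allowed,
    }


# Constructed sample profile where the user has turned remote content on.
SAMPLE_PREFS_JS = """\
user_pref("mailnews.display.html_as", 0);
user_pref("mailnews.message_display.disable_remote_image", false);
user_pref("mail.identity.id1.fullName", "Example User");
"""

if __name__ == "__main__":
    print(efail_exposure(parse_prefs(SAMPLE_PREFS_JS)))
```

A profile that leaves remote content blocked, or that displays mail as plain text, fails at least one precondition and is reported as not meeting both.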

The researchers and many others have stated that the best course of action is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email until the flaws are more widely understood. They recommend that, until Efail can be fixed, users should arrange for the use of alternative end-to-end secure channels.

I disagree. The correct response to vulnerable PGP implementations should not be to stop using PGP, but to use secure PGP implementations, or to temporarily stop sending encrypted email through the affected clients. Strictly speaking, this is not a problem with PGP, but with the client implementations of the encryption standard in certain mail clients. Because the vulnerabilities are in the PGP implementations and not in the OpenPGP protocol itself, these bugs are very easy for PGP plugin developers to patch.

If you feel the least bit concerned, temporarily disable email encryption in Outlook, macOS Mail, Thunderbird, etc., and switch to something like Signal, WhatsApp, or iMessage for secure communication until the dust settles. Keep in mind, however, that it will be difficult for many businesses to make that switch and then quickly change back to the patched email clients.

If you're not concerned, I still recommend that you keep an eye on the story and see if anything changes over the next couple of days. Don’t ignore this, but also don’t make the mistake of panicking, removing necessary security features, and opening yourself to a possible vulnerability. Instead, consider that those email clients affected by this vulnerability will likely be patched pretty quickly.

There will always be exploitation and vulnerabilities, potential and proven. What's important is that they're disclosed ethically, reported responsibly, and addressed expeditiously.
