The widely-used OpenPGP and S/MIME email encryption protocols suffer from weaknesses that may ultimately expose the plaintext of encrypted messages to attackers, according to a team of eight academics from German and Belgian universities, who have nicknamed the flaws “EFAIL”.

“In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs,” the researchers wrote on efail.de, a newly-launched website dedicated to their findings. The vulnerabilities come in two flavors and are described in great detail in a technical paper entitled “Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels”.

In order to exploit the weaknesses, miscreants first need to access the end-to-end-encrypted email message. This means intercepting it in transit or stealing it, for instance, from a compromised email account, client computer or backup system. Then, the attackers need to alter the email by adding custom HTML code to it, and send the manipulated email to the victim. The victim’s email client decrypts the email and, given its HTML-rendering capability, it is tricked by the malicious code into sending the full plaintext of the emails to the attackers. Even messages sent years ago are vulnerable.

The team also said that their proof-of-concept exploit has been shown to be successful against 25 out of 35 tested S/MIME email clients and 10 out of 28 OpenPGP clients. The flaws affect email applications such as Apple Mail with the GPGTools encryption plug-in, Mozilla Thunderbird with the Enigmail plug-in, and Outlook with the Gpg4win encryption package. The academics said that, in keeping with the principles of responsible disclosure, they have reported their findings to all email providers concerned.

They also averred that there are no reliable fixes for the vulnerability and recommended several short-, medium-, and long-term mitigation strategies. The short-term actions involve decrypting emails in a separate application rather than in the email client, together with disabling the rendering of remote content, such as HTML images or styles. As for medium- and long-term fixes, respectively, the academics said that software holes need to be patched and the standards need to be updated.

The Electronic Frontier Foundation (EFF), a US-based digital rights group, had reviewed the researchers’ findings before they were published. On Sunday, it released a series of tutorials in which it largely echoed the researchers’ advice – users should disable or uninstall PGP plugins in their email handlers until the vulnerabilities are patched. Since the same flaws affect S/MIME, which is common in enterprise email networks, EFF recommended that, “during this period of uncertainty”, users should switch to alternative methods of secure communication.

Broken encryption, broken embargo

The research attracted a great deal of publicity even before its results were published. This was after the researchers initially released a “teaser” to the effect that the flaws would be described in detail in a paper on Tuesday. However, the embargo was broken on Monday, prompting the researchers to go public with their findings ahead of schedule.

Meanwhile, the findings have stirred some controversy, in particular over how realistic the threat truly is. For example, Robert J. Hansen of Enigmail dismissed the alarm bells as “a tempest in a teapot”.

In a similar vein, Werner Koch, the man behind GNU Privacy Guard (GnuPG/GPG), which is an implementation of OpenPGP, called the warnings “overblown”.

In fact, according to GnuPG, the problem lies elsewhere. “They figured out mail clients which don't properly check for decryption errors and also follow links in HTML mails. So the vulnerability is in the mail clients and not in the protocols. In fact OpenPGP is immune if used correctly while S/MIME has no deployed mitigation,” GnuPG tweeted.

ProtonMail said in a statement that its encrypted email service is not affected by the flaws and that, beyond "one minor exception", the vulnerabilities are not, in fact, present in PGP itself. In addition, the email provider said that the PGP developer community has been aware of some of the Efail vulnerabilities since 1999. “What the authors of Efail did was catalogue a list of PGP clients that have errors in their PGP implementation,” reads the statement. With that in mind, the company recommended the use of secure PGP implementations.

Cryptographer and professor at Johns Hopkins University Matthew Green said of the exploit that “[i]t’s an extremely cool attack and kind of a masterpiece in exploiting bad crypto, combined with a whole lot of sloppiness on the part of mail client developers.”

Cryptography expert Bruce Schneier weighed in by saying that “[t]he vulnerability isn't with PGP or S/MIME itself, but in the way they interact with modern e-mail programs.”