It’s never been easy to encrypt email communications fully, from one end to the other. Security experts have long said the only way to secure email from snooping is to use a somewhat-cumbersome multistep process involving a cryptographic key exchange called Pretty Good Privacy, or PGP.

Unencrypted emails, which include standard-issue Gmail, Outlook, and Apple Mail accounts, are often said to be about as secure as a postcard. And encrypted emails lacking PGP or S/MIME protection publicly broadcast a lot of metadata and can be spied on with relative ease, they say. But even PGP, which creates an end-to-end encrypted tunnel, and S/MIME (Secure/Multipurpose Internet Mail Extensions), which is similar to PGP but relies on a more centralized model, aren’t ironclad.

New security research referred to as EFail highlights two kinds of attacks against emails protected with OpenPGP, a variant of PGP that serves as email clients’ primary encryption protocol, and S/MIME.


Can we abandon email for secure messaging? Not so fast
Why weakening encryption can hurt you
How to securely send your personal information
How political campaigns target you via email
Special report: the encryption debate

The paper, published Monday, warns of PGP and S/MIME exploitations in 25 of the 35 tested S/MIME email programs and 10 of the 28 tested OpenPGP email programs. A few of them are marked as safe to use, including Claws and Mutt, most likely because of how they warn the user about HTML content in an email, though the report doesn’t specify why.

Direct exfiltration, the first type of attack the report details, affects Apple Mail, iOS Mail, and Mozilla Thunderbird. Using the exploitation, an attacker can steal the contents of a message by fooling email software into decrypting it and then sending it to the attacker.

Ryan Sipes, the community manager for Thunderbird, told The Parallax in an email that the organization is testing a security patch for the exploit. “We hope to roll it out to our users before the end of the week,” he wrote.

Apple did not return a request for comment.

The second attack goes after OpenPGP and S/MIME by using certain phrases that are known to be in the message (such as the header text “Content-type: multipart/signed”) to inject HTML image tags, fool the email software, and steal the contents of the rest of the message. The researchers used techniques in these attacks they say are new, and called them CBC/CFB gadget attacks because they exploit encryption algorithm functions used in OpenPGP and S/MIME.

In a blog post response to the research, the Electronic Frontier Foundation warned against using any kind of PGP-related email encryption for now. Instead, the digital-rights and privacy advocacy organization is advising that people use encrypted-messaging app Signal.

“This is what happens when we rely on a 27-year-old protocol without forward secrecy and authenticated encryption, layered on an unsecure protocol, which is email,” says Nate Cardozo, senior staff attorney at the EFF.

Cardozo and two of his colleagues say in the post that the EFF is “dialing down” its extensive use of PGP-protected email, and they detail steps to back up PGP-protected email and read it from the operating system command line, which Cardozo notes it is still safe to do.

PGP’s deficiencies are nothing new to the security community. PGP creator Phil Zimmermann told The Parallax in April 2017 that PGP is inadequate for today’s communication needs.

“If you’re very careful about using PGP, you can use email for secure communications. But I qualify that heavily because the threat model has changed so much in the past 25 years,” he said.

While both EFail attacks are legitimate, says Robert J. Hansen, the editor of the GnuPG FAQ and an unofficial evangelist for the GnuPG email encryption protocol, he calls the report a mix of “facts and distortions.”

As they are detailed in the report, he says, “The attacks are real. But the ease of applying them is dramatically out there.” He cautions that the report doesn’t mention that GnuPG has been mitigating these types of attacks for 18 years.

It’s irresponsible to suggest simply removing PGP without a practical working replacement.”—Lesley Carhart, principal threat hunter, Dragos

Its mitigating technology, known as the Modification Detection Code, warns users when they receive a message that does not include the MDC. “We all but scream at users to never, never override the MDC,” Hansen says. “Creating the [malicious] traffic is not the obstacle. Convincing the other person to accept the traffic is the obstacle.”

Researchers who worked on the EFail report, including Sebastian Schinzel, a computer security professor at the Münster University of Applied Sciences in Germany, did not return requests for comment.

The EFF’s Cardozo warns that even with the MDC, there’s no guarantee that the email hasn’t been intercepted and decrypted. It may even be possible to use the EFail exploits to decrypt old emails stored on a computer.

“Turning off HTML or remote content is not a complete solution,” he says, because “anybody who has access to messages on a server in a population that uses PGP might be able to decrypt them.”

Despite the strong reaction by the EFF, not all researchers are hitting their panic buttons over the exploits. Lesley Carhart, principal threat hunter at industrial-cybersecurity company Dragos, said to The Parallax in a Twitter direct message that Signal does not work as a replacement for all PGP use cases, such as sending multiple attachments or missives with complicated formatting.

“It’s irresponsible to suggest simply removing PGP without a practical working replacement,” she says. “So while I agree in principle that Signal may be better designed for the future, we must exercise tremendous caution whenever we suggest the general population remove any working security measure.”

She’s not the only one. Alec Muffett, security expert and director of the United Kingdom-based digital rights organization Open Rights Group, calls the set of circumstances needed to successfully pull off one of the EFail exploits “pretty rare.”

“The attacker needs copies of pre-existing encrypted material of yours, they need to focus on you as an individual, and they need a pretty specific set of circumstances and capabilities to exploit the bug,” he said in an email to The Parallax.

The researchers and the EFF might counter that the EFail report proves that PGP and S/MIME are no longer working as intended, but Carhart argues that an abundance of caution is needed to properly assess the risks.

“This was a fascinating discovery, but there’s tremendous nuance as to what configurations and developers’ products are vulnerable,” she says.