Following the publication on the flawed implementation of PGP and S/MIME encryption in certain email clients, some experts recommend doing without encryption. Other experts, in turn, disagree and give advice on how to continue using email encryption without the risk of the content being compromised by the EFAIL vulnerability.

EFAIL Enigmail (Screenshot: ZDNet.de)
The vulnerabilities identified by EFAIL allow attackers to manipulate encrypted emails in such a way that the content of the message is delivered in clear text after being decrypted by the recipient. "However, email encryption standards can continue to be used safely if implemented correctly and configured securely," writes the Federal Office for Information Security (BSI) in a statement, making it clear that the problem is the email client and not the encryption standards as such. Headlines such as "PGP cracked" are therefore incorrect.
Such headlines may also have been encouraged by the researchers' ambiguous title "Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels (draft 0.9.0)". The BSI and other experts continue to believe that email encryption with PGP is safe when certain conditions are met.
First, for more security in email communication, the agency generally recommends dispensing with HTML format when displaying and creating emails. That HTML emails are potentially dangerous has long been known and should not surprise anyone who encrypts messages. Therefore, emails encrypted with PGP probably contain little HTML code. But what happens if you receive a dangerous email from an attacker who wants to exploit the EFAIL vulnerabilities? In such a case, as with any email from an unknown sender, one should open it only with caution. As a rule, the execution of active content, that is, the display of emails in HTML format and the reloading of external content, must be deactivated. In addition, you should find out whether an update is available for the email program you use. Enigmail already offers an update that is immune to the EFAIL vulnerabilities.
Of course, this does little good if the recipient of the encrypted email continues to use a client that is vulnerable to EFAIL. It must be ensured that all recipients use a secure client. It is best to use secure webmailers such as ProtonMail or Mailbox.org. Both providers have commented on EFAIL in their respective blogs, and their statements are confirmed by the researchers' findings that webmail services protect against the EFAIL vulnerabilities.
Those who need to encrypt email should be aware that they are protected against unauthorized access only if all participants in the correspondence are secured. Giving up encryption in general because of the EFAIL vulnerabilities seems exaggerated given the existing security options. The BSI also sees it that way.