Efail security scare fails to kill off email
Despite email being abused by every cyber miscreant, we still continue to use it
Of all the internet applications out there, nothing much beats email for being popular yet dangerously flawed at the same time. Email was designed to ensure messages reached their intended recipients, with no real thought given to making it secure.
This is why email carries spam, malware, tracking code and can be intercepted easily.
It’s also simple to forge messages so that they appear to have been sent by someone you know, when in fact they were transmitted by malicious people.
Despite email being horrendously abused by every cyber miscreant under the sun, we continue to use it.
More than that, we entrust email to carry some very personal messages and information, business secrets and government business, thinking it’s safe to do so when it really isn’t.
Email addresses are even used as logins, which is just asking for it.
Over the years, there have been attempts at plugging the gaping security holes in email.
This includes scanning messages to filter out malicious ones, and encrypting communications between your mail program, the internet provider’s server and onward links to recipients.
Yes, it’s true that traffic wasn’t encrypted in the past and some providers still leave it totally open.
An earlier workaround to make it safer to send sensitive stuff over unencrypted channels was to scramble the email messages themselves. That way, even if messages were intercepted, only the person who had the correct digital key could read them.
Think of it as a super strong envelope around your message.
If you know what (Open)PGP stands for, then you’re one of not very many patient techie people who’ve encrypted and decrypted messages (and other data) despite the software being a bear to use. I still use it every now and then, but it’s rare to receive an encrypted message even though PGP has been around for decades.
Nevertheless, there are PGP emails with secrets that people don’t want others to see.
When a bunch of German researchers said they’d found a weakness in the protocol that could be used to unscramble captured messages, security experts sat up and took notice.
Long story short, the researchers had found that a bug discovered almost two decades ago had not been patched by many email programs and addons. The researchers called it “Efail” (geddit?) and you can read about it on https://efail.de
The flaw meant attackers, who had
We entrust email to carry some very personal messages and information, business secrets and government business, thinking it’s safe to do so when it really isn’t
somehow snagged encrypted messages, could send them again to the original recipient whose buggy mail program would decrypt the emails.
Then, by abusing web-style active content inserted in emails, attackers could get the clear text messages sent to them.
Efail is a real threat for the relatively few people who bother to encrypt messages in email programs; they should patch immediately, and never use HTML and other active content in emails (nor should anyone else, no matter how pretty it makes messages look).
Another threat along the same lines is described a few pages down in the researchers’ paper. It involves the Secure Multipurpose Internet Mail Extension (S/MIME) cryptographic protocol and email gateways.
S/MIME is used by enterprises and governments. Deploying it via an email gateway that does the encryption and decryption heavy lifting, as opposed to in email programs, makes life less complicated for users and means you can do things like malware scanning and spam filtering.
However, S/MIME is also old tech and the flaw in that protocol that Efail exploits won’t be fixed. It means attackers could try to use gateways to decrypt emails.
The possibility of that should have the Department of Internal Affairs, which operates the SEEMail gateway, worried.
DIA describes SEEMail as a “secure email environment between government agencies which protects information classified as INCONFIDENCE, SENSITIVE or RESTRICTED.” All the juicy stuff that mustn’t leak out, in other words.
A DIA spokesperson said they are assessing what impact the vulnerability has, if any, on SEEMail, and that “we continue to work alongside government agencies to ensure our security posture is appropriate.”
What that means remains to be seen, ditto whether or not the vendor that supplied SEEMail to the Government can fix the issue — and there really does seem to be a problem.
How would you fix this then? If you’ve made it this far, and come to the conclusion that email is fundamentally broken despite all the desperate wallpapering over the cracks, we should stop using it.
Many security experts suggest moving to modern end-to-end encrypted messenger apps like Signal.
They make your communications securely encrypted easily, without having to manage public and private keys and other complications.
However email’s formal, letteroriented focus on individual messages that are searchable and archivable would be too hard to drop, for businesses and government organisations especially.
That, and using email addresses as logon credentials for essential services.
Sadly, this means email will live on like the impossible to kill zombie it is, and that there will be many more Efails coming up in the future.