Critical vulnerabilities make it possible to read the mails encrypted by OpenPGP or S / MIME

-

Researchers have shown that rendering HTML in email clients can extract decrypted content from an email when it is read. The software of Apple, Microsoft or Mozilla are concerned.

Red alert in the security of e-mails. A group of researchers found critical loopholes in the two main message encryption systems in use, OpenPGP and S / MIME.

As a reminder, these two systems rely on symmetric and asymmetric encryption algorithms - AES and RSA, for example - to ensure end-to-end confidentiality between a transmitter and a receiver.

At the mainstream level, the most well-known technology of both is OpenPGP that can be used with any email client. Just install the software plugin or the appropriate browser extension: Enigmail, GPGTools, Gpgf4win, Mailvelope, etc. Some service providers have also integrated it directly into their offers. This is the case, for example, with ProtonMail and GMX Caramail. S / MIME techno is used only in enterprise because it requires a hierarchical infrastructure to distribute certificates to users.

Two variants of attacks

The researchers did not intend to reveal the details of these flaws until tomorrow morning. However, it turns out that their scientific paper and their explanations are already available on the efail.de website.

Called "EFAIL", the attack principle is as follows: an attacker intercepts encrypted emails, integrates some HTML tags, and sends them to the recipient. At the moment when the latter decrypts them in his mail client, the decrypted text is returned to the attacker thanks, precisely, to these HTML tags.


This extraction channel can be constructed in two ways. In the first case, the ciphertext is simply embedded in an image tag. The decrypted text will then be interpreted by the mail client as part of an HTML image request and sent in clear to the attacker. Of the 47 email clients tested, 17 are vulnerable to this type of attack, including Apple Mail (macOS), Mail App (iOS), Thunderbird (Windows, MacOS, Linux), Postbox (Windows) and MailMate (macOS).


The second case is similar, but technically much more complicated. This time, the attacker injects his tag directly into the ciphertext by relying on vulnerabilities found in the cryptographic standards used by PGP / GPG and S / MIME, namely the CBC and CFB block cipher modes. The HTML tag will only appear after decryption, creating the extraction channel. Out of 35 email clients tested, 23 are vulnerable through S / MIME and 10 through PGP / GPG.
No patch is available at the moment. In the meantime, there are fortunately workarounds, starting with the disabling of HTML mode in email clients. Alternatively, disable decryption in the email client. In this case, the user will have to copy-paste the encrypted content into another decryption application that does not render HTML. Those who do not want to take the lead can also simply abandon the email and use more modern end-to-end encryption messaging like Signal or Telegram.

Finally, the exploitation of these flaws is also not within reach of the first hacker come, according to Bruce Schneier, a cryptographer emeritus. "Being able to intercept and modify e-mails in transit is the kind of thing the NSA can do, but it's hard for the average hacker," he says in a blog note.

paypal,facebook,yahoo,mail,google,maps,ebay,amazon,barcelone,realmadrid,netflix,craigslist,AliCarter,Liverpool,AlfieEvans,YankeesVsAngels,RonanFarrow,YeVsThePeople,MesotheliomaLawFirm,Donate,CarToCharity,California,Donate,Car,ForTaxCredit,DonateCarsInMa;Insurance,Loans,Mortgage,Attorney,Credit,Lawyer,Donate,Degree,Hosting,Claimcashfear,softwares,money,football,SPORTNEWS,cars,carrental,cellphone,phonenumber,forex,torrent,voip,net,adsence,tollsspeakers,tipsspeakers,iphonespeakers,phones,iphone4,facebook,youtube,twitter,livematch,newslive,watchmatchforfree,watchlaligaforfree,watchserieAliveonjsc+,softwares,football,SPORTNEWS,cars,carrental,cellphone,phonenumber,forex,torrent,voip,net,adsence,tollsspeakers,tipsspeakers,iphonespeakers,phones,iphone4,facebook,youtube,twitter,livematch,newslive,watch match for free,watch laliga for free,watch serie A live on jsc+,windows 7,windows 8


Commentaires

Enregistrer un commentaire

CALL US

Nom

E-mail *

Message *

Posts les plus consultés de ce blog

We tested the Nuraphone, the headset that fits your hearing

-
Image
The Nuraphone is an innovative model both for its sound customization system and the design of its headphones. Is it enough to make a difference? How to offer the best possible sound for headphones? The Australian company Nura have tackled this thorny problem and have designed a revolutionary model: the Nuraphone, sold about 400 euros. This helmet is distinguished by its design that combines the circum-auricular and the intra-auricular. The inside of the earpiece has a tip that is placed at the entrance of the ear canal to transmit the sound more directly than with conventional supra or circumauricular models. According to the manufacturer, the tip penetrates less into the duct than the in-ear headphones, which explains the unique size. We would have liked the choice between several sizes and people who do not like the headphones may not like this model either. Another potential problem often related to ear-phones, the restitution of the bass. To avoid this problem, Nura ...
Lire la suite

They turned Amazon Echo into an audio snitch

-
Image
Hackers have managed to create, in the smart enclosure, a seemingly innocuous application that continuously records conversations. With a microphone, smart speakers sometimes cause discomfort in some users who wonder if they do not record their words constantly. Checkmarx's hackers have just given some grit to this conspiracy theory as part of Amazon Echo. They developed a calculator in the form of a "skill", that is to say a voice application that extends the functionality of Amazon Echo. Just say "start calculator" to access and make calculations. Until then nothing abnormal. The problem is that the application continues to record the words of the user even if they are unrelated to the application. The speeches are then transformed into text and sent to the developer of the skill. To achieve this, hackers used a flaw in Amazon Echo's programming interface settings. Normally, a skill is supposed to turn off automatically after a certain time, when...
Lire la suite

Dolby Digital, Atmos or DTS ... what do these audio technologies hide?

-
Image
With the multiplication of audio formats, not easy to navigate to make the right choice. 01net.com explains the main ones to make sure you do not go wrong. Be immersed in a match and live the same atmosphere as the stadium? This is certainly what every football lover dreams about in front of his television. If the image participates more and more, including the broadcast of some matches in 4K, the audio is still the poor relation of sports retransmissions. However, we do not buy a TV only to watch football (well, normally). It is therefore good to know what the different formats used for cinema sound mean. Not always easy to cope with the acronyms and logos displayed on the data sheets of the devices or on the pockets of DVDs and Blu-ray discs. These are the latter that will usually give you the most systematic access to multichannel audio formats, with several voices in the front, rear and a subwoofer. Netflix also offers some compatible content, both movies and series. Two...
Lire la suite