A vulnerability called EFAIL is being widely reported after new research on this existing but little-known vulnerability became available. In technical terms, EFAIL can allow a hacker to expose the plain text of some encrypted emails sent using the encryption technologies OpenPGP and S/MIME. In layman’s terms, if an attacker were to exploit this vulnerability, they could read emails that were encrypted (and therefore thought to be “safe”).
As is often the case when security issues are discussed in the media, reactions range anywhere from “So what?” to “We’re all gonna die!” Our job as security experts is to provide balance and help you separate sound guidance from hype.
In these situations, it’s helpful to know what has to happen before the worst-case scenario can occur. In order to exploit EFAIL and view the plain text in an encrypted email, a hacker must already have access to your encrypted emails. This means they have to be “sniffing” or eavesdropping on your network traffic, or that your computer, email server or email account has already been compromised.
ADNET is working with our security partners to ascertain whether their encryption systems are exposed to this vulnerability, and at this time, we have not found any issues with the solutions we recommend. For example, Zix, a provider of secure email solutions, shared with us: “The vulnerabilities identified as EFAIL occur ONLY IF S/MIME is used without the validation of digital signatures.” The Zix solution requires the use and validation of digital signatures to ensure the integrity of encrypted emails.
We have received questions about whether users should disable PGP and S/MIME encryption in their email clients, or temporarily stop sending and reading encrypted email. ADNET does not recommend this approach. In my opinion, this would be like removing all of the smoke detectors from your house because their batteries can fail. Yes, email encryption is flawed. However, until patches or other fixes become available for this vulnerability, flawed encryption is still better than no encryption.
The best advice we can offer is to keep your systems up to date with the latest security patches as they are released to deal with vulnerabilities like EFAIL. While EFAIL is cause for concern and we will continue to monitor it as more information becomes available, EFAIL alone isn’t the end of the world. If the perfect storm strikes and an attacker is able to exploit it, your system has already been compromised, which is a much bigger problem.