Sebastian Schinzel (Research Group MediSec), Jens Müller (Research Group Intelligente Messsysteme) und Christian Dresen (Research Group MediSec) were involved in the publication of a major flaw in how current email encryption works.

From the website:

The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails. In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.

Their study will be presented at the 27th Usenix Security Symposium in August in Boston.

 

Leave a Reply

Your email address will not be published. Required fields are marked *