May 15th: A researcher at the University of Münster, Germany, issued a tweet on May 13, 2018 warning of serious vulnerabilities in the PGP and S/MIME e-mail encryption tools, affecting more than 20 e-mail clients. The researchers said that an attacker could launch an EFAIL attack to decrypt encrypted messages that were sent or received. The vulnerability has been confirmed by the Electronic Frontier Foundation (EFF).
PGP and S/MIME
PGP and S/MIME are treated as two locks for email encryption:
PGP is an open source, end-to-end email encryption standard designed to prevent email communications from being monitored by companies, government agencies, or cybercriminals.
S/MIME is a technology based on asymmetric encryption that allows users to send e-mails with digital signatures and encryption.
Researchers said that these vulnerabilities could reveal the contents of the plaintext communications of encrypted e-mails, including encrypted e-mails sent in the past. Currently, there is no reliable solution.
The researchers’ May 15 paper (available at https://efail.de/) contains a proof of concept that allows attackers to use the victim’s own e-mail client to decrypt previously acquired messages and have the decrypted content returned to the attacker without alerting the victim. The proof of concept is just one implementation of this new type of attack, which may change over the next few days. The vulnerabilities fall into two categories:
Direct Exfiltration: Affects Apple's macOS and iOS mail clients and Mozilla Thunderbird. Using this vulnerability, an attacker can send an email that causes the encrypted information sent by the victim to be decrypted automatically and its content shared. Researchers believe that this vulnerability can be fixed by installing patches.
CBC/CFB Gadget Attack: Affects more mail clients, including Microsoft Outlook. The effectiveness of the attack depends on whether PGP or S/MIME encryption is used. With PGP encryption, it succeeds once in every three attempts. With S/MIME encryption, a single email can crack up to 500 messages at a time.
Scope of impact
First, the verification test results for the S/MIME client:
Red: leaked channels (no user interaction required)
Orange: leaked channels (user interaction required)
Green: No leaked channel found
Second, for the PGP client verification results:
Red: leaked channels (no user interaction required)
Green: Not affected
Third, direct leak test results:
Red: leaked channels (no user interaction required)
Orange: leaked channels (user interaction required)
Repairing PGP and S/MIME at the level of the underlying architecture may take longer. It is recommended that users temporarily disable or uninstall PGP and S/MIME.
Solution
The Electronic Frontier Foundation (EFF) has issued guidelines for disabling PGP and related plug-ins, but the organization stated that these solutions are only temporary expedients.
The EFF recommends that users who are in urgent need of email encryption tools use an end-to-end encrypted instant messaging client to communicate. In addition, EFF specifically recommends that users immediately disable the following plug-ins or tools:
Thunderbird with Enigmail
Apple Mail with GPGTools
Outlook with Gpg4win
In addition, researchers emphasized that these vulnerabilities do not exist in the way encryption algorithms work, but rather in the way email encryption tools/plug-ins work.