Email remains the least common denominator when two or more people communicate over the Internet. While many modern messengers use end-to-end (e2e) encryption by default, email relies on transport encryption among email servers, which offers a much weaker protection.
OpenPGP and S/MIME are two competing standards that bring e2e encrypted communication to email. While S/MIME is mostly used in corporate environments and built into many of the widely used email clients, OpenPGP often requires that users install additional software and plugins. Both technologies never reached large deployment, mostly because both suffer from a range of usability issues. However, it is commonly assumed that if one manages to use OpenPGP or S/MIME to encrypt emails, it is very secure.
In this talk, I’ll discuss several attacks that leak the plaintext of OpenPGP or S/MIME encrypted emails to an attacker. Some of the attacks are technically interesting, i.e. the two different efail attacks, some are somewhat silly, yet effective. Some abuse HTML emails, some also work with plain ASCII emails.
The disclosure of the efail vulnerabilities caused a lot of stir in the press and the community, which also led to confusion about how the vulnerabilities work, about the mitigations and about the consequences for the OpenPGP and S/MIME standards. I’ll discuss our lessons learned and describe the efail-related changes to mail clients and the OpenPGP and S/MIME standards.