Many are the occasions in which we have seen, in one way or another, how literally the internet is not safe. At this point, the truth is that if companies and multinationals around the world, the same ones that many users have trusted, have seen how cybercriminals have managed to access their servers and steal the passwords and personal data of millions of their users, imagine That can be done with much smaller applications where, in many cases, security takes a backseat.
Far from all this, the truth is that, and this is much more worrying, there are many security protocols, which until now seemed very secure, that are starting to fail. On this occasion we are not going to talk about an email or a company with a name and surname that offers you a secure email account, but precisely about the protocols that these secure platforms make, which, according to a group of researchers, could arrive to expose all your emails to anyone with sufficient knowledge.
PGP, the standard encryption protocol for email, has a critical vulnerability
Going into a little more detail, tell you that we are talking about the security protocols that today are used by many companies to encrypt and thus offer their customers a much more secure email service. Specifically we talk about PGP or S / MIME encryption algorithms, which, as has been discovered, suffers from a serious vulnerability whereby all encrypted plaintext emails can be exposed, even all those messages that you could send in the past.
In a much easier way to understand and referring to the words of Sebastian schinzel, one of the security specialists who have been working on this project and, in turn, professor of computer security at the University of Applied Sciences in Münster:
Email and anus is a secure means of communication
Electronica Frotier Foundation has been responsible for bringing to light this critical flaw in the PGP protocol
To give us an idea of the risk, tell you that This vulnerability was first detected by the Electronic Frontier Foundation precisely on Monday morning just after a large-circulation German newspaper broke a news embargo. Once all this information was made public, the group of European researchers involved in this discovery has literally started to announce that people should stop using PGP encryption algorithms altogether as, to this day, there are no reliable solutions against the vulnerability detected.
As the researchers have stated:
EFAIL attacks exploit vulnerabilities in the OpenPGP and S / MIME standards to reveal encrypted emails in plain text. Simply put, EFAIL abuses active content in HTML email, such as externally loaded images or styles, to filter the plain text through the requested URLs. To create these exfiltration channels, the attacker first needs to gain access to the encrypted emails, for example by intercepting network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.
The attacker changes an encrypted email in a certain way and sends this manipulated encrypted email to the victim. The victim's email client decrypts the email and loads any external content, exfiltrating the plaintext to the attacker.
Many are the security experts who think that this vulnerability has been overestimated
To know a little more about PGP, tell you that it is nothing more than an encryption software that, at least until now, has been considered as the standard for email security. This type of encrypted email, for many today something essential for their communications, began to worry many companies from all those reports where the enormous electronic surveillance that was being carried out by the United States government was announced .
Within the danger that this finding may pose, the truth is that there are many experts who bet that vulnerability has been overestimated And everyone is overreacting to this ad. An example of this we have in the words of Werner koch, lead author of GNU Privacy Guard who literally comments that the way to mitigate this problem is literally stop using HTML mail and use authenticated encryption.