
Explaining Efail and Why It Isn’t the End of Email Privacy

Author: Pedro Umbelino / Source: Hackaday

Last week the PGPocalipse was all over the news… Except that, well, it wasn’t an apocalypse.

A team of researchers published a paper (PDF) where they describe how to decrypt a PGP encrypted email via a targeted attack. The research itself is pretty well documented and, from a security researcher's perspective, it’s a good paper to read, especially the cryptography parts.

But we here at Hackaday were skeptical about media claims that Efail had broken PGP. Some media reports went as far as recommending everyone turn off PGP encryption on all email clients, but they weren’t able to back this recommendation up with firm reasoning. In fact, Efail isn’t an immediate threat for the vast majority of people simply because an attacker must already have access to an encrypted email to use the exploit. Advising everyone to disable encryption altogether just makes no sense.

Aside from the massive false alarm, Efail is a very interesting exploit to wrap your head around. Join me after the break as I walk through how it works, and what you can do to avoid it.

Efail Does Not Directly Exploit PGP

In a nutshell, if an attacker is able to get access to a user’s encrypted email, they can modify the message in a specific way and send it back to the user. The user’s email client will then decrypt the message and (if the email client is rendering HTML tags) automatically send the decrypted message back to the attacker.

The encryption itself is not broken in any way. It’s how the messages are processed by the user’s email client that introduces the vulnerability. Saying PGP is broken is just plain wrong — but we suppose it generates a lot of clicks.

The ability to exfiltrate data from within an email is an old subject. When email clients started adding the ability to render HTML, a lot of security issues were introduced. In the past, some email clients even treated email content just like a webpage, going as far as rendering JavaScript. What could possibly go wrong?…

Story Time: Tracking Pixels

One common technique used by the ads industry to track users on websites also works in HTML emails: the tracking pixel. The tracking pixel is a kind of web beacon in the form of a tiny image included inside a webpage or an email, which results in the software client making a request to another server. From these requests the server can usually identify the IP address of the requesting computer, the time the content was requested, the type of web browser that made the request, and the existence of cookies previously set by that server. In an email, it is also possible to know if the user has forwarded the email to another user, since each email sent by the ad company carries a tracking pixel with a code unique to each user.

Implementing a tracking pixel is just as easy as adding an image tag to an HTML email. Let's say an email has the following tag within:

<img src="http://attacker.domain.xyz/image-12345678.png" height="1" width="1"> 

When the email client tries to render the HTML, it tries to load the file ‘/image-12345678.png’ from the webserver located at attacker.domain.xyz in order to display it. The attacker-controlled webserver logs this request. If you have ever looked at a webserver log file this will look familiar:

11.22.33.44 - - [17/May/2018:00:25:18 +0100] "GET /image-12345678.png HTTP/1.1" 200 702 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36" 

In the above log entry, the webserver (Apache in this case) logs the IP address 11.22.33.44


The post Explaining Efail and Why It Isn’t the End of Email Privacy appeared first on FeedBox.
