The Recent Concerns with OpenPGP and S/MIME Encryption

On Monday, May 14th, the Electronic Frontier Foundation (EFF) reported that European researchers had discovered core problems and commonplace implementation flaws in the S/MIME and OpenPGP protocol specifications. The vulnerability, which the researchers have described as EFAIL, can reportedly expose the content of encrypted emails (even messages sent in the past) to be viewed. The EFAIL vulnerability affects many email clients that use S/MIME and OpenPGP. There is a list of email clients with vulnerabilities by protocol in an article posted at thehackernews.com.

It’s very important to understand that to be at risk for this vulnerability, attackers would need access to your emails. This means that your email system has been compromised by an attacker who has access to the encrypted emails through tactics such as eavesdropping on network traffic (also known as a man-in-the-middle (MITM) attack), compromised email accounts, access to email servers, backup systems or client computers, usually achieved through social engineering attacks, such as Phishing and other tactics.

We have checked our own web-based email client (MDaemon Webmail) and our MDaemon OpenPGP-based encryption feature. Our results show that MDaemon Webmail is not vulnerable. However, the MDaemon email server OpenPGP feature is partially vulnerable to one implementation flaw. We have released a patch for affected versions of MDaemon email software, which can be found here. The current version of the MDaemon email server, v18.0.1, includes this fix.

A Reminder on the Best Email Security Practices

This latest issue should remind us all about the importance of email security practices as a whole.  Implementing strong passwords, two-factor authentication, location screening, SSL/TLS, SMTP AUTH, IP Shielding, dynamic screening, freezing accounts after failed authentication attempts, all play a role in helping to keep your accounts and your email safe. You can review a list of email security features in MDaemon here.

If you’ve implemented security to help protect malicious people from accessing your email accounts, then you are less likely to have an account compromised and you will be better protected against these types of attacks and vulnerabilities.

Ongoing Monitoring

While the researchers go into some depth to expose issues deep within the S/MIME and OpenPGP specification documents, these encryption protocols may need specification changes to address the longer-term issues mentioned in the initial report. MDaemon Technologies will continue to monitor this issue.

Additional Resources

We have provided links to past blog posts that cover a number of email security topics to provide additional information:

Thwart Hackers with Strong Password Policies

Are You Taking the Security of Your Email Account Seriously?

Why Passwords May Not Keep Your Email Safe

Block Incoming Connections by Country with MDaemon’s New Location Screening Feature

SSL & TLS Best Practices

Block Hackers from Guessing Passwords with MDaemon’s Improved Dynamic Screening

Are You Doing Enough to Protect Your Email Privacy?

Follow These 13 Tips to Avoid Being Blacklisted

New Security & Collaboration Features for MDaemon 17.5!

Introducing SecurityGateway 5.0, with New Location Screening, Terms of Service Agreements, and More!

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  
  •