EndCryptor is not vulnerable to the EFAIL attack


On May 13, 2018 researchers published findings concerning an attack on OpenPGP and S/MIME, see https://www.efail.de : "EFAIL describes vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME that leak the plaintext of encrypted emails." and "While it is necessary to change the OpenPGP and S/MIME standards to fix these vulnerabilities, some clients had even more severe implementation flaws allowing straightforward exfiltration of the plaintext.".

The techniques used in the attack cannot be applied to EndCryptor; the reasons are given below.

The attack uses the properties of specific email clients and their plugins and the properties of the OpenPGP and S/MIME standards. The first warnings to those affected vendors the researchers were aware of were sent on October 25, 2017. In some cases the attack has been possible for over 10 years.

The EFAIL attack the researchers published has two forms: an easily applied one and a more challenging one.

1. In its easiest form an attacker modifies the unencrypted HTML part of a previously obtained encrypted email and then sends the email to the victim. Upon receiving this modified email the victim's email client decrypts it and then sends the decrypted content to the web server of the attacker.

Here are some S/MIME clients that the researchers list as vulnerable: Outlook: 2007, 2010, (2013, 2016 victim interaction required), Win. 10 Mail, Win. Live Mail, IBM Notes, Thunderbird, Apple Mail, iOS Mail and GMail.

Some of the vulnerable OpenPGP clients and plugins: Thunderbird/Enigmail and Apple Mail/GPGTools.

2. The more challenging EFAIL attack modifies the encrypted part of the email. This enables a further attack that reveals the plaintext. The modification is possible because of complexities and shortcomings in the standards and in the behaviour of client software. The researchers of the EFAIL attack say: "The S/MIME standard does not provide any effective security measures countering our attacks." and "OpenPGP provides Message Modification Codes and we could observe several OpenPGP implementations that were not vulnerable to our attacks because they dropped ciphertexts with invalid MDCs. Unfortunately, the OpenPGP standard is not clear about handling MDC failures. The standard only vaguely states that any failures in the MDC check 'MUST be treated as a security problem' and 'SHOULD be reported to the user'. Furthermore, the standard still supports SE packets which offer no integrity protection.".

It can be argued that from the viewpoint of preventing the attack S/MIME is more severely affected than OpenPGP. One can only say that S/MIME has failed really badly, especially because it is used mostly by companies and governmental organizations.

After the EFAIL attack was published, other security researchers found new ways to perform the attacks in response to the first solutions meant to prevent it.

EndCryptor does not use the OpenPGP or S/MIME standards and receives the encrypted email as an attachment delivered by an IMAP server. There is no HTML code processed by EndCryptor that the attacker could modify. The file that is received is checked to have a valid MAC and signature, so it cannot be modified by the attacker.
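The difference between dropping a message on a failed integrity check and decrypting it anyway can be shown in a few lines. This is an added example, not EndCryptor's code: the message layout (ciphertext followed by an HMAC-SHA256 tag), the stand-in cipher and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes


def _xor_stream(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher (SHA-256 in counter mode, no nonce): illustration only.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then append a MAC computed over the ciphertext."""
    ct = _xor_stream(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_unchecked(enc_key: bytes, blob: bytes) -> bytes:
    """Decrypt while ignoring the tag: altered ciphertext yields altered plaintext."""
    return _xor_stream(enc_key, blob[:-TAG_LEN])


def open_checked(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; on failure release no plaintext at all."""
    if len(blob) < TAG_LEN:
        raise ValueError("message too short")
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC check failed, message dropped")
    return _xor_stream(enc_key, ct)


if __name__ == "__main__":
    ek, mk = b"E" * 32, b"M" * 32  # constructed demo keys
    blob = seal(ek, mk, b"meet at 10:00")
    bad = bytes([blob[0] ^ 1]) + blob[1:]  # constructed one-bit change in transit
    print(open_unchecked(ek, bad))  # decrypts to changed text without complaint
    try:
        open_checked(ek, mk, bad)
    except ValueError as err:
        print(err)
```

The receiver that checks the tag never hands modified plaintext to a renderer, which is the behaviour the researchers observed in the OpenPGP implementations that dropped ciphertexts with invalid MDCs.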

When processing the decrypted content and rendering it to the user, EndCryptor does this in offline mode with scripting disabled. Even if the true sender had placed hostile HTML in his/her own message, it cannot do any harm, such as revealing the receiver's IP address.