In recent years, email encryption has been one of the best ways to send confidential emails safely, especially for businesses. We all knew that this wasn’t the panacea for all corporate cybersecurity woes, but generally speaking, we thought it was probably the best option for keeping emails safe.
However, nothing is perfect. Very few technologies can stand the test of time; even those we thought most reliable aren’t impervious to the world’s relentless pace of change. And if you’re not sure about that, just ask the creators of the PGP/GPG and S/MIME protocols. The controversy has a name: EFail.
Who’s to blame for EFail?
According to a group of cybersecurity researchers, both protocols could be affected by a serious vulnerability that allows access to the content of apparently encrypted, impregnable emails. Confirmation by the Electronic Frontier Foundation (EFF) has brought a new dimension to the controversy, legitimizing the research and the security concerns it has brought up.
This is no small matter: the average user probably isn’t even aware of the PGP/GPG and S/MIME protocols, but the fact is that they are the most commonly used when it comes to encrypting emails. The practice is especially common in the business world, where the confidential nature of emails makes the use of this type of tool, which has now been called into question, a must.
But this isn’t the end of the battle. The creator of the PGP protocol, Phil Zimmermann, doesn’t agree with this assessment. In a statement, he affirms that any suspicions about his technology are totally unfounded: according to his explanation, the vulnerabilities detected in no way affect his protocol, but rather affect only the implementation of the protocol in several email clients (Mozilla Thunderbird, iOS Mail or Apple Mail).
For Werner Koch, another of the developers singled out by the controversy, the problem doesn’t lie with the protocol in question, but in the use of HTML code when writing and viewing emails, a practice that, according to him, is most likely the real reason for the vulnerabilities.
What do we do now?
Beyond this exchange of accusations, the question remains: what can we do about this? What about companies that believed that they were eliminating the risk of leaks by using PGP/GPG or S/MIME? Is the cybersecurity that they thought was safe now at risk? And more importantly, what do they need to do to mitigate the problem?
In the last few weeks, the EFF has offered some recommendations on how companies that have been affected can protect their cybersecurity and avoid possible unwanted access to their email communications.
1.- ‘Deactivate’ the vulnerabilities
The EFF gives some credit to Zimmermann’s theory that in order to get rid of the vulnerabilities in these protocols, the best thing isn’t to get rid of the protocols themselves, but to disable third-party software on the email client. To do this, the foundation offers several tutorials on how to avoid problems if a company has been reliant upon platforms like Gpg4win or GPGTools, among others.
2.- Do away with HTML
If inserting HTML code into emails is one of the main causes of these vulnerabilities, the best thing may be to do away with this type of rendering. This will only serve as a temporary measure, since, in the meantime, the EFF affirms that it will keep investigating how to improve the security of the protocols that have been affected.
3.- Use different encryption methods
In any case, the Electronic Frontier Foundation considers that the encryption offered by the PGP/GPG and S/MIME protocols may not be the best. As an alternative, the organization proposes that users fall back on end-to-end encryption which, as has recently been shown, is capable of adapting perfectly to any vulnerabilities which may crop up. In their opinion, the best example is Signal.
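To illustrate recommendation 2, here is an added example (not code from the EFF, the researchers or this article) of displaying a message without HTML rendering: it prefers `text/plain` parts, falls back to tag-stripped text, and lists the remote URLs an HTML renderer would have loaded automatically. The names `render_plain` and `_TextOnly` are hypothetical and the sample message is constructed.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample: an HTML-only message that references a remote image.
SAMPLE = (
    "From: alice@example.com\r\n"
    "To: bob@example.com\r\n"
    "Subject: Q3 figures\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body><p>Figures attached.</p>"
    '<img src="http://tracker.example.net/pixel.png"></body></html>\r\n'
)

class _TextOnly(HTMLParser):
    """Collects visible text plus URLs in attributes that load automatically."""
    def __init__(self):
        super().__init__()
        self.text, self.remote = [], []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            auto = name in ("src", "background") or (tag == "link" and name == "href")
            if auto and value and value.lower().startswith(("http://", "https://")):
                self.remote.append(value)

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())

def render_plain(raw):
    """Return (text, remote_urls); nothing is rendered as HTML or fetched."""
    msg = email.message_from_string(raw, policy=policy.default)
    plain, html_text, remote = [], [], []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_disposition() == "attachment":
            continue
        if part.get_content_type() == "text/plain":
            plain.append(part.get_content().strip())
        elif part.get_content_type() == "text/html":
            parser = _TextOnly()
            parser.feed(part.get_content())
            parser.close()
            html_text.append(" ".join(parser.text))
            remote.extend(parser.remote)
    # Prefer genuine text/plain parts; otherwise show tag-stripped HTML text.
    return "\n".join(plain or html_text), remote
```

A non-empty URL list on an incoming encrypted message is worth logging, since those are requests the mail client would have made on the reader's behalf had HTML rendering been left on.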
As such, the ball is in the developers’ and experts’ court. They will have to provide patches to solve the problem; but it is also important that companies don’t forget about their own cybersecurity. This situation shows that encryption can’t guarantee that communications are 100% secure. Companies should adopt measures to protect their systems from possible attacks that could exploit information gained from intercepted emails. If you want a solution that can help you to avoid unwanted visitors, you can try Panda Adaptive Defense, the tool that will help you to batten down the hatches of your company’s IT security.