Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels
Credit: Poddebniak, Dresen, Muller, Ising, Schinzel, Friedberger, Somorovsky, and Schwenk
When you were young, just getting into the field, armed only with uuencoded temp file race exploits and a ragged blue edition of Applied Cryptography, this is the attack you dreamed someday you might put you name on: you straight-up broke PGP.
But time went on, life happened, you got big into deserialization attacks and but for a midlife crisis barely avoided become a web app security person. You stopped listening to Sublime, Soul Asylum broke up (please tell me soul asylum broke up) and somewhere along the line you stopped thinking about PGP. You let go of your dreams and they floated away.
But not the Münster and Ruhr security teams. They held on. While you rolled your eyes at mailing list posts and tweets about PGP problems, they took notes. They ran experiments. And eventually, they figured something out: the PGP email encryption, it’s a not so good, eh? Nobody could have predicted it, but it turns out sending rich HTML messages over an encryption protocol designed in the phlogiston era of cryptography wasn’t a great plan.
It’s a great attack and a great paper, full of gritty implementation details. They’re capturing messages, flipping bits in them to inject live content, working their way past DEFLATE compression, and in the end breaking the most PGP email clients. The various PGP projects lost their minds over this. It was a sight to see.