#eFail: How insecure email clients break encryption

Philipp Berger
neXenio
May 16, 2018

The latest news regarding modern email encryption paints encryption, the stronghold of IT security, in a bad light. In reality, it is the two ‘standards’ PGP and S/MIME, or more specifically their implementation in current email clients, that make users vulnerable.

PGP’s underlying email encryption mechanism, which is vulnerable to manipulation in transit

If an attacker succeeds in intercepting an email on its way from the sender to the receiver, he can manipulate the mail and add HTML tags to it. This invalidates the signature of the email, if any. To make matters worse, the signature checks of most mail clients are so bad that, at best, an invalid signature results in a warning.

In other words, the mail clients execute the malicious code instead of removing it and alerting the recipient. This allows the attacker to transfer the content and gain access to the unencrypted mail. Luckily, encrypted mail attachments are not affected by this loophole. A first piece of advice is therefore not to place confidential information in the mail content, but to put it in separate files sent as mail attachments.
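The client behaviour this paragraph says is missing (block on an invalid signature, remove injected markup, alert the recipient) can be sketched as follows. This is an added example, not code from the article or from any mail client; the status strings, names, tag lists and sample body are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumed policy for this sketch: decrypted mail is shown as plain text only.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "form", "link", "meta", "base"}
REMOTE_ATTRS = {"src", "href", "background", "action", "srcset", "poster", "data"}
HIDDEN_TEXT_TAGS = {"script", "style"}  # their contents are never displayed

class PlainTextRenderer(HTMLParser):
    """Collects visible text and records every construct that was dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self.alerts, self._hidden = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in HIDDEN_TEXT_TAGS:
            self._hidden += 1
        if tag in ACTIVE_TAGS:
            self.alerts.append(f"removed active element <{tag}>")
        for name, _ in attrs:
            # Remote-loading attributes and event handlers never reach the display.
            if name in REMOTE_ATTRS or name.startswith("on"):
                self.alerts.append(f"removed {name} attribute on <{tag}>")

    def handle_endtag(self, tag):
        if tag in HIDDEN_TEXT_TAGS and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden and data.strip():
            self.text.append(data.strip())

def render_decrypted(body, signature):
    """signature is 'valid', 'invalid' or 'none' (hypothetical status values)."""
    if signature == "invalid":
        # Hard failure instead of a dismissible warning: show nothing at all.
        return {"shown": False, "text": "", "alerts": ["signature invalid: message blocked"]}
    parser = PlainTextRenderer()
    parser.feed(body)
    parser.close()
    return {"shown": True, "text": " ".join(parser.text), "alerts": parser.alerts}

# Constructed sample: a decrypted body carrying markup the sender did not write.
SAMPLE = ('<p>Quarterly numbers are attached.</p>'
          '<img src="http://tracker.example/pixel" onload="x()">'
          '<script>fetch("http://tracker.example/")</script>')

if __name__ == "__main__":
    print(render_decrypted(SAMPLE, "none"))     # text only, three alerts
    print(render_decrypted(SAMPLE, "invalid"))  # nothing rendered
```

The alerts list is what the recipient would be shown alongside the plain text, so tampering is visible rather than silently rendered.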

Once again, modern cryptography does not end with the use of public key methods, but requires an end-to-end solution that can guarantee the integrity and security of the transmitted data. The most recent vulnerability, #eFail, demonstrates the consequences of adding security to software systems as an overlay rather than building it in from the early stages of planning. When it comes to the secure transfer of sensitive data, it is recommended to use software that approaches security as a dynamic process from the beginning.

The usage of an end-to-end encryption solution, like Bdrive, protects non-technical users from being vulnerable to such attacks. The desktop client of Bdrive not only verifies the integrity and authenticity of every data transmission, but also prevents the execution of any inserted malicious code. Further, Bdrive offers secure channels to receive and send data with non-Bdrive users.

From experience, we know that high quality security — of the standards required by our partners such as the Bundesdruckerei — requires planning from the onset of a software solution. We make it our priority to deliberate on the security architecture of our solution as well as to make it intuitive for non-technical users at every stage of the development: from conceptualization to implementation.
