In part one of this series we explained how EMail suddenly went EFail. This part discusses alternatives to PGP and S/MIME for truly secure email encryption.
A variety of "secure" messaging systems require the sender and recipient to share keys in advance, to log in to an online account to retrieve the information, or to sign up for the same service that the sender uses.
Consider two levels of email encryption:
When you encrypt for business compliance (as in Level 1), all you want is simplicity. Frama suggests RMail's default automatic email encryption. The system automatically detects the easiest way to provide security based on the recipient's systems and transmits using that method, adapting on every single message.
If you use encryption to protect business secrets from prying eyes (as in Level 2), for example financial, legal or investment banking strategies, Frama suggests using RMail's RPX for email encryption. RMail RPX encrypts the email on the sender's desktop, and it remains encrypted in the recipient's inbox as an AES 256-bit encrypted PDF file. It is then opened and decrypted outside the email client in a PDF reader (which makes the RMail RPX encryption immune to the EFail attack), which is exactly what security researchers recommend in light of the newly discovered EFail vulnerabilities.
What does all of this mean?
IT professionals frequently overlook the ease of use needed for broad acceptance. When the recipient is frustrated with the more secure process and says to the sender, "Just send the damn thing," the sender often just sends it, annoyed that a policy or process set up by his company's IT staff is frustrating the recipient.
If it's not easy to use (as mentioned in Level 1), people will work around the process; and they do, including those who know that they shouldn't. Automatic email encryption ensures the appropriate level of security and accountability, and users are not pushed into bypassing the process.
According to the recommendations of the BSI (German Federal Office for Information Security), you should apply the following settings if you are still working with email encryption such as OpenPGP and S/MIME:
Source
BSI https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2018/efail-schwachstellen_15052018.html
This article was originally written by RPost Tech Essentials and edited by Thomas Zurbrügg