
#EFail Security Flaw in Email Encryption (2)


In part one of this series we explained how EMail suddenly went EFail. This part discusses alternatives to PGP and S/MIME for truly secure email encryption.

A variety of "secure" messaging systems require the sender and recipient to share keys, to login to get access to information in an online account, or to sign up to the same service that the sender uses.

Consider two levels of email encryption:

  1. Encryption for Compliance: As simple as possible for the recipient, yet secure enough to meet regulated data privacy standards such as GDPR.
  2. Encryption to Protect Strategic Secrets: Remains encrypted through the sender's IT organization and email servers, and while inside the recipient inbox, to protect from prying eyes at the sending side, recipient side, and while stored in sender or receiver email archive service.

When you encrypt for business compliance (as in Level 1), all you want is simplicity. Frama suggests RMail's default automatic email encryption. The system automatically detects the easiest way to provide security based on the systems of the recipient and transmits using this best method by adapting on every single message.

If you use encryption to protect business secrets from prying eyes (as in Level 2), for example financial, legal or investment banking strategies, Frama suggests using RMail's RPX for email encryption. RMail RPX encrypts the email on the sender's desktop, and it remains encrypted in the recipient's inbox as an AES 256-bit encrypted PDF file. It is then opened and decrypted outside the email client, in a PDF reader, which makes RMail RPX encryption immune to the EFail attack: decrypting outside the email client is exactly what security researchers recommend in light of the newly discovered EFail vulnerabilities.

What does all of this mean?

IT professionals frequently overlook the ease of use needed for broad acceptance. When the recipient is frustrated with the more secure process and says to the sender, "Just send the damn thing," the sender often just sends it, frustrated that he is frustrating the recipient with a policy or process set up by his company's IT staff.

If it's not easy to use (as mentioned in Level 1), people will work around the process; and they do, including those who know that they shouldn't. Automatic email encryption ensures the appropriate level of security and accountability, and users are not forced into bypassing the process.

According to the recommendations of the BSI (German Federal Office for Information Security), you should apply the following settings if you are still using email encryption such as OpenPGP and S/MIME:

  • Deactivating "active content" in the email client is required. This includes the rendering of HTML code and the reloading of external content, which is often permitted for design reasons.
  • Email servers and email clients must be protected against unauthorized access attempts.
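The "active content" the BSI recommendation refers to is HTML rendering and the loading of remote resources, and a mail gateway can check for it before a message reaches a client that still has those features switched on. The following script is an added example written for this article, not code from Frama, RPost or the BSI: it parses a raw RFC 5322 message with Python's standard `email` package, counts HTML parts, lists remote resources and active tags found in them, and records whether the same message also carries an encrypted container (`multipart/encrypted` for OpenPGP, `application/pkcs7-mime` for S/MIME). The sample messages, the `remote.example.com` URL and the gateway decision names are constructed for the demonstration.

```python
import re
from email import message_from_bytes, policy

# Constructed sample: an HTML part with a remote image sits in the same
# message as an OpenPGP-encrypted container (placeholder ciphertext).
SAMPLE_EML = b"""From: alice@example.com
To: bob@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset="utf-8"

<html><body><img src="https://remote.example.com/pixel.gif"><p>Hello</p></body></html>
--outer
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="inner"

--inner
Content-Type: application/pgp-encrypted

Version: 1
--inner
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder ciphertext)
-----END PGP MESSAGE-----
--inner--
--outer--
"""

# Constructed sample: a plain-text message with nothing to flag.
PLAIN_EML = b"""From: alice@example.com
To: bob@example.com
Subject: constructed plain sample
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Just text, no HTML.
"""

# Content types that wrap encrypted (or S/MIME-protected) payloads.
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime", "application/x-pkcs7-mime"}

# Remote resources an HTML-rendering client would fetch automatically.
REMOTE_ATTR = re.compile(r"""\b(?:src|href|background|poster)\s*=\s*["']?\s*(https?://[^"'\s>]+)""", re.I)
REMOTE_CSS = re.compile(r"""url\(\s*["']?\s*(https?://[^"')\s]+)""", re.I)
# Tags that execute or embed content rather than merely format text.
ACTIVE_TAG = re.compile(r"<\s*(script|iframe|object|embed|form|meta|link)\b", re.I)


def audit_message(raw: bytes) -> dict:
    """Report the active content in a raw message and whether it shares the
    message with an encrypted container."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {"html_parts": 0, "remote_refs": [], "active_tags": [], "encrypted_parts": 0}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ENCRYPTED_TYPES:
            report["encrypted_parts"] += 1
        elif ctype == "text/html":
            report["html_parts"] += 1
            html = part.get_content()  # decoded str for text/* with policy.default
            report["remote_refs"] += REMOTE_ATTR.findall(html) + REMOTE_CSS.findall(html)
            report["active_tags"] += [tag.lower() for tag in ACTIVE_TAG.findall(html)]
    # The combination the BSI setting defends against: an HTML part that would
    # trigger remote loads next to encrypted content in the same message.
    report["mixes_encrypted_and_remote_html"] = (
        bool(report["remote_refs"]) and report["encrypted_parts"] > 0
    )
    return report


def gateway_decision(report: dict) -> str:
    """Hypothetical gateway policy derived from an audit report."""
    if report["mixes_encrypted_and_remote_html"]:
        return "quarantine"   # hold for review; do not let a client render it
    if report["remote_refs"] or report["active_tags"]:
        return "strip-html"   # deliver the message without its HTML parts
    return "deliver"


if __name__ == "__main__":
    for name, eml in (("sample", SAMPLE_EML), ("plain", PLAIN_EML)):
        rep = audit_message(eml)
        print(name, gateway_decision(rep), rep)
```

The check is deliberately coarse: it does not decrypt anything and does not decide whether a given remote reference is malicious, it only identifies the messages on which a client's "load remote content" setting would matter, so that those can be handled before the client gets to make that choice.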

This article was originally written by RPost Tech Essentials and edited by Thomas Zurbrügg

RPost US INC. is the inventor of RMail. With its unique and powerful functionality it has reached millions of users around the world.
