Mailvelope

Security researchers from the University of Münster and Bochum in Germany and of KU Löwen in Belgium have yesterday released their research paper Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels.

A common misconception with the interpretation of Efail has been that the OpenPGP standard as such is broken. What we see instead are implementation errors in email clients when integrating PGP functionality. Mailvelope is not an email client and the architectural separation between webmail client and the Mailvelope browser extension that encapsulates the encryption logic has shown to have advantages in the resilience against the Efail findings. Mailvelope is not affected by those critical vulnerabilities.

In the following we will provide an overview of vulnerabilities found and their possible impact on Mailvelope and its users.

The findings of the Efail paper can be divided in 3 categories.

Direct Exfiltration

According to our view this is the most severe finding. This vulnerability can be used to give an attacker access to the complete plaintext of an encrypted message and was found in email clients like Thunderbird or Apple Mail.

The exploit uses implementation errors in emails clients that result in insufficient isolation between decrypted content and other parts of the email structure. Mailvelope is not affected by this vulnerability. There is a strong isolation between the decrypted content of the email and the webmail client that prevents this sort of attack in Mailvelope.

The CFB Gadget Attack

The Efail authors describe an attack on the CFB mode used in OpenPGP to exfiltrate the plaintext. Deficiencies of this block cipher mode that uses unauthenticated encryption are well known and led to the introduction of integrity protection in OpenPGP with the MDC feature (around the year 2000). A PGP client that strictly enforces usage of integrity protection is not vulnerable to Efail's "crypto gadgets".

OpenPGP.js as the underlying crypto library of Mailvelope has a strict check on integrity protection since 2015 that prevents this type of attack for the vast majority of all PGP keys generated in the last ~15 years that have AES as the preferred symmetric encryption algorithm, which is the default in all relevant PGP implementations.

In summary: Mailvelope users that have generated their private key in Mailvelope or in general use PGP keys which are not older than ~15 years are not affected by the CFB gadget attack.

The remaining risk of older PGP keys has been eliminated with the release of Mailvelope 2.2.2 today where we completely block decryption with unauthenticated older algorithms.

Backchannels

Mailvelope does not block external resources loaded in HTML emails. As a result there is a general problem with leaking meta data. This is a known issue in Mailvelope and we are planning to block external resources in HTML emails by default and make loading only optionally available.

But this problem should not be confused with the critical direct exfiltration of plaintext as described above. An attacker could at most find out about the IP address of the Mailvelope user or the time the email was decrypted, but never about the content of the message.

Conclusion

Efail has found severe issues in email clients but also created a lot of uncertainty due to media coverage and the notion of PGP being broken. The impact of the Efail findings on Mailvelope users are minor, there has been no way to extract the plaintext of the message in Mailvelope, if the PGP key has been generated with Mailvelope and the communication was from a Mailvelope to Mailvelope user.

Still we are constantly working on improving Mailvelope, and an upcoming release should provide improvements towards the elimination of leaking meta data.