Email Encryption with gpg4o Protected against Attacks
Dreieich/Frankfurt am Main, 2018/05/23 – On May 14th a group of researchers at the Fachhochschule Münster (Germany) released the so-called efail vulnerabilities. Press coverage ran under headlines such as "OpenPGP and S/MIME are hacked". A closer look showed that the most common standards in email encryption are not compromised directly. The efail scenarios are fairly complex, require several steps, and rely on errors in the interface between the mail client and the cryptographic library. For our part we can say that gpg4o, an add-in for Microsoft Outlook, is not vulnerable to these attacks in the current release combined with GnuPG 2.2.
The German IT Security Association (TeleTrust) likewise states that both technologies are still safe and that no one needs to disable them in a hurry. A similar statement has been released by the German BSI (Bundesamt für Sicherheit in der Informationstechnik).
Efail describes two different attack vectors against encrypted email following the OpenPGP standard. The first one was already closed in GnuPG 18 years ago: encrypted mail that appears to have been manipulated is detected by GnuPG and flagged as unsafe. The gpg4o add-in honours this flag and does not decrypt such content. The second attack vector describes the leakage of confidential data through manipulated HTML emails. Under certain conditions in the interaction between the email client and the crypto library, the decrypted content can be transmitted to a prepared external web server.
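The two defensive checks described above, modelled as an added illustration that is not gpg4o's own code: the first function honours the integrity (MDC) result that GnuPG reports on its status channel (`--status-fd`, keywords as documented in GnuPG's doc/DETAILS), and the second refuses to render decrypted HTML that references remote resources, so that a manipulated message cannot cause the client to send plaintext to an external web server. The status transcripts, key id and HTML fragments are constructed sample inputs; `may_render` and the helper names are assumptions for this example.

```python
"""Decide whether decrypted OpenPGP mail may be shown in an HTML view.

Added example, not gpg4o's implementation. Status keywords are those GnuPG
writes to --status-fd (doc/DETAILS); all sample inputs below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Keywords that settle the integrity question one way or the other.
GOOD_KEYWORDS = {"GOODMDC"}
BAD_KEYWORDS = {"BADMDC", "ERRMDC", "DECRYPTION_FAILED"}


def mdc_verdict(status_output: str) -> str:
    """Return 'ok', 'tampered' or 'unprotected' from GnuPG status-fd output.

    'tampered'     : GnuPG reported a failed modification-detection check.
    'unprotected'  : no GOODMDC line at all (MDC absent or stripped); a client
                     must treat this like tampering, not like a warning.
    """
    saw_good = False
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # plain stderr text, not a status line
        keyword = line.split()[1]
        if keyword in BAD_KEYWORDS:
            return "tampered"
        if keyword in GOOD_KEYWORDS:
            saw_good = True
    return "ok" if saw_good else "unprotected"


class _RemoteRefs(HTMLParser):
    """Collect attribute values that would trigger a network fetch on render."""

    AUTO_FETCH = {"src", "background", "poster"}  # fetched on any tag

    def __init__(self) -> None:
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            fetches = name in self.AUTO_FETCH or (tag == "link" and name == "href")
            if not fetches:
                continue
            scheme = urlsplit(value.strip()).scheme.lower()
            # cid: (inline attachment) and data: are local; only network schemes count
            if scheme in ("http", "https", "ftp"):
                self.remote.append((tag, name, value))


def remote_references(html_text: str) -> list:
    """List (tag, attribute, url) triples that point to remote hosts."""
    parser = _RemoteRefs()
    parser.feed(html_text)
    parser.close()
    return parser.remote


def may_render(status_output: str, html_text: str) -> tuple:
    """Combine both checks: (allowed, reason)."""
    verdict = mdc_verdict(status_output)
    if verdict != "ok":
        return (False, "integrity check: " + verdict)
    refs = remote_references(html_text)
    if refs:
        return (False, "%d remote reference(s) blocked" % len(refs))
    return (True, "ok")


# Constructed status transcripts (key id is a placeholder, not a real key).
GOOD_STATUS = """[GNUPG:] ENC_TO 0123456789ABCDEF 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] PLAINTEXT 62 1526310000
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION
"""
TAMPERED_STATUS = """[GNUPG:] ENC_TO 0123456789ABCDEF 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] BADMDC
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION
"""
# Constructed HTML bodies: one self-contained, one pulling remote resources.
CLEAN_HTML = '<html><body><p>Confidential report</p><img src="cid:logo@local"></body></html>'
REMOTE_HTML = ('<html><body><img src="https://remote.example/pixel.gif">'
               '<link rel="stylesheet" href="http://remote.example/s.css">'
               '<p>Confidential report</p></body></html>')

if __name__ == "__main__":
    print(may_render(GOOD_STATUS, CLEAN_HTML))      # (True, 'ok')
    print(may_render(GOOD_STATUS, REMOTE_HTML))     # blocked: remote references
    print(may_render(TAMPERED_STATUS, CLEAN_HTML))  # blocked: tampered
```

The order of the checks matters: integrity is decided first, so a message that fails the MDC check is never parsed as HTML at all, and an intact message is still kept from loading anything off the network.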
Our gpg4o team thoroughly tested the described attacks with malicious HTML emails against all supported releases of gpg4o and made sure that gpg4o in conjunction with GnuPG 2.2 will not release confidential data to the world. We recommend that all users make sure that their OpenPGP communication partners also use an email client that is not vulnerable to the efail scenarios.
Confidentiality and integrity of our valued customers' data have the highest priority at Giegerich & Partner. This is why thousands of customers worldwide rely on gpg4o. Through continuous improvements, Giegerich & Partner spares no effort to maintain and enhance this protection of our customers' data in future releases. For this reason we have published a maintenance release for all customers with a valid maintenance contract that improves the protection for all users still using gpg4o with GnuPG 1.4. For customers without a valid maintenance contract, a special offer to renew maintenance is available.