Security researchers from Münster University of Applied Sciences, Ruhr University Bochum and the University of Leuven (Belgium) have found weaknesses in the widely used OpenPGP and S/MIME email encryption standards. Important: The encryption itself was not broken.
The vulnerabilities cause mail programs to forward encrypted emails to third parties in decrypted form. This is done by manipulating the original encrypted email.
The attack requires access to encrypted emails, either through a man-in-the-middle attack or through compromised mailboxes. The attacks also affect old encrypted emails. According to current knowledge, numerous standard e-mail programs are affected.
By default, the t-online mail portal does not offer PGP or S/MIME. However, customers can use this form of encryption via plug-ins, in which case the weaknesses described above apply to them as well.
Important: The use of e-mail encryption with PGP and S/MIME is still recommended!
Please also note the classification and instructions of the Bundesamt für Sicherheit in der Informationstechnik:
To exploit the vulnerabilities, an attacker must have access to the recipient's transport path, mail server, or e-mail inbox. In addition, active content must be allowed on the recipient's side, such as the execution of HTML code and in particular the loading of external content. This is currently the default, especially on mobile devices. E-mail client manufacturers have announced or provided updates for their products. Regardless of specific security updates, a secure configuration also provides protection.
To continue using e-mail encryption, users must observe the following:
- Active content in the e-mail client must be deactivated. This includes executing HTML code and loading external content, which is often allowed for design reasons.
- E-mail servers and e-mail clients must be secured against unauthorized access attempts.
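To see how much stored mail depends on the active content named in the first requirement, the following added example (not part of the original advisory or the BSI guidance) parses a raw message and lists its HTML parts and the external resources a client would fetch when rendering them. The sample message, the function names and the set of attributes checked are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from html.parser import HTMLParser

# Attributes whose value a rendering client fetches without user interaction
# (assumed, non-exhaustive set chosen for this example).
AUTO_FETCH_ATTRS = {"src", "background", "poster"}

def is_remote(url: str) -> bool:
    """True for references that leave the message (cid: and data: do not)."""
    return url.strip().lower().startswith(("http://", "https://", "//"))

class RemoteRefCollector(HTMLParser):
    """Collects (tag, url) pairs that would trigger an external request."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.remote = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            auto = name in AUTO_FETCH_ATTRS or (tag == "link" and name == "href")
            if auto and is_remote(value):
                self.remote.append((tag, value.strip()))

def audit_message(raw: bytes) -> dict:
    """Count text/html parts and list the remote resources they reference."""
    msg = message_from_bytes(raw, policy=policy.default)
    html_parts, remote = 0, []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html_parts += 1
        collector = RemoteRefCollector()
        collector.feed(part.get_content())
        collector.close()
        remote.extend(collector.remote)
    return {"html_parts": html_parts, "remote_refs": remote}

# Constructed sample message: one plain-text part and one HTML part.
SAMPLE = (
    b"From: a@example.org\r\nTo: b@example.org\r\n"
    b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain; charset=utf-8\r\n\r\nHello\r\n"
    b"--b1\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b'<p>Hello</p><img src="https://img.example.net/logo.png">'
    b'<img src="cid:inline1">\r\n--b1--\r\n'
)

if __name__ == "__main__":
    print(audit_message(SAMPLE))
```

A message that reports no HTML parts displays the same with active content switched off; one that lists remote references loses only those externally loaded elements.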