DataMotion Direct and SecureMail not vulnerable to PGP or S/MIME EFAIL attacks
PGP and S/MIME have been in the news recently as a vulnerability has been exposed, and an attack vector observed. This post confirms that neither of the secure messaging services DataMotion provides is vulnerable. SecureMail does not use PGP or S/MIME, and while the Direct Secure Messaging protocol does use PGP, implemented per the specification, it is not vulnerable (as detailed in the excerpt from DirectTrust below). If you have questions or concerns about either service – please contact us.
Summary (the following information was published by DirectTrust, the governing body for the Direct Secure Messaging network).
EFAIL is a set of attacks used to exploit vulnerabilities in email clients that decrypt and display PGP and S/MIME encrypted messages by coercing them into sending the decrypted text of the emails to an attacker. Properly implemented, Direct is NOT vulnerable. However, we recommend that, if you are exchanging with anyone outside of the DirectTrust Network, you understand at a reasonable depth how their implementation protects against EFAIL.
How does EFAIL work?
EFAIL consists of two different attack scenarios that create “backchannels” to send the decrypted text to an attacker. Both require an attacker to first obtain the encrypted message.
Although the attacks are different, the end result is the same: a vulnerable email client sends the decrypted text to the attacker.
How is this relevant to Direct?
Direct uses S/MIME to encrypt messages, so in theory every Direct message could be vulnerable to this attack. However, Direct, when implemented correctly, is NOT vulnerable. The vulnerability is only applicable if decryption and rendering of the message are done in certain email clients like Thunderbird, iOS, Apple Mail, and some versions of Outlook. The best way to prevent EFAIL attacks is to decrypt S/MIME or PGP emails only in a separate application outside of your email client. For this purpose, a HISP is an external/separate application that decrypts messages and therefore removes the threat.
Why isn’t Direct vulnerable?
While the S/MIME specification has multiple options to encrypt and digitally sign a message, the Direct specification mandates a very specific profile of S/MIME. It is this profile that protects Direct from the vulnerabilities of EFAIL.
What has DirectTrust done to ensure proper implementations?
DirectTrust has implemented many safeguards to ensure proper implementations of Direct within its network:
What are the recommendations to protect against EFAIL?
In summary, DirectTrust members can be assured that proper Direct implementations in combination with the security and trust policies of the DirectTrust Network are not vulnerable to EFAIL attack.
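The excerpt recommends decrypting outside the mail client; the check below, an added example rather than DataMotion's or DirectTrust's code, is the kind of gate a separate decryptor (the HISP role described above) could apply before releasing a decrypted body to a renderer. It flags references an HTML renderer fetches automatically, which is the backchannel EFAIL's direct-exfiltration variant uses, and relies on the Python standard library only; the sample message and the collector.example.invalid host are constructed.

```python
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes a renderer fetches with no user action: the channel EFAIL's
# direct-exfiltration variant abuses to carry decrypted text out.
AUTO_FETCH_ATTRS = {"src", "background", "poster", "data"}

class _BackchannelFinder(HTMLParser):
    """Collect (tag, attribute, url) for every remote reference in the HTML."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # Boolean attributes carry no value; data:/cid: URLs fetch nothing remote.
            if (value and name in AUTO_FETCH_ATTRS
                    and urlsplit(value.strip()).scheme.lower() in ("http", "https")):
                self.refs.append((tag, name, value.strip()))

def find_backchannels(decrypted_mime: bytes) -> list:
    """List remote references in every text/html part of a decrypted message."""
    msg = message_from_bytes(decrypted_mime, policy=policy.default)
    finder = _BackchannelFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.refs

def safe_to_render(decrypted_mime: bytes) -> bool:
    """HISP-style gate: release the body to a mail client only if it is clean."""
    return not find_backchannels(decrypted_mime)

# Constructed sample standing in for a decrypted message; not a real capture.
SAMPLE = b"""\
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Lab results attached.
--b1
Content-Type: text/html

<p>Lab results attached.</p>
<img src="http://collector.example.invalid/c?x=" alt="">
<img src="data:image/png;base64,iVBORw0KGgo=" alt="inline data is fine">
--b1--
"""
```

This content gate addresses only the direct-exfiltration backchannel; EFAIL's CBC/CFB gadget variant has to be handled at the decryption layer (integrity checking of the ciphertext before any plaintext is released), not by filtering the decrypted body.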