EFF researchers had this to say about the newly discovered vulnerability:
“In a nutshell, Efail abuses active content of HTML emails (for example, externally loaded images or styles) to exfiltrate plaintext through requested URLs. The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim’s email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.”
In simpler terms, it’s about as bad as it could possibly get. Once a hacker has access to your email account, they can use the embedded HTML tags inside your mail to force your email system to decrypt those messages so the hackers can see exactly what they contain.
EFF’s recommendation is that if you rely on either PGP or S/MIME for email encryption, your best bet is to simply disable them, and uninstall the tool or tools used to decrypt those messages.
It should be noted however, that there are others in the security community who disagree with this assessment. A spokesman for ProtonMail tweeted out the following response:
“Efail is a prime example of irresponsible disclosure. There is no responsibility in hyping the store to @EFF and mainstream media and getting an irresponsible recommendation published (Disable PGP), ignoring the fact that many (Engimail, etc.) are already patched.”
Despite the divided opinion, if it’s something you’re concerned about, you can neatly side step the problem by simply opting for plain text messages, rather than using HTML-emails. If you have questions regarding your email security, contact us and we can help.