Slashdot Mirror


In Apple Mail, There's No Protecting PGP-Encrypted Messages (theintercept.com)

It has been nearly two weeks since researchers unveiled "EFAIL," a set of critical software vulnerabilities that allow encrypted email messages to be stolen from within the inbox. The Intercept reports that developers of email clients and encryption plugins are still scrambling to come up with a permanent fix. From the report: Apple Mail is the email client that comes free with every Mac computer, and an open source project called GPGTools allows Apple Mail to smoothly encrypt and decrypt messages using the 23-year-old PGP standard. The day the EFAIL paper was published, GPGTools instructed users to work around EFAIL by changing a setting in Apple Mail to disable loading remote content. Similarly, the creator of PGP, Phil Zimmermann, co-signed a blog post Thursday stating that EFAIL was "easy to mitigate" by disabling the loading of remote content in GPGTools. But even if you follow this advice and disable remote content, Apple Mail and GPGTools are still vulnerable to EFAIL.

I developed a proof-of-concept exploit that works against Apple Mail and GPGTools even when remote content loading is disabled (German security researcher Hanno Böck also deserves much of the credit for this exploit, more on that below). I have reported the vulnerability to the GPGTools developers, and they are actively working on an update that they plan on releasing soon.

25 comments

  1. Good by Anonymous Coward · · Score: 0

    It would only provide a false sense of security from a failed encryption utility.

    1. Re: Good by Anonymous Coward · · Score: 1

      Uhh PGP has not been broken.
      This has to do with after decryption.
      The utility is fine, remote content in e-mail is broken.

  2. Drop PGP and be done and safe by Anonymous Coward · · Score: 0

    This nonsense needs to stop. Zimmermann even tells you to.

    1. Re:Drop PGP and be done and safe by Anonymous Coward · · Score: 1

      Drop Apple(tm) Mail and be safe. PGP gives an error that the mail client ignores!

    2. Re:Drop PGP and be done and safe by v1 · · Score: 2

      I don't see why anyone USES PGP on a Mac. Just go get a free certificate from any of several sources (free for personal use) and import it and DONE. All 100% integrated and supported in Apple Mail. Has had this built in for YEARS. Buying PGP is like buying another headlight for your car... your car already has two and they work MUCH better than any aftermarket you might be looking at.

      --
      I work for the Department of Redundancy Department.

    3. Re:Drop PGP and be done and safe by Anonymous Coward · · Score: 0

      S/MIME clients are even more broken than PGP clients.

  3. Thunderbird? by Anonymous Coward · · Score: 0

    The more I learn about or use other email clients, the more I love Thunderbird.

    1. Re:Thunderbird? by Anonymous Coward · · Score: 0

      +1

      I only wish Mozilla still loved it.

    2. Re:Thunderbird? by Anonymous Coward · · Score: 0

      Even Churchill agreed:

      Indeed it has been said that Thunderbird is the worst email client except for all those other email clients that have been tried from time to time.

  4. Encrypted text preamble to protect the content by IMarvinTPA · · Score: 1

    > '> ">
    Would > '> "> at the start of any encrypted message prevent the issue from sending the real content from going anywhere?

    Thanks,
    IMarv

    1. Re:Encrypted text preamble to protect the content by olsmeister · · Score: 1

      My solution is to put this at the end of every e-mail I send. It's worked great so far.

      This message is for the named recipient(s) only. It may contain confidential, proprietary or legally privileged material not waived or lost by any mistransmission. Any interception, disclosure or use of this communication by other persons is unlawful. You must not, directly or indirectly, use disclose, distribute, print or copy any part of this message if you are not the intended recipient. If you believe you have received this communication by mistake, please delete it and all copies from your system, destroy any hard copies and notify the sender.

  5. Sensationalist bullshit by Anonymous Coward · · Score: 4, Insightful

    Puts Apple in the headline, even though Apple has nothing to do with this -- the vulnerability is strictly within the open source plugin that people use with Apple Mail.

    Additionally he trumpets that it works against systems with "load remote content" turned off... and then buries *way* down his page that his exploit requires that the user clicks a link.

    WTF? Clicking links in email has *NEVER* been safe.

    Your super amazing "exploit" is that you can con the user into clicking a malicious link and use an already existing vulnerability on that basis? Wow. Welcome to super genius mode, dude.

    1. Re:Sensationalist bullshit by Blasphemy · · Score: 1, Insightful

      Agreed, this story is bullshit. The problem is not with Apple Mail, but with GPG Tools. Disable or remove GPG Tools and you are good to go.

    2. Re:Sensationalist bullshit by Anonymous Coward · · Score: 0

      It's msmash. If they can spin it to be negative and relate it to Apple in any way, shape or form -- you got yourself a /. post!

    3. Re:Sensationalist bullshit by Anonymous Coward · · Score: 1

      Am I missing something?

      Wouldn't removing GPG Tools simply revert the mail to regular email, that is, the kind that is easily MITMable right now?

      At least GPG Tools puts the email in an envelope, even if it can be opened and read en-route by someone intent on doing so.

    4. Re:Sensationalist bullshit by MatthiasF · · Score: 1

      If you watch the video and take the demonstration as genuine, clicking the link somehow shares the content of a different email message.

      That's kind of a leap for even a plugin vulnerability with the remote execution turned off.

      Mind you, this could all be bull. He could have staged it by hiding the pass phrase sentence mentioned in a hash in the link from the second email.

      We won't know until someone confirms.

  6. Always mention Apple for the most Clicks... by TheFakeTimCook · · Score: 1

    According to TFS, Apple Mail is not the ONLY Mail Client/Plugin that is affected:

    "The Intercept reports that developers of email clients and encryption plugins are still scrambling to come up with a permanent fix. "

    That sentence tells me it is more than Apple Mail that is affected; yet the Title makes it sound that way.

    Why?

    Oh, right: Clickbait.

  7. Was this ever an issue? by Anonymous Coward · · Score: 0

    What rational thinking person would default-load remote content from an encrypted email to begin with? It was an obviously horrible idea from t=0. Do people seriously do it? I've always had my mailer configured to not do that. In fact also for non-encrypted mail, because that's a bad idea too.

    1. Re:Was this ever an issue? by Anonymous Coward · · Score: 0

      This variant exploits Apple Mail even if remote content loading is disabled.

  8. POSTED BY MSMASH?!?!?! by Anonymous Coward · · Score: 0

    A negative Apple story posted by msmash? Must be a day that ends with "-day"!

  9. Just use the command line tools by Anonymous Coward · · Score: 0

    I have always just used the command line tools to encrypt messages. Just cut and paste. Much easier to learn, understand and use overall when you think of it from the big picture perspective.

  10. Solution: by Heebie · · Score: 1

    Easy solution: Don't set up encryption in your e-mail products, but instead, (en|de)crypt all messages outside of the e-mailer, using copy/paste to get the messages into or out of your e-mail client, or even by using attachments and .ASC files etc. If you have a clue, getting around that flaw is child's play.

  11. msmash is lame by Anonymous Coward · · Score: 0

    Either doesn't understand the vulnerability or is calling out Apple because it will attract more eyes.

  12. Isn't GPGTools redundant? by Anonymous Coward · · Score: 0

    Apple Mail already has public-key encryption built in, albeit S/MIME rather than PGP. I don't see why it would make a difference for most people.