- eco Association recommends workaround until updates are installed
- “No encryption is also no solution”
Despite the recently detected security vulnerability “Efail,” companies and consumers should continue to send encrypted emails. This is the recommendation of experts from eco, the Internet Association. In principle, only encrypted emails can ensure that the confidentiality of messages is maintained. The vulnerability in no way means that email encryption with the widely used OpenPGP and S/MIME standards should no longer be recommended.
However, users should make sure that they actively turn off automatic decryption, which is often enabled by default, and also switch off the automatic reloading of external content such as images in their mail software. They should also install any updates provided as soon as they become available.
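The two settings recommended above (and revisited below, where users are told to keep automatic decryption off until updates land) can be checked rather than trusted. The following script is an added example and not part of the eco statement or the BSI guidance: it parses a Thunderbird-style `prefs.js`/`user.js` file and reports whether the workaround is in place. The preference names `mailnews.message_display.disable_remote_image` and `extensions.enigmail.autoDecrypt` are assumptions about the client's key names and must be adapted to the mail software actually in use; the two profile snippets are constructed samples.

```python
"""Audit a Thunderbird/Enigmail-style preference file for the Efail
workaround: remote content loading off, automatic decryption off.

Added example, not from the eco article. The preference names below are
assumed (typical Thunderbird/Enigmail keys); adapt them to your client.
"""
import re

# Required hardened values. Key names are assumptions, see module docstring.
HARDENED = {
    "mailnews.message_display.disable_remote_image": True,   # block remote images/content
    "extensions.enigmail.autoDecrypt": False,                # no automatic decryption
}

# Matches lines such as:  user_pref("some.key", true);
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);')


def parse_prefs(text):
    """Parse prefs.js / user.js lines into a dict of key -> bool|int|str.

    Later lines override earlier ones, as the client itself does.
    Comments, blank lines and unrelated syntax are ignored.
    """
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.groups()
        if raw == "true":
            value = True
        elif raw == "false":
            value = False
        elif raw.startswith('"'):
            value = raw[1:-1]
        else:
            value = int(raw)
        prefs[key] = value
    return prefs


def audit(prefs):
    """Return {key: status} for every required setting.

    'ok'    - explicitly set to the hardened value
    'weak'  - present but not hardened
    'unset' - absent, so the client's preset default applies; since that
              default is often the weak one, treat 'unset' as needing review
    """
    report = {}
    for key, wanted in HARDENED.items():
        if key not in prefs:
            report[key] = "unset"
        elif prefs[key] == wanted:
            report[key] = "ok"
        else:
            report[key] = "weak"
    return report


def is_hardened(text):
    """True only if every required setting is explicitly hardened."""
    return all(status == "ok" for status in audit(parse_prefs(text)).values())


# Constructed sample: a profile still carrying the weak preset values.
WEAK_PROFILE = """// Mozilla User Preferences (constructed sample)
user_pref("mailnews.message_display.disable_remote_image", false);
user_pref("extensions.enigmail.autoDecrypt", true);
"""

# Constructed sample: the same profile after applying the workaround.
HARDENED_PROFILE = """// constructed sample
user_pref("mailnews.message_display.disable_remote_image", true);
user_pref("extensions.enigmail.autoDecrypt", false);
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit(parse_prefs(text)))
```

Run it against a real profile by reading the file into `parse_prefs`; a status of `unset` is deliberately not counted as hardened, because the article's point is that the default is the risky setting.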
No encryption is no solution
“Not having encryption is not a solution, but rather increases the risk,” says Norbert Pohlmann, Member of the Board at eco – Association of the Internet Industry and Professor at the Institute for Internet Security (if)is at the Westphalian University of Applied Sciences, Gelsenkirchen. “We shouldn’t trivialize the problems, but in order to protect patent secrets or personal data, for example, there really is no alternative to encryption.”
Just because computer scientists from Münster University of Applied Sciences, Ruhr University Bochum, and Leuven University (Belgium) have demonstrated that such an attack is possible does not mean that OpenPGP and S/MIME are no longer secure. The vulnerability can be closed by improving the two standards and implementing those improvements in the respective applications. Until then, the BSI (German Federal Office for Information Security) offers workaround tips and settings for common email clients on its website. “These tips are good, even for less experienced users.”
Until the relevant software updates have taken effect, anyone who has switched off automatic decryption will have to decide individually for each encrypted email whether it is credible and should be decrypted. “That's certainly inconvenient, but nonetheless advisable for purposes of security,” notes Pohlmann. The updates that software providers release in the coming days and weeks should then be installed immediately, and encryption should continue to be used with the updated software.
Pohlmann advises keeping the security vulnerability in perspective and points out that an exploitation of the flaw would not be straightforward. “Not everybody could do that. Even for IT experts, attacking a user’s PC in such a manner would be difficult. But it is nonetheless possible, which is why PC users should not treat this matter lightly and should switch off automatic decryption.”
An unencrypted email, on the other hand, is as easy to read as plain text. “Encryption is a significant mechanism that helps to adequately secure electronic assets,” Pohlmann concludes.