Re: What's Up Johnny? -- Covert Content Attacks on Email End-to-End Encryption

04/16/2019
by   Jens Müller, et al.
0

We show practical attacks against OpenPGP and S/MIME encryption and digital signatures in the context of email. Instead of targeting the underlying cryptographic primitives, our attacks abuse legitimate features of the MIME standard and HTML, as supported by email clients, to deceive the user regarding the actual message content. We demonstrate how the attacker can unknowingly abuse the user as a decryption oracle by replying to an unsuspicious looking email. Using this technique, the plaintext of hundreds of encrypted emails can be leaked at once. Furthermore, we show how users could be tricked into signing arbitrary text by replying to emails containing CSS conditional rules. An evaluation shows that 17 out of 19 OpenPGP-capable email clients, as well as 21 out of 22 clients supporting S/MIME, are vulnerable to at least one attack. We provide different countermeasures and discuss their advantages and disadvantages.

READ FULL TEXT

Authors

page 1

page 2

page 3

page 4

10/19/2020

The Impact of DNS Insecurity on Time

We demonstrate the first practical off-path time shifting attacks agains...
08/16/2020

SoK: Why Johnny Can't Fix PGP Standardization

Pretty Good Privacy (PGP) has long been the primary IETF standard for en...
09/22/2021

Statistical Analysis of ReRAM-PUF based Keyless Encryption Protocol Against Frequency Analysis Attack

There has been a growing interest in fully integrating Physical Unclonab...
07/02/2019

Enhancing Email Functionality using Late Bound Content

Email is one of the most successful computer applications yet devised. C...
02/09/2022

Outside Looking In: Approaches to Content Moderation in End-to-End Encrypted Systems

In this paper, we assess existing technical proposals for content modera...
02/04/2020

Bicycle Attacks Considered Harmful: Quantifying the Damage of Widespread Password Length Leakage

We examine the issue of password length leakage via encrypted traffic i....
05/19/2022

A Rule Search Framework for the Early Identification of Chronic Emergency Homeless Shelter Clients

This paper uses rule search techniques for the early identification of e...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.