
The EFAIL Guide for G Suite

Michael Hoff

May 16, 2018

Wursta offers industry-leading security audits and consultation services, tailored to businesses that use G Suite. If you have questions about this post, or would like to learn more about our security offerings, talk to us at info+security@wursta.com.

TL;DR

If you use G Suite, we recommend that you take the following steps in response to EFAIL:

  1. Use Chrome 65 or later for TLS 1.3 support.
  2. Force TLS for Gmail in your G Suite Admin Console.
  3. Do not disable S/MIME or PGP encryption.

What is EFAIL?

EFAIL is one of the newest email vulnerabilities, identified in May 2018, and is currently receiving a lot of buzz on the Internet. EFAIL exploits S/MIME or PGP flaws that allow an attacker to view the plaintext of compromised, encrypted emails. The vulnerability has many critics stating that security protocols such as S/MIME and PGP, the standards for encryption and transport of email communications, have been made ineffective. In our educated opinion, every layer of security is important, regardless of potential vulnerabilities. It should be noted that this EFAIL vulnerability is extremely difficult to exploit: to succeed, the attacker needs either 1) a Man-In-The-Middle (MITM) attack, or 2) access to your mail server or email repository. This article gives a basic description of the vulnerability and explains what you should do as an organization to protect your data.

For EFAIL to work, a hacker must first gain access to your encrypted email. This means that an attacker has already been recording your emails in transit because the transmission was not encrypted (i.e. with TLS, Transport Layer Security), or that the hacker has gained access to your email server.

Take a Defensive Stance

Defense in depth using layers of security is ALWAYS the best approach. Do not turn off S/MIME or PGP encryption for email. The EFAIL vulnerability is not easy to employ and will typically be used by very motivated attackers.

Do not discount TLS for email transmission. Enforce it if you can. TLS is an “opportunistic” solution if not configured correctly. You can read more about it here. If you are using TLS 1.2 or older, the attacker must first launch a MITM (Man In The Middle) attack using a proxy to read your traffic. This is viable, and one of the primary flaws in TLS 1.2 and earlier.

Disabling automatic rendering of HTML within your email client may help mitigate exfiltration of already-compromised, but encrypted, emails. Disabling this feature prevents Gmail from automatically loading any external images or other remote content within the message that the attacker might try to use to exfiltrate the decrypted content. If you are a Google customer, there are a number of simple solutions available beyond disabling HTML rendering.
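As an added example (not code from the original post or from Wursta), here is a Python check of the exposure that disabling automatic HTML rendering removes: it lists the remote resources an HTML part would fetch when rendered and notes whether the same message also carries an S/MIME or PGP encrypted part. The sample message is constructed.

```python
import re
from email import message_from_string

# Remote resources a client fetches when rendering HTML: src/href attributes and CSS url().
REMOTE_RE = re.compile(
    r'(?:src|href)\s*=\s*["\']?(https?://[^"\'\s>]+)'  # <img>, <link>, <script>
    r'|url\(\s*["\']?(https?://[^"\')\s]+)',           # CSS url() in <style>
    re.IGNORECASE,
)
# MIME types that mark an S/MIME or PGP/MIME encrypted part.
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime",
                   "application/x-pkcs7-mime", "application/pgp-encrypted"}

def remote_refs(html):
    """Return every http(s) URL the HTML would load on automatic rendering."""
    return [attr or css for attr, css in REMOTE_RE.findall(html)]

def scan_message(raw):
    """Summarise one raw message: remote references in its text/html parts,
    whether it carries an encrypted part, and whether both occur together
    (the combination that disabling automatic rendering defuses)."""
    refs, encrypted = [], False
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype in ENCRYPTED_TYPES:
            encrypted = True
        elif ctype == "text/html":
            charset = part.get_content_charset() or "utf-8"
            refs.extend(remote_refs(part.get_payload(decode=True).decode(charset, "replace")))
    return {"remote_refs": refs, "has_encrypted_part": encrypted,
            "risky": encrypted and bool(refs)}

# Constructed sample: an HTML part with remote content next to a (placeholder) S/MIME part.
SAMPLE = """\
From: alice@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><img src="https://tracker.example.net/pixel.png">
<style>body{background:url(https://cdn.example.net/bg.png)}</style>
--b1
Content-Type: application/pkcs7-mime; smime-type=enveloped-data
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1--
"""
```

Run `scan_message(SAMPLE)` to see the two remote URLs flagged alongside the encrypted part; a message with no text/html part, or no remote references, reports `risky: False`.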

Take Action

Keep in mind a methodology of defense in depth (multiple layers of security). EFAIL will fail if you are blocking access to your email. That means you need a secure server, a secure client and secure transmission. To successfully mitigate this threat, you must ensure the following:

  1. Use G Suite for email. Google’s engineers are working on your behalf to make sure that its servers are always secured.
  2. Use a secure browser and mail client. In Chrome 65 and later, TLS 1.3 is enabled for outgoing connections, as long as the remote server supports it. This enforces all of the secure connectivity needed to mitigate this vulnerability, and blocks CBC (Cipher-Block Chaining), which has been the source of many attack vectors. You can read more about the advantages of using TLS 1.3 here.
  3. Enable TLS for Gmail in your G Suite Admin Console with enforced TLS. You must use a CA certificate for your domain. The remote recipient must also support TLS 1.3 and use a CA certificate for their domain.
  4. Use S/MIME to encrypt the content. While it may have a potential flaw, the attacker must get past all of the layers of security to compromise your email.
  5. As a side note, Chromium users are also protected with TLS 1.3.

Optional security measures may be implemented, but some do require added effort by the end user:

  1. Encrypt the payload of your email with a local tool like 7-Zip using AES-256 encryption, and attach the encrypted file to the email you are sending. It may be overkill, but this provides additional security.

Security researchers are always finding new ways to mitigate and patch these types of vulnerabilities. Expect patches to be distributed in the coming weeks for various aspects of this hack, and stay tuned for more updates on what Google is doing to make your email experience safer and more secure.
