‘eFAIL’ Flaw Illustrates Need for New Email Encryption Solutions

Email is a great business communication tool because it is fast, easy and inexpensive. Privacy has never been among its better features, however, and recently discovered vulnerabilities in common email encryption technologies cast even more doubt on the confidentiality of the messaging platform.

Emails have always been prone to data theft and data leakage because they are predominantly transmitted in plain text form with little protection from prying eyes. Email encryption is supposed to protect confidentiality by scrambling messages so they cannot be read unless you have the right encryption key.

However, a group of German and Belgian researchers recently discovered a critical flaw in the two most common email encryption standards, PGP (Pretty Good Privacy) and S/MIME (Secure/Multipurpose Internet Mail Extensions). The flaw, which the researchers dubbed “eFAIL,” allows attackers to read an encrypted email by making changes to its HTML, which essentially tricks the affected email applications into decrypting the rest of the message.
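As an added example (not from the article, the researchers or any vendor), a defender-side triage heuristic in Python: it parses a raw message with the standard library and flags the structure the flaw depends on, encrypted content travelling in the same message as HTML. The sample message is constructed, and the names `risk_indicators`, `ENCRYPTED_TYPES` and `SUSPECT` are assumptions of this example.

```python
import email
from email import policy

# MIME types that carry an encrypted body (PGP/MIME and S/MIME).
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pgp-encrypted",
                   "application/pkcs7-mime"}


def risk_indicators(raw: bytes) -> list:
    """Triage heuristic (not a fix): flag the structure eFAIL tampering needs,
    an encrypted part sharing one message with text/html that a vulnerable
    client may render together with the decrypted plaintext."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    encrypted = html = inline_pgp = 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ENCRYPTED_TYPES:
            encrypted += 1
        elif ctype == "text/html":
            html += 1
            if "-----BEGIN PGP MESSAGE-----" in part.get_content():
                inline_pgp += 1
    warnings = []
    if encrypted and html:
        warnings.append("encrypted part mixed with text/html part")
    if inline_pgp:
        warnings.append("inline PGP block embedded inside HTML")
    return warnings


# Constructed sample, not a real capture: an HTML part and an S/MIME
# enveloped part inside one multipart/mixed message.
SUSPECT = b"""\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset="utf-8"

<html><body><p>placeholder text</p></body></html>
--outer
Content-Type: application/pkcs7-mime; smime-type=enveloped-data
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--outer--
"""

if __name__ == "__main__":
    print(risk_indicators(SUSPECT))  # ['encrypted part mixed with text/html part']
```

A mail gateway or client plug-in can quarantine or render-as-plain-text any message that returns a non-empty list; the check is structural only and does not touch the ciphertext.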

The Electronic Frontier Foundation (EFF), a technology advocacy group, has recommended that users disable any third-party software they have installed that allows their email apps to use PGP or S/MIME. The group provides step-by-step instructions for various mail clients, including Apple Mail, Outlook and Thunderbird.

Some security experts say the EFF’s concerns are overblown, with patches available to correct the flaws. In truth, however, PGP and S/MIME have always had drawbacks that prevented them from being widely adopted. They have a reputation for being notoriously difficult to implement, with users often struggling to encrypt and sign messages, find and verify other people’s encryption keys, and share their own keys.

The eFAIL scare may lead many organizations to take a closer look at their email privacy. That could mean a boost for standalone messaging platforms that provide simplified end-to-end encryption not only for email but for text messages as well.

In addition, Microsoft recently announced that a series of new security measures for Outlook will include an end-to-end encryption solution. Users will be able to turn on a feature that sends messages through a secure connection, shielding them from cybercriminals and hackers.

The features will appear on Outlook.com once you create a new message. An “encrypt” drop-down menu resides next to the Attach button, and it provides options to simply encrypt the message, or encrypt and prevent forwarding.

Outlook.com email recipients who view the encrypted email in Outlook.com, the Outlook for iOS and Android app, or the Windows Mail app can read and reply just like they can with any other email; no extra steps are needed. Users without an Outlook account receive a link to a trusted webpage where they can choose to receive a one-time passcode or re-authenticate with a trusted provider before viewing the email.

When composing an email, Outlook will detect sensitive information such as Social Security numbers and generate a suggestion to send with encryption. You can also restrict recipients from forwarding or copying emails sent from Outlook.com. Additionally, Microsoft Office documents you attach to these emails are encrypted even after downloading, so if the original recipient shares or forwards your attachment, the recipient of the forwarded email will not be able to open the attachment. Emails sent with the “prevent forwarding” option are also encrypted.

Although many security experts say the eFAIL threat has been exaggerated, the discovery serves to illustrate email’s privacy shortcomings. For years, most organizations have simply chosen not to employ email encryption solutions because of the complexity and inconvenience. That’s a serious gamble considering the very real threat of data theft. However, new security tools in Outlook along with emerging standalone messaging platforms offer a simplified approach to email encryption.