Re: What's up Johnny? – Covert Content Attacks on Email End-to-End Encryption

The presentation discusses the vulnerabilities of email clients to decryption and signing Oracle attacks, and the challenges of building security on top of email.

• Email clients are vulnerable to decryption and signing Oracle attacks due to standard email features such as MIME wrapping and HTML email.
• PGP and S/MIME are equally affected by these vulnerabilities.
• Countermeasures such as accepting only ASCII text or warning the user of partially encrypted emails are not effective.
• Building security on top of email is challenging due to these vulnerabilities.

The presenter gives an example of a bypass that has existed for four decades, where an attacker can capture hundreds of emails over years and wrap them into one email to the victim, containing both visible and invisible parts. The victim's email client can be tricked into displaying only the visible part, while the attacker can use the invisible part as a decryption or signing Oracle. This illustrates the vulnerability of email clients to these attacks.

We show practical attacks against OpenPGP and S/MIME encryption and digital signatures in the context of email. Instead of targeting the underlying cryptographic primitives, our attacks abuse legitimate features of the MIME standard and HTML, as supported by email clients, to deceive the user regarding the actual message content. We demonstrate how the attacker can unknowingly abuse the user as a decryption oracle by replying to an unsuspicious looking email. Using this technique, the plaintext of hundreds of encrypted emails can be leaked at once. Furthermore, we show how users could be tricked into signing arbitrary text by replying to emails containing CSS conditional rules. An evaluation shows that 17 out of 19 OpenPGP-capable email clients, as well as 21 out of 22 clients supporting S/MIME, are vulnerable to at least one attack. We provide different countermeasures and discuss their advantages and disadvantages