The Efail bug against encrypted e-mails showed a variety of problems with the interaction of outdated cryptography and HTML e-mails. This talk will give an overview of the flaws that led to Efail and some other fun attacks that followed it.
Efail is an attack against E-Mail encryption with both S/MIME and OpenPGP. It often allows attackers, able to observe the encrypted message, to construct modified messages that will send the encrypted content back to the attacker. When Efail was published earlier this year only incomplete fixes were available. For S/MIME the issue is still completely unfixed and it's likely to stay that way.
Efail combines two weaknesses: Both E-Mail encryption standards use outdated cryptography, particularly they don't use proper authenticated encryption. This allows attackers to modify transmitted messages. HTML mails give the sender of a mail a huge amount of control over what happens when rendering a mail. This can be abused in a variety of ways to send decrypted e-mail content to the attacker. After the first incomplete fixes for Efail the speaker was able to bypass the implemented fixes in Enigmail multiple times. The talk will go over the basics of Efail, discuss attacks and variations that followed it, and discuss some further attacks including SigSpoof and two yet undisclosed attacks.