Re: What’s Up Johnny?

Müller, Jens; Brinkmann, Marcus; Poddebniak, Damian; Schinzel, Sebastian; Schwenk, Jörg

doi:10.1007/978-3-030-21568-2_2

Cited by 9 publications

(2 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In [20], authors propose generic mitigations against different variants of EFail attacks, such as Reply [9,16], EFail-Md or Efail-Mg [18]. They do so by checking the decryption context, e.g., the SMTP headers and MIME structure during decryption, implementing their solution into the Thunderbird email client and OpenPGP with support for AEAD.…”

Section: Mitigations To Efail Attacksmentioning

confidence: 99%

Preventing EFail Attacks with Client-Side WebAssembly: The Case of Swiss Post's IncaMail

Gerig,

Ménétrey,

Lanoix

et al. 2023

Proceedings of the 17th ACM International Conference on Distributed and Event-Based Systems

View full text Add to dashboard Cite

Traditional email encryption schemes are vulnerable to EFail attacks, which exploit the lack of message authentication by manipulating ciphertexts and exfiltrating plaintext via HTML backchannels. Swiss Post's IncaMail, a secure email service for transmitting legally binding, encrypted, and verifiable emails, counters EFail attacks using an authenticatedencryption with associated data (AEAD) encryption scheme to ensure message privacy and authentication between servers. IncaMail relies on a trusted infrastructure backend and encrypts messages per user policy. This paper presents a revised IncaMail architecture that offloads the majority of cryptographic operations to clients, offering benefits such as reduced computational load and energy footprint, relaxed trust assumptions, and per-message encryption key policies. Our proof-of-concept prototype and benchmarks demonstrate the robustness of the proposed scheme, with clientside WebAssembly-based cryptographic operations yielding significant performance improvements (up to ~14×) over conventional JavaScript implementations.

show abstract

Section: Mitigations To Efail Attacksmentioning

confidence: 99%

Preventing EFail Attacks with Client-Side WebAssembly: The Case of Swiss Post's IncaMail

Gerig,

Ménétrey,

Lanoix

et al. 2023

Proceedings of the 17th ACM International Conference on Distributed and Event-Based Systems

View full text Add to dashboard Cite

show abstract

“…Not only can signatures be stolen, but all SMTP headers are unauthenticated by OpenPGP. Indeed, the surreptitious forwarding attack is made even easier due to this underlying issue [14]. For example, the From: header specifies the sender and this identity should match the identity of the OpenPGP identifier of the sender in the signature, yet this is not done.…”

Section: Unauthenticated Headersmentioning

confidence: 99%

SoK: Why Johnny Can't Fix PGP Standardization

Halpin

2020

Preprint

View full text Add to dashboard Cite

Pretty Good Privacy (PGP) has long been the primary IETF standard for encrypting email, but suffers from widespread usability and security problems that have limited its adoption. As time has marched on, the underlying cryptographic protocol has fallen out of date insofar as PGP is unauthenticated on a per message basis and compresses before encryption. There have been an increasing number of attacks on the increasingly outdated primitives and complex clients used by the PGP eco-system. However, attempts to update the OpenPGP standard have failed at the IETF except for adding modern cryptographic primitives. Outside of official standardization, Autocrypt is a "bottom-up" community attempt to fix PGP, but still falls victim to attacks on PGP involving authentication. The core reason for the inability to "fix" PGP is the lack of a simple AEAD interface which in turn requires a decentralized public key infrastructure to work with email. Yet even if standards like MLS replace PGP, the deployment of a decentralized PKI remains an open issue.

show abstract

Trackers in Your Inbox: Criticizing Current Email Tracking Practices

Kalantari

Put

Decker

2021

Privacy Technologies and Policy

View full text Add to dashboard Cite

Email is among the cornerstones of our online lives. It has evolved from carrying text-only messages to delivering well-designed HTML contents. The uptake of web protocols into email, however, has facilitated the migration of web tracking techniques into email ecosystem. While recent privacy regulations have impacted the web tracking technologies, they have not directly influenced the email tracking techniques. In this short paper, we analyze a corpus of 5216 emails, give an overview of the identified tracking techniques, and argue that the existing email tracking methods do not comply with privacy regulations.

show abstract

Re: What’s Up Johnny?

Cited by 9 publications

References 4 publications

Preventing EFail Attacks with Client-Side WebAssembly: The Case of Swiss Post's IncaMail

Preventing EFail Attacks with Client-Side WebAssembly: The Case of Swiss Post's IncaMail

SoK: Why Johnny Can't Fix PGP Standardization

Trackers in Your Inbox: Criticizing Current Email Tracking Practices

Contact Info

Product

Resources

About