European security experts have circumvented the encryption of e-mail. Until now, encrypted e-mails were considered safe, even against intelligence services such as the NSA. Now a team of researchers from Münster University of Applied Sciences, Ruhr-Universität Bochum and the Dutch KU Leuven has been able to read encrypted mails, and in two different ways. This is reported by a joint research team from Süddeutsche Zeitung, NDR and WDR.

Both the S/MIME and the PGP methods are affected. S/MIME is usually used by companies, PGP by activists, whistleblowers and journalists. “E-mail is no longer a secure medium of communication,” Süddeutsche Zeitung quotes research lead Sebastian Schinzel, professor of applied cryptography at Münster University of Applied Sciences. There are currently no reliable ways to close the gap, Schinzel tweeted. American cryptographer Matthew Green of Johns Hopkins University in Baltimore confirmed that the decryption methods work. The result was “very elegant,” said Green.

According to the researchers, the first requirement is that attackers have the ciphertext. This is the name of the blob that is created by encryption. Second, HTML must be enabled in the e-mail program so that certain linked content can be loaded, such as a company logo. In the content to be loaded, attackers can hide the ciphertext and build an HTTP link around it as camouflage. This gives the impression that the program wants to load a picture or a link. It actually loads websites that the researchers have defined. The e-mail program recognizes the ciphertext, decrypts it, and sends the message to the attacker.
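The second requirement above, automatic loading of linked content in HTML mail, is the part a mail client or gateway can switch off. The following is an added example, not code from the article or from the researchers: it rebuilds a decrypted HTML body without the attributes that trigger a request on display. The names `RemoteContentBlocker`, `block_remote_content` and the sample body are hypothetical.

```python
from html import escape
from html.parser import HTMLParser

# Attributes a mail client fetches automatically, with no user action.
AUTO_LOAD_ATTRS = {"src", "srcset", "background", "poster", "data"}
REMOTE_PREFIXES = ("http://", "https://", "//")

class RemoteContentBlocker(HTMLParser):
    """Rebuilds an HTML mail body with automatic remote loads removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.blocked = [], []   # sanitized pieces; removed (tag, attr, url)

    def _tag(self, tag, attrs, closing=""):
        kept = ""
        for name, value in attrs:
            auto = name in AUTO_LOAD_ATTRS or (tag == "link" and name == "href")
            if auto and (value or "").strip().lower().startswith(REMOTE_PREFIXES):
                self.blocked.append((tag, name, value))   # would be requested on display
            elif value is None:
                kept += f" {name}"
            else:
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}{closing}>")

    def handle_starttag(self, tag, attrs):
        self._tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._tag(tag, attrs, " /")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def block_remote_content(html_body):
    """Return (sanitized_html, blocked_references) for a decrypted mail body."""
    parser = RemoteContentBlocker()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.blocked

# Constructed sample: a body with a remote image and an ordinary clickable link.
SAMPLE = ('<p>Quarterly figures &amp; notes</p>'
          '<img alt="logo" src="http://tracker.example/logo.png?id=1">'
          '<a href="https://intranet.example/report">report</a>')
```

Calling `block_remote_content(SAMPLE)` returns the body with the image's `src` removed and a list of what was blocked; clickable links and embedded `cid:` images are left alone. CSS `url()` references are not covered by this sketch.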

PGP and S/MIME have been used since the 1990s to make private messages readable only to the recipient. They were considered the standard for encrypting e-mails. Even Edward Snowden praised encryption because it was one of the few things “to rely on”. However, security researcher Nicholas Weaver already declared during the NSA scandal in 2013 that intelligence services loved PGP: the metadata that encrypted mails reveal is extremely telling.

Correction note: It was originally stated that security experts had cracked the encryption of e-mails. In fact, they circumvented the encryption. We have changed the headline accordingly.