Successful submission at USENIX 2023 - summer submission


In the "summer submission" of the 32nd USENIX Security Symposium, a contribution from researchers participating in ATHENE was accepted. USENIX is one of the four most important conferences in the field of security. Scientists, practitioners, system administrators and programmers from all over the world come together to share the latest advances in the security and privacy of computer systems and networks.

End-to-End encrypted (E2EE) email protects sensitive email contents of company emails and privacy advocates from attackers. The researchers analyzed the two E2EE standards, S/MIME and OpenPGP, for weakness against "oracle attacks", in which attackers use subtle side-channels to decrypt messages. They show that Google Workspaces and Mail on iOS allow attackers to decrypt e2ee emails in specific scenarios. They also evaluate why the other applications are not vulnerable and show that the defenses are not rigorous but seem 'accidental', e.g., due to missing feature support. The researchers argue that this creates a dangerous conflict between usability and security.

Content-Type: multipart/oracle - Tapping into Format Oracles in Email End-to-End Encryption
Authors: Fabian Ising, Münster University of Applied Sciences and ATHENE; Damian Poddebniak and Tobias Kappert, Münster University of Applied Sciences; Christoph Saatjohann and Sebastian Schinzel, Münster University of Applied Sciences and ATHENE
More information about the paper

The researchers will present their paper in August at the 32. USENIX in Anahheim, USA.

show all news