End-to-End encrypted (E2EE) email protects sensitive email contents of company emails and privacy advocates from attackers. The researchers analyzed the two E2EE standards, S/MIME and OpenPGP, for weakness against "oracle attacks", in which attackers use subtle side-channels to decrypt messages. They show that Google Workspaces and Mail on iOS allow attackers to decrypt e2ee emails in specific scenarios. They also evaluate why the other applications are not vulnerable and show that the defenses are not rigorous but seem 'accidental', e.g., due to missing feature support. The researchers argue that this creates a dangerous conflict between usability and security.

Content-Type: multipart/oracle - Tapping into Format Oracles in Email End-to-End Encryption
Authors: Fabian Ising, Münster University of Applied Sciences and ATHENE; Damian Poddebniak and Tobias Kappert, Münster University of Applied Sciences; Christoph Saatjohann and Sebastian Schinzel, Münster University of Applied Sciences and ATHENE
More information about the paper

The researchers will present their paper in August at the 32. USENIX in Anahheim, USA.