Ruhrsec 2023 - Content-Type: Multipart/Oracle

Image credit: Hackmanit GmbH

Abstract

"Email is an offline protocol, so oracle attacks against its end-to-end encryption are impractical." This statement has been made time and time again. However, is it really true? Can we perform real oracle attacks, like Vaudenay's CBC Padding Oracle Attack and Bleichenbacher's infamous Million Message Attack, against E2EE email?

We survey how the decryption state of E2EE email can be made visible through the interplay of MIME and IMAP, and we describe side channels caused by specific MIME trees. We analyze 19 OpenPGP and S/MIME email clients and exploit these side channels to decrypt S/MIME messages in iOS Mail and Google Workspaces. We discuss why exploiting the other clients is impractical and show that their unintended countermeasures create dangerous conflicts between usability and security. Finally, we present more rigid countermeasures for developers and for the standards.

Date
May 11, 2023 — May 12, 2023
Location
Ruhr University Bochum
Fabian Ising
Postdoctoral Researcher

My research interests include applied cryptography, email security, and network and protocol security.