LawTrust
News


EFAIL vulnerability and ZixEncrypt

This week, European security researchers released a warning that describes how PGP and S/MIME vulnerabilities, dubbed "EFAIL", can give attackers access to plaintext versions of encrypted emails.

 

This week, European security researchers released a warning that describes how PGP and S/MIME vulnerabilities, dubbed "EFAIL", can give attackers access to plaintext versions of encrypted emails.


LAWtrust customers using ZixEncrypt are NOT vulnerable to these attacks.

 

The vulnerabilities identified as EFAIL occur ONLY IF S/MIME is used without the validation of digital signatures. ZixEncrypt requires the use and validation of digital signatures to ensure the integrity of encrypted emails. Our research to-date indicates that by enforcing the validation of digital signatures, ZixEncrypt can ensure S/MIME safely encrypts all gateway-to-gateway emails between ZixEncrypt customers.

 

ZixEncrypt can also ensure it is used to safely deliver encrypted messages to your secure portal for recipients who do not have email encryption capabilities. How can we ensure the integrity of encrypted emails using ZixEncrypt?

 

Since ZixEncrypt controls both ends of the encryption, any Zix S/MIME messages with an invalid or missing digital signature are bounced. If any email is tampered with using the EFAIL method, the integrity checks used by ZixEncrypt safeguard the email. The user does not receive the compromised email, and the contents of the encrypted email would not be exposed.

 

You can remain confident in ZixEncrypt. Our promise is to keep your email secure, and we have become the leader in email encryption by delivering on that promise. 

 

If you have any follow-up questions, please do not hesitate to contact your Account Manager or support@lawtrust.co.za.