Mac OS X tip: how to protect your mail client


Based on some background knowledge we received (update 2018/5/14 14:00 UTC+1: we now know it's the bug; the researchers went ahead with the public release today), I am taking the liberty to document a setup that protects an Apple Mail installation of mine.

The first security measure is simple: disable the loading of remote content in Apple Mail. Go to Preferences -> Viewing and uncheck the checkbox "Load remote content in messages". This stops Mail from fetching images and other resources referenced by a message as soon as it is opened, which is exactly the channel a crafted message uses to leak content; you can still load them for an individual message by hand.

However, there is an even stricter mechanism that does not rely on Apple Mail itself. Think of it as a second, much more robust safety net. The idea: should any software component in my Apple Mail get hacked, or should it leak information (such as the plaintext of an encrypted mail), I want to make sure that Apple Mail talks to one and only one point of enforcement: the IMAP server it is supposed to talk to. And nothing else. Data exfiltration then gets much harder.

Luckily there is a good tool for this: Little Snitch (and as far as I know, this is the only tool of its kind on OS X). Little Snitch acts as an outbound, per-application firewall: it shows me every connection a process opens and lets me allow or deny it, per process, per host and per port.

My Little Snitch setup only allows Apple Mail to open port 25 (SMTP) and IMAPS (port 993) connections. HTTP(S) connections are forbidden outright. Two details matter when writing the rules: tie them to the hostnames of your own IMAP and SMTP servers rather than to the ports alone, since a port-only rule would still let a compromised Mail push data to any IMAPS or SMTP server an attacker runs; and if your provider expects mail on the submission ports (587 or 465) instead of port 25, allow those instead. Yes, that means I will not see images that reside on some web server. In practice this does not matter: either such a mail was spam or marketing in the first place, or it was legitimate and is also readable in a browser if really needed (remember the "can't see this in your mail client? click here..." links in mails?).
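The policy above ("Mail may talk to its own IMAP and SMTP servers and nothing else") is easy to state and easy to get subtly wrong, so here is an added example (not part of the original post, and not Little Snitch's or Apple's code) that encodes it in one place and checks it. It derives a Little Snitch rule set in the JSON shape of an .lsrules file from an allow-list of servers (the key names are reproduced from memory of the Little Snitch 4 format and should be verified against its documentation), and it audits the output of `lsof -i -nP` for connections of the Mail process that fall outside the allow-list. The server names imap.example.org and smtp.example.org, the process path and the lsof sample are placeholders and constructed data, not real captured output.

```python
"""Lock Apple Mail down to its own mail servers and verify that it stays there.

Added example: generates a Little Snitch rule set (format from memory,
verify against the Little Snitch docs) and audits `lsof -i -nP` output.
Host names below are placeholders; substitute your provider's servers.
"""
import json
import socket
import subprocess

# Little Snitch keys its rules on the executable path (assumed standard path).
MAIL_PROCESS = "/Applications/Mail.app/Contents/MacOS/Mail"

# Hypothetical allow-list.  The post permits SMTP on port 25; most providers
# use submission (587) or SMTPS (465), so list what your account really uses.
ALLOWED = {
    "imap.example.org": {993},
    "smtp.example.org": {587, 465},
}


def little_snitch_rules(allowed=ALLOWED, process=MAIL_PROCESS):
    """One allow rule per server, plus a catch-all deny for the same process.
    Without the deny rule Mail could still reach any web server for remote
    content, which is the exfiltration channel we want closed."""
    rules = [
        {
            "action": "allow",
            "process": process,
            "remote-hosts": [host],
            "ports": ",".join(str(p) for p in sorted(ports)),
            "protocol": "tcp",
            "direction": "outgoing",
            "notes": "Mail talks to its own mail server only",
        }
        for host, ports in sorted(allowed.items())
    ]
    rules.append({
        "action": "deny",
        "process": process,
        "remote": "any",
        "direction": "outgoing",
        "notes": "no HTTP(S), no remote images, no exfiltration channel",
    })
    return {"name": "Apple Mail lockdown", "rules": rules}


def resolve(allowed=ALLOWED):
    """Turn the host-based allow-list into (ip, port) pairs; lsof -n prints IPs."""
    pairs = set()
    for host, ports in allowed.items():
        for info in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP):
            pairs.update((info[4][0], p) for p in ports)
    return pairs


def parse_lsof(text, command="Mail"):
    """Yield (remote_ip, remote_port, state) for every connected socket of
    `command` in `lsof -i -nP` output.  Handles IPv4 and bracketed IPv6."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] != command:
            continue
        name = next((f for f in fields if "->" in f), None)
        if name is None:
            continue                      # listening or unconnected socket
        ip, port = name.split("->", 1)[1].rsplit(":", 1)
        state = fields[-1].strip("()") if fields[-1].startswith("(") else ""
        yield ip.strip("[]"), int(port), state


def audit(text, allowed_pairs, command="Mail"):
    """Return the connections of Mail that the allow-list does not cover."""
    return [(ip, port, state) for ip, port, state in parse_lsof(text, command)
            if (ip, port) not in allowed_pairs]


def live_audit(allowed=ALLOWED):
    """Run lsof on this Mac and report Mail connections outside the policy."""
    out = subprocess.run(["lsof", "-i", "-nP"], capture_output=True,
                         text=True, check=False).stdout
    return audit(out, resolve(allowed))


# Constructed sample in `lsof -i -nP` layout (not real output): a legitimate
# IMAPS session, an HTTPS fetch of remote content, an IPv6 submission attempt.
SAMPLE_LSOF = """\
COMMAND   PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
Mail      612  aaron   24u  IPv4 0x4f3a8b2c19e70d11      0t0  TCP 10.0.0.5:52344->203.0.113.5:993 (ESTABLISHED)
Mail      612  aaron   31u  IPv4 0x4f3a8b2c19e70e22      0t0  TCP 10.0.0.5:52351->198.51.100.23:443 (ESTABLISHED)
Mail      612  aaron   33u  IPv6 0x4f3a8b2c19e70f33      0t0  TCP [2001:db8::10]:52360->[2001:db8::25]:587 (SYN_SENT)
Safari    700  aaron   19u  IPv4 0x4f3a8b2c19e71044      0t0  TCP 10.0.0.5:52400->198.51.100.23:443 (ESTABLISHED)
"""
SAMPLE_ALLOWED = {("203.0.113.5", 993), ("2001:db8::25", 587), ("2001:db8::25", 465)}

if __name__ == "__main__":
    print(json.dumps(little_snitch_rules(), indent=2))
    for ip, port, state in audit(SAMPLE_LSOF, SAMPLE_ALLOWED):
        print(f"unexpected Mail connection: {ip}:{port} {state}")
```

On the constructed sample the audit flags only the HTTPS connection to 198.51.100.23:443, which is precisely the "remote content" fetch the rules are meant to kill; the Safari line is ignored because the policy is about the Mail process alone. After importing the generated rule set, confirm in the Little Snitch rule list that the two host-specific allow rules take effect ahead of the catch-all deny, then run `live_audit()` while Mail is open and expect an empty list.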

In other words: this is a super simple trick to get rid of a whole class of exfiltration attacks. I'd appreciate it if we had such a tool on Linux. Though... hang on... there is an initial attempt by @evilsocket: OpenSnitch. I haven't tested that yet. Eager to hear feedback from you on whether it works on Linux.

Anyway, thanks to Little Snitch (and maybe OpenSnitch), exfiltrating data from a hacked mail client becomes a lot harder: whatever the client leaks has nowhere to go but its own mail server.


Author: L. Aaron Kaplan

Last Change: 2018/5/14 - 14:40:17
