May 16, 2018
Encryption #eFail: It’s time to get serious about email security
For better or worse, email is the most universal platform for sharing information today. People willingly trust email enough to share some of their most confidential thoughts and ideas, intellectual property, and more, without fully understanding the risks.
Last month’s PGP and S/MIME security flaw, dubbed eFail, reminds us all why we need to rethink the risks associated with email and email security. Email is the foundation of every organization’s collaboration, productivity and character. That’s why email leaks aren’t just data loss events; they’re attacks on your brand and reputation.
Security keeps evolving, but not around email.
Mobile apps like Signal, iMessage, Wickr and Threema have all provided simple methods for end-to-end encrypted communications directly from our phones, yet there’s still a significant amount of difficulty associated with email encryption when it comes to scale.
For the last decade, PGP has been the gold standard for encrypted email, but remember: 10 years ago, it was also the only option, which led to the rise of PGP as a household security tool. At the same time, it also fueled a new breed of email encryption solution providers, including ProtonMail, Zix and more.
Fast forward to today, and a majority of businesses have still ignored or downplayed the importance of email security because it’s overly cumbersome to scale and manage. Therefore, companies today are still using PGP, which is why it’s no surprise that roughly 35% of security professionals feel equipped to defend against email-based attacks.
It’s 2018, we can do better.
Regardless of whether or not eFail was a concern at your organization, the vulnerability demonstrates that individuals utilizing basic encryption, or solutions built on these standards, are still at risk.
We have now built a way to secure the files you share through email. Specific to eFail, Vera stores individual encryption keys separately, which makes a Vera-secured file nearly impossible to decrypt.
Must be magic, right? Here’s how it works:
- Each Vera-secured file is encrypted with a unique key that is secured within the Vera Cloud Platform.
- These keys are transmitted securely via TLS/SSL to the clients, which form a trusted key space on the end user’s device.
- Audit logs for every successful and unsuccessful access request to a document are also recorded.
- Keys are not stored locally on the endpoint unless the policy owner specifically grants that privilege for offline or time-bound access.
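The key-handling model in the list above can be sketched as a small key broker. This is an added illustration, not Vera's code or API: the `KeyBroker` class, its method names and the sample file names are hypothetical, and the TLS transport and the file encryption itself are left out.

```python
import secrets
import time

class KeyBroker:
    """Hypothetical key service: one random key per file, held server-side."""

    def __init__(self):
        self._keys = {}    # file_id -> 32-byte key, never stored with the file
        self._policy = {}  # file_id -> {user: offline-cache expiry or None}
        self.audit = []    # (time, user, file_id, outcome) for every request

    def protect(self, file_id, allowed_users):
        """Register a file: fresh unique key plus its access policy."""
        self._keys[file_id] = secrets.token_bytes(32)
        self._policy[file_id] = {user: None for user in allowed_users}

    def grant_offline(self, file_id, user, seconds, now=None):
        """Policy owner allows this user to cache the key locally for a while."""
        now = time.time() if now is None else now
        if user not in self._policy.get(file_id, {}):
            raise PermissionError("user has no access to this file")
        self._policy[file_id][user] = now + seconds

    def revoke(self, file_id, user):
        """Remove access; later requests are denied and logged."""
        self._policy.get(file_id, {}).pop(user, None)

    def request_key(self, file_id, user, now=None):
        """Return (key, cache_until) or None; log the attempt either way.

        cache_until is None when the client must keep the key in memory only.
        """
        now = time.time() if now is None else now
        allowed = user in self._policy.get(file_id, {})
        self.audit.append((now, user, file_id, "granted" if allowed else "denied"))
        if not allowed:
            return None
        expiry = self._policy[file_id][user]
        cache_until = expiry if expiry is not None and expiry > now else None
        return self._keys[file_id], cache_until

def demo():
    """Constructed scenario: two files, one outsider, one offline grant."""
    broker = KeyBroker()
    broker.protect("q3-forecast.xlsx", ["alice"])
    broker.protect("term-sheet.pdf", ["alice", "bob"])
    broker.request_key("q3-forecast.xlsx", "mallory", now=1000)  # denied, logged
    broker.grant_offline("term-sheet.pdf", "bob", seconds=3600, now=1000)
    return broker
```

Because the key is released per request, revoking a user takes effect on the next access attempt, and the denied attempt still lands in the audit log.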
NOTE: eFail happened May 14th