Thunderbird and OpenPGP - Autocrypt
kaie at kuix.de
Sun Dec 8 09:14:07 UTC 2019
On 08.12.19 02:02, holger krekel wrote:
> On Sat, Dec 07, 2019 at 22:18 +0100, Kai Engert wrote:
>> On 05.12.19 15:38, holger krekel wrote:
>>> no one has been able to quote me *a single real-life instance*
>>> of an e-mail provider actively exchanging PGP keys in transit.
>> If a key change is silently accepted, how does the victim notice the attack?
>> If the victim doesn't notice, you don't get a report about it.
> PGP is used by a lot of specialists. Chances are that
> over the last two decades, and with MITMs actually happening,
> some people would have noticed because they verify keys,
> meet at a crypto-party etc.
Were those specialists using software that automatically accepted keys
without telling them? I assume they weren't.
I claim that a smart and powerful adversary has an interest of not being
caught by specialists, and not cause trouble to the businesses that are
involved. If my claim is correct, the adversary would only use their
ability if the anticipated risk of getting caught is minimal.
If an adversary knows that their target is a specialist who verifies
keys before using them, or knows based on email agent headers that
automatic key replacement won't be performed, there's no point in trying
to trick them in this way.
However, if non-specialists use a system that automatically replaces
keys without telling them, the risk of detection for an adversary is
If Alice is known to use software that implements Autocrypt, the
adversary can temporarily trick Alice into using the adversary's key
when encrypting to Bob. Once the advery is done and it's time to take
down the active attack configuration, the adversary can restore the
previous situation, by sending email to Alice, which restores Bob's
The adversary would have re-encrypted all mail that left Alice's
computer with Bob's key, so Bob cannot notice the attack.
The only evidence are some emails in Alice's Sent folder, which were
encrypted with the adversary's key, instead of Bob's key. It seems
unlikely she would notice. (If Alice stores the Sent folder on IMAP, the
adversary could potentially clean that up, too.)
With Autocrypt, the likelihood of an active adversary being noticed is
much lower than with specialists using a non-Autocrypt trust model.
You quoted a lack of evidence of active attacks on specialists. I think
this cannot be used to conclude that active attacks wouldn't
occasionally be performed on non-specialists using software that makes
the attack almost imperceptible.
Our objective is to provide end-to-end encryption (e2ee) for Thunderbird.
In my opinion, the security of e2ee shouldn't depend on the hope that no
adversary abuses an attack vector, which when used, is almost imperceptible.
More information about the tb-planning