Thunderbird and OpenPGP - Autocrypt

Kai Engert kaie at kuix.de
Sun Dec 8 09:14:07 UTC 2019


On 08.12.19 02:02, holger krekel wrote:
> On Sat, Dec 07, 2019 at 22:18 +0100, Kai Engert wrote:
> 
>> On 05.12.19 15:38, holger krekel wrote:
>>> no one has been able to quote me *a single real-life instance*
>>> of an e-mail provider actively exchanging PGP keys in transit.
>>
>> If a key change is silently accepted, how does the victim notice the attack?
>>
>> If the victim doesn't notice, you don't get a report about it.
> 
> PGP is used by a lot of specialists.  Chances are that
> over the last two decades, and with MITMs actually happening,
> some people would have noticed because they verify keys,
> meet at a crypto-party etc.

Were those specialists using software that automatically accepted keys 
without telling them? I assume they weren't.

I claim that a smart and powerful adversary has an interest of not being 
caught by specialists, and not cause trouble to the businesses that are 
involved. If my claim is correct, the adversary would only use their 
ability if the anticipated risk of getting caught is minimal.

If an adversary knows that their target is a specialist who verifies 
keys before using them, or knows based on email agent headers that 
automatic key replacement won't be performed, there's no point in trying 
to trick them in this way.

However, if non-specialists use a system that automatically replaces 
keys without telling them, the risk of detection for an adversary is 
much lower.

If Alice is known to use software that implements Autocrypt, the 
adversary can temporarily trick Alice into using the adversary's key 
when encrypting to Bob. Once the advery is done and it's time to take 
down the active attack configuration, the adversary can restore the 
previous situation, by sending email to Alice, which restores Bob's 
original key.

The adversary would have re-encrypted all mail that left Alice's 
computer with Bob's key, so Bob cannot notice the attack.

The only evidence are some emails in Alice's Sent folder, which were 
encrypted with the adversary's key, instead of Bob's key. It seems 
unlikely she would notice. (If Alice stores the Sent folder on IMAP, the 
adversary could potentially clean that up, too.)

With Autocrypt, the likelihood of an active adversary being noticed is 
much lower than with specialists using a non-Autocrypt trust model.

You quoted a lack of evidence of active attacks on specialists. I think 
this cannot be used to conclude that active attacks wouldn't 
occasionally be performed on non-specialists using software that makes 
the attack almost imperceptible.

Our objective is to provide end-to-end encryption (e2ee) for Thunderbird.

In my opinion, the security of e2ee shouldn't depend on the hope that no 
adversary abuses an attack vector, which when used, is almost imperceptible.

Kai


More information about the tb-planning mailing list