Thunderbird and OpenPGP - Autocrypt

holger krekel holger at
Sun Dec 8 17:10:19 UTC 2019

Hi Kai, all, 

On Sun, Dec 08, 2019 at 10:14 +0100, Kai Engert wrote:
> I claim that a smart and powerful adversary has an interest of not being
> caught by specialists, and not cause trouble to the businesses that are
> involved. If my claim is correct, the adversary would only use their ability
> if the anticipated risk of getting caught is minimal.
> If an adversary knows that their target is a specialist who verifies keys
> before using them, or knows based on email agent headers that automatic key
> replacement won't be performed, there's no point in trying to trick them in
> this way.

Lots of people in the last decade have just used keys attached in e-mails
and from key servers where anyone has uploaded. How would an adversary 
consistently know exactly who of them also verifies out-of-band? 

Beides, if you can hack the likes of Gmail, Proton Mail, Posteo or Riseup, and do 
very targeted MITM attacks against intelligently selected users, then you can probably 
much more easily directly hack the phone/device of your target and get everything,
not just the cleartext of some mails.

> With Autocrypt, the likelihood of an active adversary being noticed is much
> lower than with specialists using a non-Autocrypt trust model.

An Autocrypt user might well be a specialist - i know some :) 

Anyway, why not offer verification protocols on top of an otherwise opportunistic
experience that just works, and converts a lot of currently cleartext into encrypted mail?  
We can make it so that the mediating provider would not know if people verified.  
This is discussed with the "key history verification" protocol which detects 
MITM against opportunistic key distribution after the fact: 


> However, if non-specialists use a system that automatically replaces keys
> without telling them, the risk of detection for an adversary is much lower.
> If Alice is known to use software that implements Autocrypt, the adversary
> can temporarily trick Alice into using the adversary's key when encrypting
> to Bob. Once the advery is done and it's time to take down the active attack
> configuration, the adversary can restore the previous situation, by sending
> email to Alice, which restores Bob's original key.
> The adversary would have re-encrypted all mail that left Alice's computer
> with Bob's key, so Bob cannot notice the attack.
> The only evidence are some emails in Alice's Sent folder, which were
> encrypted with the adversary's key, instead of Bob's key. It seems unlikely
> she would notice. (If Alice stores the Sent folder on IMAP, the adversary
> could potentially clean that up, too.)
> You quoted a lack of evidence of active attacks on specialists. I think this
> cannot be used to conclude that active attacks wouldn't occasionally be
> performed on non-specialists using software that makes the attack almost
> imperceptible.
> Our objective is to provide end-to-end encryption (e2ee) for Thunderbird.
> In my opinion, the security of e2ee shouldn't depend on the hope that no
> adversary abuses an attack vector, which when used, is almost imperceptible.
> Kai

More information about the tb-planning mailing list