Can members of the cryptoparty community please review SafeGmail?

[samthetechie]

Shoutout: Can all https://cryptoparty.org/wiki/CryptoParty that are interested in email security and privacy please review this code?

If the review is positive or enough aspects have been addressed in tickets / issues etc and these can be fixed then I will be happy to add this tool to the syllabus / teaching over at CryptopartyLondon: https://cryptoparty.org/wiki/London for the next meetup in November.
@samthetechie

[mkdesu]

Purely from the (not too verbose) design description (pdf), SafeGmail apparently relies on absence of correlation between message communication channel and SafeGmail communication channel. I.e., the message is encrypted with a symmetric key that's generated on the client side, and the key is sent to SafeGmail server. Internally, SafeGmail uses some PGP to maintain encryption and decryption of the symmetric key using challenge-response interface in the client. Recipient then gets the key using challenge-response and decrypts the message.

If the above is correct, then SafeGmail is not resistant against passive MITM attacks. E.g., retrieving both the transmitted message from GMail servers and the encryption key from SafeGmail server allows the attacker to decrypt the message. Moreover, since SafeGmail does not use SSL/TLS, an attacker can intercept one of the clients' connections to retrieve the encryption key, instead of retrieving it from SafeGmail.

[crised]

Hi,

Thanks for the comments.

Even if the attacker intercepts the key, the e-mail content is stored safely in Gmail, so the attacker still should enter client inbox to see actual message.

Please be so kind to improve the code, so we can have a better tool.

[mkdesu]

@crised , I don't understand the point of the scheme used in SafeGmail. Why is a server necessary at all? You can simply embed the question in cleartext into GMail, and encrypt the rest using the answer that must be known to the recipient. You just add weaknesses to this simple approach.

[samthetechie]

1. I think @mkdesu has made a great point. Can @mkdesu suggest a better architecture
2. Can you qualify 'not resistant to' and can we developer a threat model here in terms of risk (likelyhood vs seriousness).
3. Is there a particular technique or framework that comes to mind to perform this attack? Can we try it and demonstrate the weakness?
4. Are there any good inks to this countering passive MITM?
5. It should be very very simple to turn on SSL / TLS for SafeGmail. I have added that as a ticket: Add SSL / TLS Support for SafeGmail #2

[crised]

@mkdesu Addding a server makes this easy to use. Techie guys can have access to regular PGP, normal guys can't have access to it. SafeGmail is something in the middle.

[crised]

@samthetechie Great initiative!

[mkdesu]

@samthetechie I think you're digging too deep. This is essentially symmetric encryption. For symmetric encryption, you don't need servers — just provide an easy way to enter the passphrase and perform encryption / decryption on the client side. PGP has nothing to do with this approach, and is not necessary. As it is now, PGP is used internally on the server to hold the symmetric key.

[crised]

@mkdesu If you do a no-server approach, the recipient will be forced to have a browser extension, therefore this wouldn't be popular.

[mkdesu]

@crised So embed a link that will just install the extension, nothing more. And you don't need PGP even in the current scheme, with encryption / decryption of the AES key on the server, since it's a pure symmetric encryption scheme.

[crised]

@mkdesu, still is safer with a server than pure client side symmetric. Notice that the actual key encrypting the message it's a random key, if we don't use a server, we would have to encrypt with the pass phrase (answer to the question). SafeGmail follows PGP standards, not 100% rigorously, but the idea is to make it as close as possible.

[mkdesu]

@crised No, it is not safer. Currently, SafeGmail is:

• Broken, as it does not protect against a MITM attack
• Advertises PGP encryption, when PGP is not used in a way that's relevant to the user
• Involves a server when a server is not necessary in a much simpler protocol.

[crised]

Well we clearly have different point of views. It advertises PGP like encryption. Anyhow your welcome to fork this and make your own extension with your own schema.

[daviddahl]

Not having looked at the code yet - I will say....

If you are typing plaintext into content DOM delivered by a server, you have several attacks that cannot be 100% mitigated against. You have no control over the CSP that Google provides and the known LE backdoors in Google would keep me from using SafeGmail in the first place.

I think tools like this should first and foremost avoid bad TLDs that can be taken down on whim by the US DOJ. (See: https://gun.io/blog/secure-your-domain-where-is-safe-to-register-a-domain-name/ ) Create new communications tools (like this) but avoid SMTP and compromised services as the backbone of the system.

[xurizaemon]

http://safegmail.com says "Easy & Free PGP (Pretty Good Privacy) Encryption for Gmail" in big letters, not "PGP like".

If you aren't delivering PGP, please don't advertise it as PGP to users. Even "pgp-like" is IMO deceptive, given that it's substantially unlike PGP, and the implications of confusing people into using a tool which doesn't do what they think it does could be severe for them and their associates.