resisting_a_rest t1_j0sdfie wrote on December 19, 2022 at 1:25 AM

Reply to comment by uhoreg in Google introduces end-to-end encryption for Gmail on the web by psychothumbs

Why is that? If you are sending an email to a specific email address, and you encrypt the message using an incorrect public key, that address just gets sent an encrypted message that they cannot decrypt.

I suppose if their email is already compromised, that could be a problem, but this would require both the Key directory and the email account to be compromised.

If only the key server is compromised, I would think the best you could do is a denial of service.

uhoreg t1_j0w26gb wrote on December 19, 2022 at 9:09 PM

> I suppose if their email is already compromised, that could be a problem, but this would require both the Key directory and the email account to be compromised.

How does the key directory get the keys, and how does it ensure that the keys are valid? Traditionally, key servers accepted any keys that were uploaded to them, and told people to verify them before trusting them. Some key servers will try to verify keys ... by emailing you. But, of course, if an attacker has compromised your email account, that doesn't help much.

With WKD, you contact the domain that owns your email account (e.g. if you are something at emailprovider.com, you would fetch the key from emailprovider.com). But if someone compromises emailprovider.com, then they could just serve the wrong key.

One of the goals of end-to-end encryption is that you don't want your service providers to be able to read your things. Both of the existing systems are vulnerable to attacks from your service provider (either if they become malicious, or have a rogue employee) unless you verify the key in some other way.