Top : Open Source : Herbivore : FAQ

Frequently Asked Questions, with answers, about Herbivore.

Q: Herbivore will eventually allow for keys to change with time. Won't this make it impossible to open older emails? Or will Herbivore software remember all previous keys?

Neither. The Herbivore security model assumes that your PC is basically secure; it only attempts to encrypt stuff while it travels over the network. Therefore, once incoming email is received, it is decoded to plain text; it is then up to the email client to store the message as it would with any other email message.

Security on the PC is another issue altogether, and is best solved by an encrypted filesystem, or better still a steganographically encrypted one, so that different files become visible depending on what key you use.

Q: What would Herbivore do if Bob decided to send an email to Alice who Bob has the public key for, and Cc:'d it to Doug, whose public key Bob doesn't have?

The problem here is that an adversary could see the mail that Doug got (because it's in plain text), and infer that Alice got the same message.

I think the best default behaviour here would be to encrypt the message for Alice, but not for Doug. (This is Herbrip's behaviour as of version 0.3.1). Then if an adversary only got hold of the message to Alice, it wouldn't help them much.

Another possibility would be to send both messages unencrypted, and for the Herbivore software to tell the user that it was doing so. (Or the program could put up a dialog box and ask the user what to do, giving the choices).

This problem also arises if a Herbivore-compliant email program sends email to a mailing list; the long-term solution for this is to have Herbivore-compliant mailing list. (Fortunately, Mailman, one of the most-used open source mailing list management programs, is written in Python, as is my Herbrip software, so adding the functionality to Mailman shouldn't be too hard).

Q: How does Herbivore deal with the issue of authentication, i.e. how does Bob know that the public key in the first e-mail is really that of Alice?

At the moment, Herbrip and Herbivore don't deal with this at all. The solution is basically to transmit the key across another communication medium as well, and assume that the adversary can't impresonate Alice on that route too.

Later I will deal with it in three (and possibly more) ways.

(1) every herbivore public key broadcast will come with a X-Herbivore-Fingerprint: header. On receipt, herbrip will automatically verify that this matches the key. The two people communicating can talk by phone or whatever and exchange their fingerprints and see if they match the ones they are getting in emails.

(2) herbivore messages could also contain a X-Herbivore-URL: header, which would be the http or ftp URL containing the public key. The adversary would have to subvert this too, which might be difficult since Alice could arrange for it to be held by a web server run by a different ISP (and even on a different continent) to the ISP that publishes her email.

(3) herbivore headers could also appear on Alice's Usenet posts. Here, the adversary would have to subvert Usenet servers as well as Google's Usenet storage facility.

I don't know how easy man-in-the-middle attacks are. But I suspect they are quite hard to do, expecially in the light of 2 and 3 above. One thing that Herbivore is intended to counter is the routine collection of all email by governments; clearly a man-in-the-middle attack on everyone would be totally impractical. On one person it might be doable, but on the other hand would be as likely as not to raise the target's awareness that they are being spied on, so in practise if an adversary was prepared to go to the trouble of doing it, they'd be more likely to just burgle the target's house and get their secrets that way.

By Philip Hunt, philh@comuno.freeserve.co.uk.
Got a question about Herbivore? Then ask me.
Last altered: 15 Jan 2002.