| Herbivore: enhancements, pitfalls, and other issues |
Top : Open Source : Herbivore : Issues
A list of pitfalls, unresolved problems with the Herbivore specification & system, possible future enhancements, and other issues to do with Herbivore.
There is the possibility of a man-in-the-middle attack, unless the public key is verified by another pathway; such verification detracts from the aim of ease-of-use of the system: it should be as nearly as possible transparent to the user. One possibility would be to signal in a Herbivore header a URL containing the GPG key. Of course, the man-in-the-middle could simply insert a different URL. But the user could be asked to manually check that the URL given is part of a website run by the real person the email is from.
For the system to work with mailing lists, the list itself will have to know about the protocol. Even then, that wouldn't work, unless everyone on the list was using a compliant MUA, because if some MUAs wanted unencrypted email, the adversary would be able to read those copies. Similar comments apply to email sent to more than one recipient. Perhaps a Herbivore-compliant mailing list manager could be written as a separate application; this could use techniques to foil traffic analysis such as a time delay before forwarding mail, and the forwarding of randomly-sent blank mail.
Another techique for improving security would be to randomly add some garbage to the end of emails, so an adversary cannot get useful information out of knowing how big the encrypted message is. Such a block could have a 1/2 chance of being 1K long, a 1/4 chance of being 2K, a 1/8th chance of being 4K, etc, up to some arbitrary maximum length.
An adversary could use traffic analysis to gain useful information about Herbivore users. To help foil this, a Herbivore system could automatically send marked-blank emails to other Herbivore systems. These would be decoded on reception, and the receiving Herbivore system would then know they were blank and wouldn't need to bother the user. This feature could be user-configured, with a default of sending one blank email per day.
For good security, the Subject: header in emails should also be encrypted, as should any other headers which might help an adversary gain useful information.
It would be desirable to have some way of automatically altering keys. For example, a Herbivore MUA could be set up to generate a new public/private key pair once a month. The old keys would then be thrown away, with perhaps a window of a few days where both key-sets would be in operation. Herbivore MUAs would then need to have some way of interrogating each other for new keys and finding out when a key is likely to be replaced.
Herbivore could be enhanced by allowing it to automatically add a GPG signature to emails it sends. This might be especially useful in a Herbivore-aware mailing list system, where each member of the list wouldn't know who the other members were, but might want to know which emails came from the same person. (In other words, anonymous reputation by GPG-key).
A herbivore system should also put herbivore headers on Usenet posts. This broadcasts the user's public key, so other Herbivore users can communicate with them using encryption. It also makes man-in-the-middle attacks harder, by providing an alternative route of transmission of public keys.
By Philip Hunt,
philh@comuno.freeserve.co.uk
Last altered: 7 Jun 2001.