TOFU: showing statistics is important

Neal H. Walfield neal at walfield.org
Wed Oct 21 15:15:30 CEST 2015


Hi Andre,

At Tue, 20 Oct 2015 19:46:23 +0200,
Andre Heinecke wrote:
> - In KMail / with Kleopatra  messages signed with previously unknown keys are 
> shown as a good (green) signature with the details:

Green should mean that not only is the signature correct, but the key
is fully trusted (manually verified).  If the signature is correct but
the key hasn't been verified (e.g., marginal) then it should be yellow
and a tooltip should explain (or provide a link explaining) how to
verify the key.

> The signature is valid and the key is marginally trusted.
> 
> (Btw. I think that trust is the wrong word here but that's unrelated as this 
> is KMail internal ;-) )
> 
> While this appears basically OK to me, this is probably too little 
> information. But I think it could work (without changes to KMail or Kleopatra 
> necessary) if we would implement gpgme getauditlog for OpenPGP and fill it 
> with the tofu statistics shown on the command line.
> More detailed verify information for OpenPGP as part of the Auditlog is 
> something we already have our TODO list for the Gpg4all project. So we could 
> probably add tofu details as part of that work?

It is essential that the statistics be shown to the user.

There is an important difference between how TOFU works with OpenPGP
and how it works with ssh.  In ssh, the user enters the hostname.  In
OpenPGP, the attacker controls the user id.  Since TOFU's security
measure is to identify and warn users of conflicts (multiple keys
using the same email address), an attacker can just choose a different
email address.  To make this more difficult, we display the email
address.  If it is obviously wrong, the user will hopefully notice.
(Note: email clients should also display a warning if the sender
doesn't match a signer.  AFAIU, only Claws and KMail do this.)  This
forces the attacker to choose a similar-looking email address.  To
mitigate this attack, we show statistics about the number of messages
that we've seen that are signed by the binding.  Further, if this
number is low (< 10), we also display a warning message.  If this is
unexpectedly low, the user will hopefully become suspicious.

So, yes, you are right, the audit log should contain the TOFU output.

Thanks!

:) Neal
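The TOFU checks described in the mail above (conflict detection for several keys on one address, the sender-vs-signer check, and the message-count statistic with its "fewer than 10" warning), as an added illustration in Python. This is not GnuPG's or KMail's code; the `TofuStore` class, its method names and the sample addresses and fingerprints are constructed for this example.

```python
from collections import defaultdict

# Threshold from the mail: fewer than 10 signed messages seen for a binding is "low".
LOW_COUNT_THRESHOLD = 10


class TofuStore:
    """Hypothetical in-memory TOFU binding database (not gpg's own tofu.db)."""

    def __init__(self):
        # binding (email, fingerprint) -> number of correctly signed messages seen
        self.counts = defaultdict(int)

    def record_signature(self, email, fingerprint):
        """Record one cryptographically valid signature for this binding."""
        key = (email.lower(), fingerprint)
        self.counts[key] += 1
        return self.counts[key]

    def keys_for(self, email):
        """All fingerprints ever seen with this exact e-mail address."""
        return sorted(fp for (e, fp) in self.counts if e == email.lower())

    def assess(self, email, fingerprint, envelope_sender=None):
        """What a client should show for one valid signature: (count, warnings).

        An empty warnings list still only justifies 'yellow' (unverified);
        'green' needs manual verification, which TOFU statistics never provide.
        """
        email = email.lower()
        count = self.counts.get((email, fingerprint), 0)
        warnings = []
        others = [fp for fp in self.keys_for(email) if fp != fingerprint]
        if others:
            # The TOFU conflict case: several keys use the same e-mail address.
            warnings.append("CONFLICT: %s also used by %s" % (email, ", ".join(others)))
        if envelope_sender is not None and envelope_sender.lower() != email:
            # The client-side check the mail asks for: sender vs. signer.
            warnings.append("sender %s does not match signer %s" % (envelope_sender, email))
        if count == 0:
            warnings.append("no earlier messages seen for this binding")
        elif count < LOW_COUNT_THRESHOLD:
            warnings.append("only %d message(s) seen for this binding" % count)
        return count, warnings
```

Note that a user id on a different (similar-looking) address never triggers the conflict warning; only the displayed address, the sender check and the zero count give the user something to notice, which is the point the mail makes.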