October 23, 2016 at 22:58 #4492
This scenario has occurred to me:
- Alice encrypts a file with AxCrypt, secured with an account key
- Alice emails the file to Bob
- Mallory has an ongoing MitM attack against Bob’s email (or some other attack)
- Mallory receives the encrypted file
- Mallory receives an AxCrypt invite
- Mallory signs up for AxCrypt and prevents the invitation being sent to Bob
- Or, Mallory forwards on either or both emails to Bob to avoid raising suspicion
- Bob receives the encrypted file
- Bob receives an AxCrypt invite
- Bob tries to sign up but can’t (Mallory has already signed up before him)
- Alice and Bob blame AxCrypt
Apart from sharing a non-sensitive file first, or sending really sensitive encrypted files over a different medium, how does AxCrypt mitigate this type of attack?
- Where is the private key stored?
- Is the key on AxCrypt’s servers and, if so, who has access to it? (I realise that it’s protected with the user password)
- What is there to stop a hacker from changing the key on your servers and encrypting a user’s data with their key so that they can decrypt the file/s?
- Can a user export his key?