Reply To: Version 1.7

#4492

Disappointed

This scenario has occurred to me:

  • Alice encrypts a file with AxCrypt, secured with an account key
    • Alice emails the file to Bob
  • Mallory has an ongoing MitM attack against Bob’s email (or some other attack)
    • Mallory receives the encrypted file
    • Mallory receives an AxCrypt invite
    • Mallory signs up for AxCrypt and prevents the invitation being sent to Bob
      • Or, Mallory forwards on either or both emails to Bob to avoid raising suspicion
  • Bob receives the encrypted file
    • Bob receives an AxCrypt invite
    • Bob tries to sign up but can’t (Mallory has already signed up before him)
    • Alice and Bob blame AxCrypt

Apart from sharing a non-sensitive file first, or sending really sensitive encrypted files over a different medium, how does AxCrypt mitigate this type of attack?

  • Where is the private key stored?
  • Is the key on AxCrypt’s servers and, if so, who has access to it? (I realise that it’s protected with the user password)
  • What is there to stop a hacker from changing the key on your servers and encrypting a user’s data with their key so that they can decrypt the file/s?
  • Can a user export his key?