Recursive Encryption

[Roger]

As a test I added the Windows folder as a Secured Folder.

I removed it very quickly but it didn’t give any warning.

I know the software is designed to prompt if you try and use recursive encryption from the right click menu but adding it as a Secured Folder gives no warning.

This could potentially cause an inexperienced user to lose access to their system if the feature is implemented correctly!

[https://forum.axcrypt.net/pricing/Roger]

You could also update your Pricing page to show that Recursive Encryption is a benefit of becoming a Premium customer.

On or near your SHA hashes page it would be good if you showed the SSL certificate thumbprint for your website. My company intercept SSL as part of the firewall monitoring service so it’d be good for technical users to have a definitive reference of the correct thumbprint.

• SHA256 – 55:93:B8:9D:D5:85:5D:67:B1:07:33:54:DE:2B:0E:1D:11:25:6D:D7:32:FC:CB:72:48:72:7E:D9:78:11:94:1D
• SHA1 – 2F:FC:5C:E8:C6:87:FF:AE:23:18:6F:16:47:F9:EF:A7:22:D7:0A:99

Even your account page extended SSL certificate gets downgraded to a regular SSL certificate by our company firewall.

• SHA256 – 13:C1:DD:1A:D7:C4:7D:A0:70:F9:06:9B:D1:DC:9A:C9:42:D6:43:57:BF:E1:2E:95:18:32:48:48:A3:12:9B:E0
• SHA1 – B7:57:23:9E:E3:D2:1F:88:A1:64:BA:A6:A5:16:19:AD:B2:BE:50:C2

I assume these are the correct thumbprints but having them published on your website would mean that all but the most determined of attackers (who’d inject fake thumbprints in real time) would be foxed by having this information readily available.

[SvanteSpectator]

Hello Roger,

We should definitively warn (actually not accept) forbidden folders as watched folders. If it’s any consolation, they should be ignored since they are on the forbidden list. But they should not even be accepted. See https://bitbucket.org/axantum/axcrypt-net/issues/298/secured-folder-should-forbid-adding . Thanks!

As for SSL thumbprints, the thumbprint is not intended to be used for security, but for reference (i.e. to easily identify which certificate to use from a certificate store etc). You should only validate the certificate based on the trust.

An attacker can’t “inject fake tumbprints in real time”, it’s just a hash of the certificate, it’s not an integral part of the certificate.

Still, it doesn’t hurt, but the important part is really that it’s issued by the correct trusted authority. If you’d like to protect against various forms of man-in-the-middle scenarios, you should verify that it’s issued by the right authority – not any authority that your computer happens to trust, which may be more than you want – perhaps due to an attacker or your company having injected their own root certificate as trusted.

Anyway, see the updated https://forum.axcrypt.net/cryptographic-hashes-files/ .

[Roger]

An attacker can’t “inject fake tumbprints in real time”, it’s just a hash of the certificate, it’s not an integral part of the certificate.

I was meaning the attacker can inject the fake thumbprint onto your website as text if they’re using SSL interception tools. I know they can’t change the actual hash of the certificate because that’s computed.

I was suggesting that a really sophisticated attacker could strip the SSL, replace it with their own root certificate and then change any resulting text on your webapges. Very unlikely but possible. The far more common scenario is routine SSL stripping/interception.

I’ve seen the updated page – this is good now, thankyou. This makes it easy for users to check if their computer manufacturer or antivirus company is stripping ‘good’ SSL and replacing it with their own.

[Author]

Posts