
> Snowden had forgotten to attach his key, which meant I could not encrypt my response.... His oversight was of no security consequence—it didn’t compromise his identity in any way...

Uh, didn't it compromise security by making it possible for someone else to MITM the rest of the emails Snowden received? They see the public key request before he does, send out their key instead, suppress his real response from being sent to them, decrypt mails to him and re-encrypt with his real key so he doesn't notice. AFAICT it indeed didn't compromise his identity, but the privacy and authenticity of the rest of the conversation.

Granted, like a lot of MITM scenarios, using crypto at all drastically raises the bar from permitting passive eavesdropping, to requiring a lot of access and agility to eavesdrop. At least, this is my personal, semi-informed conclusion lately -- I don't know what the experts say.




> Uh, didn't it compromise security by making it possible for someone else to MITM the rest of the emails Snowden received?

Yes. The solution is to make him repeat his original message as well, which couldn't have been intercepted because it was encrypted with our own key.


No, that is not a solution. If they swapped the public key they can read the message being sent back (it is encrypted with their public key), then encrypt it again with the real public key.

The only solution is to use another channel to authenticate the other's key, be it GPG's web of trust, or any other imperfect way (phone call, physically meeting, ...)


I believe there is an in-band solution to this.

First, agree on a reply latency -- say, 1 day. Then, instead of simply replying to a message, you have an irritating four-step process:

  1. Wait until one day after you received the message.

  2. Send a digest of the message and your public key.

  3. Wait another day.

  4. Send the message itself.

All that sending would be using PGP.

The receiver must make sure that the delays for receiving the digest and the reply body are what they expect. This method requires a MITM to either anticipate what the message is or introduce an extra day of latency, which the receiver would notice.


You don't ask for your message back, you ask for the message Snowden sent again. The MITM-party can't have that, assuming that Snowden started with your correct public key.


But no more insecure than the original interaction. It's a generic problem with anonymous public key crypto. Hence the stuff with the twitter fingerprint.


Twitter fingerprint was for Laura's key. Micah's public key was already published and already signed by other known people, so Snowden was sure that only Micah can read the e-mails for Micah, unless somebody hacked Micah's computer, when all bets are off and GPG doesn't help anyway.


> unless somebody hacked Micah's computer

Which might be entirely possible, as Micah has done work for the EFF.


Yes, but the Man in the Middle could very well be the author of the e-mail to Micah, couldn't he? Micah would then have tweeted a fingerprint leading to eavesdropping.


No, not "eavesdropping." The fingerprint is only a fingerprint and only of the public key. It doesn't give new secrets away. Nobody can use it to read any mails of somebody else.



