Could deltachat be vulnerable to marvin attack?
I have been trying deltachat for a few days now, and apart from some *little annoyances due to using mail servers, I really like the idea. However, I was wondering if deltachat was in any way vulnerable to marvin-type attacks.
*For the record I want to mention them but I don't think they deserve the "bug" qualification:
- if the mail server has problems at a certain time, unsent messages could be sent later so that the chronological order of messages is not respected
- I wanted to report that the email provider “libero.it” works without having to do any special preparation, then I reconsidered when I saw that they can temporarily block sending and receiving of messages when you have sent too many emails
https://github.com/RustCrypto/RSA/issues/19 is an open issue in the RSA implementation used by Delta Chat. Newly generated keys are Ed25519 so they are not affected. I also don't think timing attacks on OpenPGP are practical, but it is indeed better not to use RSA keys until the issue is fixed.
WIP fix is at https://github.com/RustCrypto/RSA/pull/394
Here is a previous discussion: https://github.com/deltachat/deltachat-core-rust/pull/5054
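Added example (not part of the thread, and not Delta Chat or RustCrypto code): the reply above separates RSA keys from the Ed25519 keys generated for new profiles, so this Python code reads the public-key algorithm ID from every key and subkey packet of an OpenPGP key and flags the RSA ones. The function names are illustrative and the sample packets are constructed, with dummy bytes in place of key material.

```python
import base64

# OpenPGP public-key algorithm IDs as registered in RFC 9580; 1-3 are the RSA variants.
ALGOS = {1: "RSA", 2: "RSA", 3: "RSA", 16: "Elgamal", 17: "DSA", 18: "ECDH",
         19: "ECDSA", 22: "EdDSA", 25: "X25519", 27: "Ed25519"}
KEY_TAGS = {5: "secret key", 6: "public key", 7: "secret subkey", 14: "public subkey"}

def dearmor(text):
    """Decode an ASCII-armored block to binary packets (CRC line skipped, not checked)."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = lines[lines.index("") + 1:]  # armor headers end at the first blank line
    return base64.b64decode("".join(l for l in body if not l.startswith(("=", "-----"))))

def packets(data):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new format: tag in the low 6 bits, 1/2/5-octet length
            tag, length, i = hdr & 0x3F, data[i + 1], i + 2
            if 192 <= length < 224:
                length, i = ((length - 192) << 8) + data[i] + 192, i + 1
            elif length == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            elif length >= 224:
                raise ValueError("partial body lengths are not handled")
        else:  # old format: tag in bits 5-2, length type in bits 1-0
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if n == 8:
                raise ValueError("indeterminate length is not handled")
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def key_algorithms(data):
    """Return (packet kind, algorithm, is_rsa) for every key and subkey packet."""
    out = []
    for tag, body in packets(data):
        if tag in KEY_TAGS:
            algo = body[7] if body[0] <= 3 else body[5]  # v3 layout vs v4 and later
            out.append((KEY_TAGS[tag], ALGOS.get(algo, f"unknown({algo})"), algo in (1, 2, 3)))
    return out

# Constructed samples: real header layout, two dummy bytes instead of key material.
ED_KEY = bytes([0xC6, 8, 4, 0, 0, 0, 0, 22, 0xAA, 0xBB, 0xCD, 1, 0x41,  # EdDSA key, user ID
                0xCE, 8, 4, 0, 0, 0, 0, 18, 0xAA, 0xBB])                # ECDH subkey
RSA_KEY = bytes([0x99, 0, 8, 4, 0, 0, 0, 0, 1, 0xAA, 0xBB])             # old-format RSA key
```

For an armored key file, pass its text through `dearmor()` first and hand the result to `key_algorithms()`; any entry with the last field `True` is an RSA key or subkey.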
@vinniec2 with respect to the inconveniences you mentioned, in fact that depends on the email server you use. The one you mentioned is likely impractical to use for chatting actively, so better use it for email-speed relaxed conversations and add another account to your Delta Chat using one of the many available chatmail servers that don't have such rate limits on the number of messages sent per hour/day; check https://delta.chat/chatmail
> if the mail server has problems at a certain time, unsent messages could be sent later so that the chronological order of messages is not respected
This is partially addressed by reordering unseen messages based on the sender timestamp on the receiver. As long as control messages such as member additions and removals to the chat are not reordered, this should not be a problem.
> @vinniec2 with respect to the inconveniences you mentioned ... check https://delta.chat/chatmail
Yes I have tried them and those servers work very well (also I have seen that they support double check marks for successful receipt). However, I may be a strange user, but I find Deltachat's feature of working even with common mail servers to be the outstanding feature. Being able to have the chat open and still receive my emails has meant that I have adopted Deltachat even without knowing almost anyone who uses it (I have shared it with two people and am trying to seduce a third). Today for the first time I tried to send a classic email to an address, it seems to work even though it isn't possible to enter the subject line. I don't think the ability to insert the subject works well with deltachat style (it aggregates all the emails exchanged with an address into one single conversation) and not having folders to separate the emails makes the contact list too confusing, however the simplicity with which I can have an email client with the ability to incorporate an encrypted chat client makes me a Deltachat enthusiast!
> This is partially addressed by reordering unseen messages based on the sender timestamp on the receiver. As long as control messages such as member additions and removals to the chat are not reordered, this should not be a problem.
but when this reordering is done is there a notification? because then you might not see the messages if they are put back in the history.
> Yes I have tried them and those servers work very well (also I have seen that they support double check marks for successful receipt).
Double checkmark for read receipts works even outside chatmail, this feature existed even before the first chatmail setup.
> Today for the first time I tried to send a classic email to an address, it seems to work even though it isn't possible to enter the subject line.
If you want to set the subject, you can create a new chat. Chat name goes into subject, so you essentially start a new email thread this way.
> but when this reordering is done is there a notification? because then you might not see the messages if they are put back in the history.
New messages are always added below the most recent read message so you will not miss messages because they are mixed in the chat history.
> Double checkmark for read receipts works even outside chatmail, this feature existed even before the first chatmail setup.
Strange because I am using a normal email (precisely from “libero.it”) with people who use instead a quick email provided by Deltachat and there is no double check mark. (The messages are encrypted, there is also the little lock icon). The double check appears when we both use Deltachat-specific emails instead. I just verified.
> If you want to set the subject, you can create a new chat. Chat name goes into subject, so you essentially start a new email thread this way.
great, I will try as soon as possible
> New messages are always added below the most recent read message so you will not miss messages because they are mixed in the chat history.
And then at what time are they reordered in the history?
> The double check appears when we both use Deltachat-specific emails instead.
Do you have "Read Receipts" enabled in your non-chatmail profile? If yes, could you try to disable and re-enable it, maybe there's some bug with the setting display?
> And then at what time are they reordered in the history?
Once a message is displayed in the chat, it preserves its order forever. Reordering happens only when a message is added -- if the message is not yet seen, even if it's old as per its "Date", it is sorted down so that the user sees it when they open the chat next time. So, messages aren't always sorted chronologically, but I have no better idea here.
On Sat, Sep 28, 2024 at 01:57 -0700, vinniec2 wrote:
> I don't think the ability to insert the subject works well with how deltachat style (it aggregates all the emails exchanged with an address into one single conversation) and not having folders to separate the emails makes the contact list too confusing, however the simplicity with which I can have an email client with the ability to incorporate an encrypted chat client makes me a Deltachat enthusiast!
great to hear :)
Please be aware that there are more deficiencies when using it as a regular e-mail client, and the "real" fix for that would probably be an extra "classic compose-mail" UI interface, with subject lines, To/CC recipients, multiple attachments etc. We are generally careful to not complicate the "classic chatting experience" with the "classic e-mail experience" as much as we can. Moreover, the focus is currently on new "chatmail" onboarding folks who don't really care that it's e-mail under the hood but appreciate its "no-private-data decentralized secure messaging solution".
I think that can be closed; it is getting off-topic and the initial question is answered at https://github.com/deltachat/deltachat-core-rust/issues/5947#issuecomment-2325310930
discussion of course can continue, but closing this as there is no actionable item.