
ZIVVER email, niet de 'betere' veiligheid die ze pretenderen?

12-09-2019, 09:49 by Anoniem, 0 replies
A reaction from a student to a question during awareness training: "What do you think of ZIVVER as a replacement for PGP / S/MIME?"

--
"I'm not a security expert, so I'll just take a stab at it:

1) ZIVVER stores all the private keys, encrypted with symmetric encryption, on their server. Once a user obtains the symmetric key, they have access to all private keys. Unless the private keys are protected by a passphrase, an attacker can decrypt all messages on the server.

Looking at the chapter:
- 8.8 Regrant access to the message history of a user

it does not look like the private keys are protected by a passphrase, because it is possible for an admin to decrypt all old private keys with the old derived key when a user has forgotten his password.
After these actions the users can re-access their messages and files sent and received before their password was reset.

ZIVVER should use an HSM to store the private key instead of a symmetric key; https://www.ciphermail.com/blog/using-an-hsm-to-protect-your-encryption-and-signing-keys.html

2) The ZIVVER web application uses TLS 1.2; TLS 1.2 can be attacked by the ‘New Zombie POODLE vulnerability’ or by the GOLDENDOODLE attack.

Background:
“Researchers have revealed two new vulnerabilities in the TLS 1.2 protocol which allow attacks similar to POODLE to breach it. The source of the attack is in TLS 1.2’s support for the outdated cryptographic method, cipher block chaining (CBC).
Using the CBC method allows man-in-the-middle attacks (MITM) on users’ encrypted web and VPN sessions. By slightly tweaking the familiar POODLE attack, it is possible to hack systems that still hadn’t fully stopped using outdated crypto methods.

Another vulnerability was also found in TLS 1.2 which allows the GOLDENDOODLE attack to breach outdated crypto methods. GOLDENDOODLE is similar to, yet more powerful than, the POODLE attack. It has more powerful and rapid hacking abilities, and even if a system has fully eradicated the POODLE flaw, it could still be vulnerable to GOLDENDOODLE attacks.”

3) Long lifetime for tokens;

“The refresh token is valid for 30 days and can only be renewed by the user specifying the password. A session can be terminated (i.e. logged out) at any moment by presenting either the access or refresh token to the revoke endpoint (RFC7009). Existing JWTs are invalidated server side, because the JWT lifetime cannot be changed in retrospect after being issued to the client.”

So there is a risk that when captured data has been decrypted using the POODLE or GOLDENDOODLE attack, you can gain access to a refresh token, and thus have access to all messages.

4) Decryption is not end-to-end, which means that the whole reason for having asymmetric encryption is lost.
- One uses a public key to verify the identity of the sender;
- One uses the public key to create a secure channel with the sender, by encrypting the message with the public key;

5) A last remark:

The company focuses on compliance. For businesses that is an increasingly valuable function in communication, and although ZIVVER may use some open technologies underneath, they have kept the ecosystem closed and made everything closed-source to prevent competitors from offering the same service to businesses.
https://tweakers.net/nieuws/141417/protonmail-introduceert-pgp-ondersteuning-en-adresverificatie.html
"
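A check for point 2 that a defender would actually run, added here and not part of the student's post or of ZIVVER's material: Zombie POODLE and GOLDENDOODLE are padding-oracle attacks on CBC-mode cipher suites, so what to verify in a TLS 1.2 deployment is that only AEAD suites (GCM, ChaCha20-Poly1305) can be negotiated. The example uses only the Python standard library; the cipher string in hardened_context() is an assumption about what a deployment can support, not anything taken from ZIVVER's documentation.

```python
import ssl


def cbc_suites(ciphers):
    """Return the names of the non-AEAD (i.e. CBC-mode) suites in `ciphers`,
    the list-of-dict format produced by SSLContext.get_ciphers().  Every
    TLS 1.2 suite that is not AEAD uses CBC, which is the construction the
    Zombie POODLE / GOLDENDOODLE padding-oracle attacks target."""
    weak = []
    for c in ciphers:
        # 'aead' is set by CPython on OpenSSL 1.1+; fall back to the
        # OpenSSL description string ("Mac=AEAD") on older builds.
        aead = c.get("aead", "Mac=AEAD" in c.get("description", ""))
        if not aead:
            weak.append(c["name"])
    return weak


def hardened_context():
    """Client context that offers AEAD suites only and refuses anything
    below TLS 1.2.  The cipher string is an assumption about the
    deployment, not a ZIVVER setting."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5")
    return ctx


def audit(ctx):
    """Summarise whether a context can still negotiate a CBC suite."""
    weak = cbc_suites(ctx.get_ciphers())
    return {
        "min_version": ctx.minimum_version.name,
        "cbc_suites": weak,
        "ok": not weak,
    }


# Constructed sample in get_ciphers() format, so the classifier can be
# exercised independently of the local OpenSSL build.
SAMPLE_CIPHERS = [
    {"name": "ECDHE-RSA-AES128-SHA256", "protocol": "TLSv1.2", "aead": False},
    {"name": "ECDHE-RSA-AES256-SHA", "protocol": "TLSv1.2", "aead": False},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "aead": True},
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3", "aead": True},
]

if __name__ == "__main__":
    print("OpenSSL default context:", audit(ssl.create_default_context()))
    print("hardened context:       ", audit(hardened_context()))
```

Running the block prints which CBC suites the local OpenSSL default still offers next to the hardened context's empty list, so the same audit() can be pointed at whatever context a client or proxy actually uses.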