How is wormhole more secure than attaching something to an email?

[roim]

Hi, thanks for the service!

I'm wondering how using wormhole (eg. pasting a link to some E2E encrypted document over email, or whatever other medium you would use to send the link) is more secure than just attaching the document directly?

If anyone with access to the link can open it, wormhole only provides benefits as long as the link is more secure than an attachment in the medium of choice. Any medium I can think of is at least as secure when sending text or an attachment, and so wormhole is detrimental as it add more complexity with 0 benefit. Additionally, most mediums are less secure over text. E.g. text body in an email can be accessed by the browser and any extensions when using an web-browser based client, while attachments might not be.

I can see the benefit of using wormhole if your medium doesn't support attachments (and so you would resort to, say, uploading something publicly on imgur.com), but sadly that is not how people are using this service.

For context, a health insurance provider asked me to send them sensitive information over a completely insecure medium, but said it was secure because it is using wormhole's E2E encryption. This type of behavior completely defeats the purpose of a service like this (it makes people use insecure mechanisms when more secure options are available). Unless I'm missing something, could wormhole add a warning to their users?

[feross]

Thanks for the thoughtful question. I'll try my best to answer:

You shouldn't send important documents that contain sensitive information using email for two main reasons:

1. Your files will sit in the recipient's inbox forever.

   Given the way that most people use email – never deleting mail – it is very likely that your files will sit in the recipient's inbox indefinitely. You're trusting the security of their email provider, their local device, their personal password management practices, etc. to be secure indefinitely into the future. If they slip up, your files are compromised and available to an attacker.

   With Wormhole, your end-to-end encrypted files are deleted from our servers and so the link that sticks around in their inbox is useless to an attacker.

2. Your files will be used by your and the recipient's email provider (Google, Microsoft, etc.)

   While Google has finally stopped its long-standing practice of scanning the contents of individual Gmail inboxes for advertising purposes, there is still risk with giving a copies of your files to providers. For one, they can change these policies in the future at any time. And second, companies must process government data requests (both legal and illegal ones) and may be subject to illegal dragnet spying programs. By attaching a file in plaintext, you're making it easier for these programs to work effectively. A Wormhole link, on the other hand, will likely be expired by the time anyone attempts to (illegally) look at it.

I'm intentionally not discussing the scenario where your email is being actively monitored by an adversary. In this case, you are correct that the adversary can just click on the Wormhole link before it expires and they will have be able to access your files. This is not ideal, but it's still an improvement over sending the data directly over insecure email because it increases the requirements for a successful attack. A successful attacker must now process emails in real-time, parse out Wormhole links, visit them, trigger file downloads of potentially multi-GB files, store them, and associate them with the original email in question. Obviously, this is possible, but it's a much higher bar than a passive attacker who e.g. searches through somone's emails years after the fact.

Finally, if you are concerned about an active attacker, you can remove the secret key (the part after the # character) from the URL and send it separately over another medium (read it over the phone, secure chat, or just send it through another insecure medium to make it harder to figure out what the key is for).

We're planning to add optional password protection – it's on our roadmap – which will help with this scenario. If you add a password and take care to send it to the recipient securely out-of-band, then you have additional protection against an active attacker. Stay tuned for that.

Hope this was helpful!

[roim]

Thanks @feross, this clarifies what the potential use cases for wormhole vs email are.

I like the password idea, although that seems similar to just sending the secret key out of band (except, I assume, the password can be chosen arbitrarily?).

I still think it's problematic if users don't understand what the limitations of wormhole are, and so just send their links over insecure channels. At that point the only material benefit seems to be 24h expiration--maybe that deserves a warning, FAQ entry, or similar--but that's orthogonal to my original question.