Very cool open-source project VeraCrypt is all over the news this
week, it seems. First when they announced that they were going to
perform a formal third-party code audit, and had come up with
the funds to pay for it; and then today when they claimed their
emails were being intercepted by a “nation-state” level actor.
The audit is great news, and once it’s complete I think we’ll have
even more confidence in VeraCrypt as a successor to TrueCrypt (which
suffered from a bizarre developer meltdown1 back
The case of the missing messages
However, I’m a bit skeptical about the email-interception claim, at
least based on the evidence put forward so far. It may be the case —
and, let’s face it, should be assumed — that their email really is
being intercepted by someone, probably multiple someones. Frankly, if
you’re doing security research on a “dual use” tool2 like
TrueCrypt and don’t think that your email is being intercepted and
analyzed, you’re not participating in the same consensus reality as
the rest of us. So, not totally surprising on the whole. Entirely
What is weird, though, is that the evidence for the interception is
that some messages have mysteriously disappeared in transit.
That doesn’t really make sense. It doesn’t really make sense from the
standpoint of the mysterious nation-state-level interceptor, because
making the messages disappear tips your hand, and it also isn’t really
consistent with how most modern man-in-the-middle style attacks work.
Most MITM attacks require that the attacker be in the middle, that is,
talking to both ends of the connection and passing information. You
can’t successfully do most TLS-based attacks otherwise. If you’re
sophisticated enough to do most of those attacks, you’re already in a
position to pass the message through, so why not do it?
There’s no reason not to just pass the message along, and that plus
Occam’s Razor is why I think the mysteriously disappearing messages
aren’t a symptom of spying at all. I think there’s a much more
prosaic explanation. Which is not to say that their email isn’t
being intercepted. It probably is. But I don’t think the missing
messages are necessarily a smoking gun displaying a nation-state’s
An alternative, if more boring, explanation to why some messages
aren’t going through has to do with how Gmail handles outgoing email.
Most non-Gmail mailhosts have entirely separate servers for incoming
and outgoing mail. Outgoing mail goes through SMTP servers, while
incoming mail is routed to IMAP (or sometimes POP) servers. The
messages users see when looking at their mail client (MUA) are all
stored on the incoming server. This includes, most critically, the
content of the “Sent” folder.
In order to show you messages that you’ve sent, the default
configuration of many MUAs, including Mutt and older versions of Apple
Mail and Microsoft Outlook, is to save a copy of the outgoing message
in the IMAP server’s “Sent” folder at the same time that it’s sent to
the SMTP server for transmission to the recipient.
This is a reasonable default for most ISPs, but not for Gmail. Google
handles outgoing messages a bit differently, and their SMTP servers
have more-than-average intelligence for an outgoing mail server. If
you’re a Gmail user and you send your outgoing mail using a Gmail SMTP
server, the SMTP server will automatically communicate with the IMAP
server and put a copy of the outgoing message into your “Sent”
folder. Pretty neat, actually. (A nice effect of this is that you
get a lot more headers on your sent messages than you’d get by doing
the save-to-IMAP route.)
So as a result of Gmail’s behavior, virtually all Gmail users have
their MUAs configured not to save copies of outgoing messages via
IMAP, and depend on the SMTP server to do it instead. This avoids
duplicate messages ending up in the “Sent” folder, a common problem
with older MUAs.
This is all fine, but it does have one odd effect: if your MUA is
configured to use Gmail’s SMTP servers and then you suddenly use a
different, non-Google SMTP server for some reason, you won’t get the
sent messages in your “Sent” box anymore. All it takes is an
intermittent connectivity problem to Google’s servers, causing the MUA
to fail over to a different SMTP server (maybe an old ISP SMTP or some
other configuration), and messages won’t show up anymore. And if the
SMTP server it rolls over to isn’t correctly configured, messages
might just get silently dropped.
I know this, because it’s happened to me: I have Gmail’s SMTP servers
configured as primary, but also have my ISPs SMTP set up in my MUA,
because I have to use them for some other email accounts that don’t
come with a non-port-25 SMTP server (and my ISP helpfully blocks
outgoing connections on port 25). It’s probably not an uncommon
configuration at all.
Absent some other evidence that the missing messages are being caused
by a particular attack (and it’d have to be a fairly blunt one, which
makes me think someone less competent than nation-state actors), I
think it’s easier to chalk the behavior up to misconfiguration than to
Ultimately though, it doesn’t really matter, because everyone ought
to be acting as though their messages are going to be intercepted as
they go over the wire anyway. The Internet is a public network: by
definition, there’s no security guarantees in transit. If you want to
prevent snooping, the only solution is end-to-end crypto combined with
good endpoint hygiene.
Here’s wishing all the best to the VeraCrypt team as they work towards
the code audit.
1: Those looking for more information on the TrueCrypt debacle
can refer to this Register article or this MetaFilter
discussion, both from mid-2014. This 2015 report
may also be of interest. But as far as I know, the details of what
happened to the developers to prompt the project’s digital
self-immolation are still unknown and speculation abounds
about the security of the original TrueCrypt.
2: “Dual use” in the sense that it is made available for use by
anyone, and can be therefore used for both legitimate/legal and
illegitimate/illegal purposes. I think it goes almost without saying
that most people in the open-source development community accept the
use of their software by bad actors as simply a cost of doing business
and a reasonable trade-off for freedom, but this is clearly not an
attitude that is universally shared by governments.