Re: [openpgp] New encryption formats for messaging

[Christoph Anton Mitterer <calestyo@scientia.net>]

On Tue, 2015-03-24 at 01:03 +0000, ianG wrote: 
> Yahoo and google are at the forefront of secure email delivery.  They 
> are trying something nobody else has got anywhere near - so I don't see 
> how they can be called laggards.
Uhm? Forefront? All these technologies were implemented long before by
others...
I remember that not so long ago Yahoo was even criticised every now and
then since they didn't even offer https to their webmail.


And what can they do better/more than what we already do?
If they implement e2e crypto within their webinterfaces, one cannot
really trust it - not because they're evil per se, but because *if* some
bored NSA agent sends them a national security letter they'll have to
comply, and when there's a gag order they couldn't even tell.
If they "secure" the TOFU step it's the same,...


> the joke of security known as S/MIME... 
I can't say anything against that :D


> > Then we can probably abolish fingerprints verification in the next
> > versions of OpenPGP implementations altogether,... if TOFU works, why
> > should anyone bother to check their keys o.O
> The essence of TOFU is that it works in default mode, and gives you 
> tools to do better if you so desire.
And exactly this is also the point where it fails in practise:
None of the masses typically do so ever.


Worse, since the products/programs are now marketed as being secure,
everyone is even convinced that he'd be secure so doing more work (i.e.
real mutual authentication), which people were already reluctant to do
before, is now totally out of motivation.


And even worse, many applications/program actually stop giving you the
tools to do better - since nowadays it's enough to say "we do e2e crypto
with super-duper-algo XZY".

Take the current hype apps like TextSecure, which some campaigners
(heise and friends) advertise as the "good" tools (and as "usable"
instead of gnupg/PGP):
The mutual authentication step is basically completely hidden from the
user, much more than it used to be with most OTR implementations where
you got at least some dialogue that told you to do something.
But even if you know about that, you cannot do proper mutual
authentication - well it shows you the keys, but you cannot mark your
peers as trusted or not, which makes it useless when you have more than
a hand full of them.


>   Now, of course, the concept works 
> so well that one never bothers to check for the most part, so 
> fingerprint verification could be dropped and would still provide more 
> security than not using it.  Which is the goal.  So what you suggest is 
> not incompatible with the goal.
If at a certain point, everyone would believe in TOFU, what would
prevent NSA&Co. from simply MitM every single communication?
There'd be not mutual authentication, so they could be Mallory.
And technically they're definitely capable, even today. We know they sit
at all big internet exchanges, undersea cables, satellites and probably
even at the big players (Google, Cogent, and so on) whether they know
and are part of this or not.

Even if you assume, that *something* would happen, if they're caught by
MitM attacking connections, when someone finally actually does the
mutual authentication.
What do you think would happen? We found already out that they do mass
surveillance, hack devices, routers and break into our computers... and
did anything happen?


> But Mozilla
Which distributes clearly untrustworthy CAs (and this is not the only
outrageous security issue, when you look at many issues in their BTS).

>  and Microsoft have always been emotionally contorted 
> over it, and google has only recently started being serious, before 
> there mantra was "all your data base belong to us'.  The only player 
> that was ever serious about *the user* was Apple.
In the end, all of these would need to comply with their intelligence
agencies, and it's no so unlikely that they actually do.
Even security companies like RSA were caught.



> Those who push the old 'perfect 
> security models' mantra typically end up with an extremely narrow set of 
> compliance customers, or nothing.
I wouldn't say "nothing" ... it's simply the set of users who
*seriously* care about their security.
And yes, the set of e.g. OpenPGP users is probably small,... so what?


> But the fact remains:  Skype has other than yesterday never directly 
> harmed me.
Neither has me the NSA or the GHCQ, nevertheless I wouldn't want to
share my secret world domination plans with them ;)

>   Can't say the same for email, browsing, ...
Well I guess you can't really compare these.
Skype is a singly system completely in the hand of one company with only
little numbers of users compare to mail or web.
Of course it's much easier to "secure" that.


> So, what's my risk?  Microsoft (yawn).  NSA could get narked at my 
> repeated jabs at their Stasi behaviour, and stop me at the border.  Grab 
> my skype records and accuse me of naughty behaviour.  OK, I'll take that 
> risk.
If you feel like you want to share your stuff with them it's of course
okay,... but others might not want to.


> > Actually I don't. I just don't prioritise lesser experienced users over
> > experienced ones.
> > What I prioritise is the intention of crypto, which is security.
> Security is only measured by delivered results.  Let's say you improve 
> the lot of the experts by offering them cipher suites to choose from. 
> Hypothetically that improves the 0.1%, those that actually know what 
> those words mean.  OK, 1 billion browser users, that would say about 1 
> million know what a cipher suite is.  Exaggerated, but let's see where 
> this goes.
> 
> Let's say we double their utility.
> 
> But, putting in vanity ciphers as we used to call them causes 
> complexity.  A lot of problems in SSL would sweep away if we cut that 
> crap out.  E.g., Heartbleed and somewhere it was claimed $500m costs... 
>   So, let's say this all costs 1% for the masses.
> 
> Result:
> 
> Security = 1,000,000 * 2 + 1,000,000,000 * 0.99
> 
> Guess what?  Only the security delivered to the masses matters.
That's IMHO quite some weird argumentation...
- First it again prioritises one group over other, i.e. the minority of
  people who could be really secure don't count - just the masses who
  anyway reach just a certain security level.
- With the same argumentation you could also drop OpenPGP,... in
  practise X.509 is enough for the masses.
  Yes I know it's broken, and yes fraud happens, but not to an extent
  that it would really bother anyone (neither from the point of loosing
  confidentiality or authenticity, nor from financial reasons).
  Or do you see the masses demonstrating against X.509? Do you see many
  people from big banks sitting around in our IETF WGs demanding for
  security systems for their online banking?
  No.
- Actually even more, you could completely drop ALL encryption (not to
  confuse with authenticity/integrity protection).
  As you said yourself, the NSA probably never did anything very evil to
  the masses that they really effectively noticed (i.e. they didn't rob
  our bank accounts, or stole our private pictures).
  The same for online criminals,... integrity protection/authenticity
  would be largely enough do to secure shopping and online banking.
  What else could they do the masses? Okay stealing all private kinds of
  data, nude pictures transferred to the cloud or the secret diary.
  But if one sends such stuff to the iCloud,... well *owned*.
- Or you could project this to other areas,... take
  Linux/Unix/OpenSource.
  The masses were just happy with there Windoze boxes. Thus, by your
  argumentation, experts/others don't count, thus they have to use
  proprietary cr** as well.

This analogously works for the typical argumentation of opposing people
which typically say "it's useless to secure XZY, because there's still
the weaker element ABC of the chain".
Well there always is a weaker element in the chain, if you focus on that
you could never secure anything else.

Long story short:
I don't think that OpenPGP was ever the system of the masses, and
perhaps it even shouldn't be.
It's mostly used in areas and by people where TOFU isn't enough, or at
least I wouldn't want to get my signed Debian packages just by good luck
authentic.

All this doesn't mean that one should intentionally try to lock out the
masses by making things overly complex. It just means
- we shouldn't weaken the security/functionality of those who can
  actually use it, just for another group of people wo even doesn't care
  so much
- we shouldn't give people the wrong impression that security is for
  free, just by activating the "i-want-to-be-secure" switch.


> Which is why Skype worked and everything else fell in a hole.  Simple maths.
I don't think this WG's or standard's intent should be to strive for the
highest popularity, market share or for making big money.

This is the path e.g. Mozilla chose at a certain point and that's why
the nowadays sell the interests/security/freedom of their users by
making all kinds of questionable choices.

OpenPGP already has a user base who likes its current philosophy. If we
can improve things so that we get more users, great, but not at the
expense of the current user base.


> > The biggest "usability" problem we likely have nowadays in crypto is
> > that people would need to understand what they do and mutually
> > authenticate each other.
> Well, right.  Systems that try and "authenticate" each other are 
> typically usability nightmares.
I don't even think there's a usability problem from the software side.
The point is simply: people don't want to do the verification step,
regardless of how nicely the software assists that process.


>   Change the paradigm.
Well, if you have a crypto system which is secure and doesn't need
mutual authentication or some exchange of data on a secure path... just
tell us.
Apart from that, if you change the paradigm you rather end up at
something like X.509 where the responsibility for the trust is delegated
to some other party (which usually gives a sh** about that).


> > Apart from that we have quite nice UIs at all levels, don't we?
> > gnupg is actually quite nice for people who want to use command line, we
> > have fine tools like enigmail.
> Not for the masses, sorry, not of any interest.
Just speak for yourself... =)


> MD5 was deprecated in 1995
and is still used even in security critical fields...

> If they're using SHA1, then 
> they'd better be sure it ain't a collision risk (I do and it isn't) and 
> if goes full belly up they still won't be in trouble.
git


> Very few users - the masses - rush out and say "I wanna six-pack o' 
> crypto and 3 jars of authentication with some random side orders..."
But why then prioritising those who don't even care? 



> > So if diversity enhances security or at least allows one to switch more
> > easily in case it gets necessary (which of course you disputed above),
> > then it benefits the user by helping with his original goal (being
> > secure).
> Yeah, sure.  Just doesn't work in practice, and doesn't work in theory, 
> if we actually think about how it is supposed to work.
Any proofs for this claims?
We have e.g. OpenPGP which uses multiple algos and that works quite
well.


> >> Well, sure, on paper.  But if you had a process to switch then you could
> >> also ... use that process to switch!  Why not just roll out v+1 ?
> > How long does it usually take us to roll out v+1? Take SSL/TLS, how many
> > years have SSL still been used while it should have not? The same for
> > MD5, the same for RC4, and so on.
> I measured a 3.5 years OODA cycle for the first big SSL oops.  I haven't 
> been following the others but I have a feeling they've got a lot faster.
You think? I kinda remember that when the first papers came out about
the CBC issues or the compression oracles, the responsible engineers
said this was just theoretical.
Then we saw BEAST.

Or we had CRIME, and after it was fixed for SPDY, not really much
happened immediately (even though the authors already warned that this
would also work in general)... and... surprise... BREACH.


> Point is however, it's still all ad hoc.  We don't actually know what 
> we're going to be switching, and pretty much each time it is a download 
> / reinstall.
Well the download/reinstall is the least of the problems.
It's rather the standardisation/development.
And if we follow the original paradigm that was claimed here, and around
which all our discussion is motivated, and implement just single
security paradigms/alogs, it won't for sure get easier to exchange
something once necessary.


Cheers,
Chris.