Another entry in the internet security hall of shame....

Steven M. Bellovin smb at cs.columbia.edu
Fri Aug 26 11:41:42 EDT 2005


In message <20050826082432.GA1797 at bitchcake.off.net>, Adam Back writes:
>That's broken, just like the "WAP GAP" ... for security you want
>end2end security, not a secure channel to a UTP (untrusted third
>party)!
>

What is security?  What are you trying to protect, and against whom?

I use Jabber extensively, and I utterly rely on the SSL encryption to 
the server.  I sometimes use end-to-end GPG encryption, but only when I 
need to discuss something very private.  In general, I don't bother, 
because of my threat model.

The biggest threat I face, in many situations, is people eavesdropping 
on my wireless link, or playing ARP-spoofing games on my wired link.
SSL to the server combats that nicely.  (I run psi, because it's the 
only open-source client I've found that actually checks the server's 
certificate against a pre-configured list.  I have no idea what the 
default list is, since I just replace it with my own...)

I'm not particularly worried about the server end.  I and most of my 
Jabber correspondents use one of about four different Jabber servers.  
I run one myself; the other three are also very tightly administered.  
Sure, there could be a problem with any of them; given how bad typical 
endpoints are today, I'd guess that the servers are actually safer.

I'm not even slightly worried about eavesdropping on the backbone.  
I assume NSA can do that if they really want to.  But I *know* that 
it's hard enough that they're not going to waste their time without a 
reason, and I doubt if my IM conversations are high enough on their 
list.  (They're pretty boring, as a rule...)

I'm much more worried about implementation bugs.  A previous version of 
psi had the bad habit of silently falling back to unencrypted mode if 
it couldn't find the local crypto library, and due to some glitches in 
my environment this could happen fairly easily.  I was forced to resort 
to firewalling the unencrypted port on my machines...  (The 
implementation has since been changed to make that failure much less 
likely.)

If you don't trust your (or your correspondents') IM servers, it may be 
a different situation.  I haven't read Google's privacy policies for 
IM; if it's anything like gmail, they're using automated tools that 
look at your messages and add to your behavioral profile.  As Peter 
said, though, you can always run your own server or find one that you 
do trust.  The protocol itself is quite nice, and was designed with
due attention to privacy.  (Aside: the Jabber RFCs were some of the 
best I dealt with while I was Security AD.  They were remarkably easy 
to read, given their length and the complexity of the protocol.)

Do I support e2e crypto?  Of course I do!  But the cost -- not the 
computational cost; the management cost -- is quite high; you need to 
get authentic public keys for all of your correspondents.  That's 
beyond the ability of most people.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
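An added illustration of the two client behaviours the message praises (checking the server's certificate against a pre-configured list, and failing closed rather than silently falling back to plaintext). This is example code, not psi's or Bellovin's; the host name, certificate bytes and pin are constructed.

```python
import hashlib
import hmac
import socket
import ssl


class PinMismatch(Exception):
    """Raised when the server certificate is not in the pre-configured list."""


# Constructed stand-in for a DER-encoded server certificate (not a real cert).
SAMPLE_CERT_DER = b"constructed-der-bytes-for-jabber.example"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


# The pre-configured list: host -> expected fingerprint (constructed value).
PINS = {"jabber.example": fingerprint(SAMPLE_CERT_DER)}


def check_pin(host: str, der: bytes, pins: dict) -> bool:
    """Accept the certificate only if it matches the pin recorded for host.

    An unknown host is a failure, not a pass: there is no default list to
    fall back on, which is the property the message relies on."""
    expected = pins.get(host)
    if expected is None:
        raise PinMismatch(f"no pin configured for {host}")
    if not hmac.compare_digest(fingerprint(der), expected):
        raise PinMismatch(f"certificate for {host} does not match its pin")
    return True


def connect_pinned(host: str, port: int, pins: dict) -> ssl.SSLSocket:
    """Open a TLS connection and verify the pin before any data is sent.

    Every failure raises; the function never returns a plaintext socket,
    so a missing or broken TLS setup cannot silently downgrade the session."""
    ctx = ssl.create_default_context()
    # Trust comes from the pin, not from the CA store; hostname still goes out as SNI.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    tls = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    try:
        check_pin(host, tls.getpeercert(binary_form=True), pins)
    except PinMismatch:
        tls.close()
        raise
    return tls
```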



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com