[Cryptography] What is a secure conversation? (Was: online forums...)

Jerry Leichter leichter at lrw.com
Fri Dec 27 06:46:54 EST 2013


On Dec 27, 2013, at 2:03 AM, ianG wrote:
> Another issue with content is having it escrowed.  Does it sit on the laptop mail client forever?  Or can we put a timer in that wipes it?
Well, I have a copy of every message I've received since I joined this list.  On multiple machines, backed up multiple times, in fact.  Deleting them all would be extremely difficult, even if I wanted to.

> Who said what?  If all the posters are benign, and one calls for worldwide cryptographic jihad, the attacker wants details on the target...  perhaps to offer her a job, privately.
Related to this, I've been conducting an inadvertent experiment on this list for the last week or so.  As part of an experiment (which I described) to determine how hard it was to enable S/MIME in Apple's Mail.app, I got a client cert from Comodo and installed it on one of two laptops I use on a regular basis.  It turned out not to do anything ... until I had reason to restart Mail.app.  Ever since then, it's been signing my outgoing mail - including mail I send to this list.  So about half my recent mail is signed - and half isn't.  Have any of you noticed?  Have you ascribed any different significance to signed vs. unsigned messages?

> Which leads to an obvious split in individual protections:  anonymous or pseudonymous?  That is, is each post by Alice recognisably from her, or is each post unlinked?
A valid distinction - but an *individual* distinction, not a *list* distinction.  I clearly use a pseudonym while we can all know who "ianG" is.  :-)

> Moderator.  We should really model the moderator as an attacker.  Call her Trinity as a ttp.  What happens if she starts drifting the conversation towards ... oh, encouraging the IETF to standardise on DUAL_EC?  Her easy attack is to drop posts, so we might want to browse that which was censored.
This doesn't seem like a good attack mechanism, at least not against *this* list:  The moderation is very light, and usually accompanied by a personal or public message explaining why a message is being dropped.  Any significant change - as in trying to arbitrarily drop all messages with a particular theme - would be noticed.

There are other lists where such an attack might work better, but on such lists it probably wouldn't be as effective.

I suppose you could say that much Chinese censorship of the Web is this attack "in the (very) large".  But of course that censorship's not at all a secret.

> Trinity might also start mitm'ing, by actively sending messages out to people that don't go to others.  So we might want to know that all messages got to everyone, and no selective conversations are happening.
Nice.  Beyond that, we also want to know that *the same* messages got to everyone.  Members could periodically publish a hash representing all the contents they've seen.  But:  For a mailing list and most other mechanisms, you can't require that they were received in the same order, much less at the same time.  Because of retries if nothing else, you can't even require they were *sent* in exactly the same order, at the same time.  And yet there are situations where playing around with the order of messages might constitute a useful attack.  It would be interesting to formalize some checkable bounds on how much variation is allowed.  Note that acceptable variation in order makes it harder to define an appropriate checksum - as, for mail, does legitimate variation in Received lines, other header information, and perhaps even content:  MTAs have been known to play various games with what they consider the irrelevant formatting of mail (I'm looking at you, Exchange - though you're certainly not alone).

                                                        -- Jerry
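
The "hash representing all the contents they've seen" idea from the message above, as an added sketch that is not part of the original post: each message is reduced to a canonical form that ignores Received lines and line-ending or trailing-whitespace changes, and the per-member digest is taken over the sorted set so arrival order does not matter. The list of stable headers, the whitespace rules, the single-part text bodies and all helper names are assumptions of this example; because it ignores order entirely, it detects dropped or altered posts but not reordering.

```python
import hashlib
from email import message_from_string

# Headers assumed identical for every subscriber (an assumption of this sketch).
# Received and other per-hop headers are deliberately excluded.
STABLE_HEADERS = ("Message-ID", "From", "Date", "Subject")

def canonical_digest(raw):
    """Return (message_id, sha256 hex) over a canonical form of one text message."""
    msg = message_from_string(raw)
    head = [f"{h.lower()}:{' '.join((msg.get(h) or '').split())}" for h in STABLE_HEADERS]
    # Normalise line endings and trailing whitespace, which MTAs may rewrite.
    body = [ln.rstrip() for ln in msg.get_payload().replace("\r\n", "\n").split("\n")]
    while body and not body[-1]:
        body.pop()
    canon = "\n".join(head) + "\n\n" + "\n".join(body)
    return (msg.get("Message-ID") or "").strip(), hashlib.sha256(canon.encode()).hexdigest()

def view(raw_messages):
    """Map Message-ID -> canonical digest for everything one member has seen."""
    return dict(canonical_digest(r) for r in raw_messages)

def view_digest(v):
    """Order-independent digest a member could publish: hash the sorted pairs."""
    h = hashlib.sha256()
    for mid, digest in sorted(v.items()):
        h.update(f"{mid} {digest}\n".encode())
    return h.hexdigest()

def compare(a, b):
    """Return (ids only in a, ids only in b, ids in both whose content differs)."""
    differ = sorted(m for m in a.keys() & b.keys() if a[m] != b[m])
    return sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys()), differ

def sample(n, body, hop, eol="\n"):
    """Build a constructed test message; addresses and hosts are placeholders."""
    lines = [f"Received: from {hop}", f"Message-ID: <{n}@example.org>",
             "From: alice@example.org", "Date: Fri, 27 Dec 2013 10:00:00 +0000",
             f"Subject: post {n}", "", body, ""]
    return eol.join(lines)

if __name__ == "__main__":
    alice = view(sample(n, f"text {n}", "mx1.example.net") for n in (1, 2, 3))
    # Same posts, but different arrival order, relay and line endings.
    bob = view(sample(n, f"text {n}  ", "mx9.example.com", "\r\n") for n in (3, 1, 2))
    # One post altered in transit, one never delivered.
    carol = view([sample(1, "text 1", "mx1.example.net"), sample(2, "text 2!", "mx1.example.net")])
    print(view_digest(alice) == view_digest(bob), compare(alice, carol))
```

When two published digests disagree, exchanging the per-message maps and running `compare` narrows the mismatch to specific Message-IDs.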


