[Cryptography] What is a secure conversation? (Was: online forums...)
ianG
iang at iang.org
Sun Dec 29 23:56:39 EST 2013
On 27/12/13 14:46 PM, Jerry Leichter wrote:
> On Dec 27, 2013, at 2:03 AM, ianG wrote:
>> Another issue with content is having it escrowed. Does it sit on the laptop mail client forever? Or can we put a timer in that wipes it?
> Well, I have a copy of every message I've received since I joined this list. On multiple machines, backed up multiple times, in fact. Deleting them all would be extremely difficult, even if I wanted to.
I forgot to mention that content should be encrypted in flight, at least
point to point :)
>> Who said what? If all the posters are benign, and one calls for worldwide cryptographic jihad, the attacker wants details on the target... perhaps to offer her a job, privately.
> Related to this, I've been conducting an inadvertent experiment on this list for the last week or so. As part of an experiment (which I described) to determine how hard it was to enable S/MIME in Apple's Mail.app, I got a client cert from Comodo and installed it on one of two laptops I use on a regular basis. It turned out not to do anything ... until I had reason to restart Mail.app. Ever since then, it's been signing my outgoing mail - including mail I send to this list. So about half my recent mail is signed - and half isn't. Have any of you noticed? Have you ascribed any different significance to signed vs. unsigned messages?
Mailing lists typically strip attachments, which is what S/MIME uses.
Because of malware. Which some think x509 is...
OpenPGP uses cleartext sigs to get around that and they work nicely.
But something went wrong on the way to deployment with S/MIME, they
never got around to re-engineering to fix it, in oh so many ways.
>> Which leads to an obvious split in individual protections: anonymous or pseudonymous? That is, is each post by Alice recognisably from her, or is each post unlinked?
> A valid distinction - but an *individual* distinction, not a *list* distinction. I clearly use a pseudonym while we can all know who "ianG" is. :-)
Well, if it was that easy remailers would be trivial. The thing is, if
I don't want to be iang, today, it's harder. And if I want to be 'anon'
it's harder still.
But, the hards are also at the list level. Each post of the list
includes various metadata which gives the fingerprint. The From is a
real give away, but other things too:
Received: from tormenta.local (skaro.afraid.org [212.169.1.61])
by virulha.pair.com (Postfix) with ESMTPSA id 695B66D484;
Thu, 26 Dec 2013 03:58:06 -0500 (EST)
Asserts I'm on the other end of an ADSL in Britain. Personally, I found
that terrible... not only because if I want to be Alice tomorrow, you'll
pretty quickly figure out that Alice is a very close friend.
Why does being part of a conversation mean that I'm allowing anyone in
the world to track my whereabouts? This is privacy like Bitcoin, where
doing a transaction means everyone gets to share it, and the only
barrier is a little traffic analysis...
>> Moderator. We should really model the moderator as an attacker. Call her Trinity as a ttp. What happens if she starts drifting the conversation towards ... oh, encouraging the IETF to standardise on DUAL_EC? Her easy attack is to drop posts, so we might want to browse that which was censored.
> This doesn't seem like a good attack mechanism, at least not against *this* list: The moderation is very light, and usually accompanied by a personal or public message explaining why a message is being dropped. Any significant change - as in trying arbitrarily drop all messages with a particular theme - would be noticed.
>
> There are other lists where such an attack might work better, but on such lists it probably wouldn't be as effective.
Well, if everyone is on their guard. Remember the poor dear users, who
are not used to this sort of thing. The attack can be even as benign as
google's attack on your daughter's gmail account, by noticing her search
for pregnancy tests and spiking the ads with baby products (cf. the
infamous Target case).
> I suppose you could say that much Chinese censorship of the Web is this attack "in the (very) large". But of course that censorship's not at all a secret.
The best attacks are the ones we can say afterwards "but hey, you knew
we were doing that ..."
>> Trinity might also start mitm'ing, by actively sending messages out to people that don't go to others. So we might want to know that all messages got to everyone, and no selective conversations are happening.
> Nice. Beyond that, we also want to know that *the same* messages got to everyone. Members could periodically publish a hash representing all the contents they've seen.
More shades of Bitcoin mechanics. I'll bet there are a few groups in
that world trying to hijack the blockchain for sending idle chat :)
They're trying everything over there...
One sometimes sees odd posts with gaps in conversations here, my attempt
to deal with this is adding the CCs, so there are duplicates floating
around.
> But: For a mailing list and most other mechanisms, you can't require that they were received in the same order, much less at the same time. Because of retries if nothing else, you can't even require they were *sent* in exactly the same order, at the same time. And yet there are situations where playing around with the order of messages might constitute a useful attack. It would be interesting to formalize some checkable bounds on how much variation is allowed. Note that acceptable variation in order makes it harder to define an appropriate checksum - as, for mail, does legitimate variation in Received lines, other header information, and perhaps even content: MTAs have been known to play various games with what they consider the irrelevant formatting of mail (I'm looking at you, Exchange - though you're certainly not alone).
Right. You sometimes see that effect in chat clients, where chat
messages overtake.
iang
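Jerry's suggestion above that members periodically publish a hash of everything they have seen, together with his caveat that Received lines, header folding and delivery order legitimately differ between copies, as an added example (not code from either poster or from the list software): an order-independent digest over canonicalised messages, so two members can compare views and identify a post that only one of them received. The `VOLATILE` header set, the function names and the sample messages are constructed for this example.

```python
import email
import hashlib
from email import policy

# Headers that each hop or recipient adds or rewrites; dropped so that two
# members' copies of the same post hash identically. (Assumed set.)
VOLATILE = {"received", "delivered-to", "return-path", "x-original-to",
            "dkim-signature", "authentication-results"}

def canonical_message(raw: bytes) -> bytes:
    """Reduce an RFC 5322 message to the parts every member should share."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # keep non-volatile headers, lower-cased, whitespace collapsed, sorted
    headers = sorted(f"{k.lower()}: {' '.join(str(v).split())}"
                     for k, v in msg.items() if k.lower() not in VOLATILE)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    # normalise line endings and trailing whitespace an MTA may have changed
    lines = [ln.rstrip() for ln in text.replace("\r\n", "\n").split("\n")]
    return ("\n".join(headers) + "\n\n" + "\n".join(lines).rstrip()).encode()

def message_digest(raw: bytes) -> str:
    return hashlib.sha256(canonical_message(raw)).hexdigest()

def view_digest(messages) -> str:
    """Order-independent digest of everything one member has seen."""
    per_message = sorted(message_digest(m) for m in messages)
    return hashlib.sha256("\n".join(per_message).encode()).hexdigest()

def diff_views(mine, theirs):
    """Per-message digests present in only one of the two views."""
    a, b = set(map(message_digest, mine)), set(map(message_digest, theirs))
    return a - b, b - a

# Constructed sample (not real list traffic): one post as delivered to two
# members, each with its own Received trail and one with the Subject re-folded
# by an MTA, plus a second post that only Bob received.
def _post(received: bytes, subject: bytes, msgid: bytes, body: bytes) -> bytes:
    return (received + b"From: Trinity <trinity@example.invalid>\r\n"
            b"To: list@example.invalid\r\nSubject: " + subject + b"\r\n"
            b"Message-ID: <" + msgid + b"@example.invalid>\r\n\r\n" + body)

ALICE_VIEW = [_post(b"Received: from mx1.example by alice.example; Thu, 26 Dec 2013 03:58:06 -0500\r\n",
                    b"Re: secure conversation", b"p1", b"Publish a hash of what you saw.\r\n")]
BOB_VIEW = [_post(b"Received: from mx1.example by mx2.example; Thu, 26 Dec 2013 03:58:40 -0500\r\n"
                  b"Received: from mx2.example by bob.example; Thu, 26 Dec 2013 03:59:11 -0500\r\n",
                  b"Re: secure\r\n conversation", b"p1", b"Publish a hash of what you saw.\r\n"),
            _post(b"Received: from mx2.example by bob.example; Thu, 26 Dec 2013 04:10:00 -0500\r\n",
                  b"Private aside", b"p2", b"Only Bob gets this one.\r\n")]
```

Comparing `view_digest` values is enough to notice a discrepancy; `diff_views` then names the post one side never saw, which is the selective-delivery case the thread worries about.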