[Cryptography] What is a secure conversation? (Was: online forums...)

ianG iang at iang.org
Sun Dec 29 23:56:39 EST 2013


On 27/12/13 14:46 PM, Jerry Leichter wrote:
> On Dec 27, 2013, at 2:03 AM, ianG wrote:
>> Another issue with content is having it escrowed.  Does it sit on the laptop mail client forever?  Or can we put a timer in that wipes it?
> Well, I have a copy of every message I've received since I joined this list.  On multiple machines, backed up multiple times, in fact.  Deleting them all would be extremely difficult, even if I wanted to.


I forgot to mention that content should be encrypted in flight, at least 
point to point :)

>> Who said what?  If all the posters are benign, and one calls for worldwide cryptographic jihad, the attacker wants details on the target...  perhaps to offer her a job, privately.
> Related to this, I've been conducting an inadvertent experiment on this list for the last week or so.  As part of an experiment (which I described) to determine how hard it was to enable S/MIME in Apple's Mail.app, I got a client cert from Comodo and installed it on one of two laptops I use on a regular basis.  It turned out not to do anything ... until I had reason to restart Mail.app.  Ever since then, it's been signing my outgoing mail - including mail I send to this list.  So about half my recent mail is signed - and half isn't.  Have any of you noticed?  Have you ascribed any different significance to signed vs. unsigned messages?


Mailing lists typically strip attachments, which is what S/MIME uses. 
Because of malware.  Which some think x509 is...

OpenPGP uses cleartext sigs to get around that and they work nicely. 
But something went wrong on the way to deployment with S/MIME, they 
never got around to re-engineering to fix it, in oh so many ways.


>> Which leads to an obvious split in individual protections:  anonymous or pseudonymous?  That is, is each post by Alice recognisably from her, or is each post unlinked?
> A valid distinction - but an *individual* distinction, not a *list* distinction.  I clearly use a pseudonym while we can all know who "ianG" is.  :-)


Well, if it was that easy remailers would be trivial.  The thing is, if 
I don't want to be iang, today, it's harder.  And if I want to be 'anon' 
it's harder still.

But, the hards are also at the list level.  Each post of the list 
includes various metadata which gives the fingerprint.  The From is a 
real give away, but other things too:

Received: from tormenta.local (skaro.afraid.org [212.169.1.61])
	by virulha.pair.com (Postfix) with ESMTPSA id 695B66D484;
	Thu, 26 Dec 2013 03:58:06 -0500 (EST)

Asserts I'm on the other end of an ADSL in Britain.  Personally, I found 
that terrible... not only because if I want to be Alice tomorrow, you'll 
pretty quickly figure out that Alice is a very close friend.

Why does being part of a conversation mean that I'm allowing anyone in 
the world to track my whereabouts?  This is privacy like Bitcoin, where 
doing a transaction means everyone gets to share it, and the only 
barrier is a little traffic analysis...


>> Moderator.  We should really model the moderator as an attacker.  Call her Trinity as a ttp.  What happens if she starts drifting the conversation towards ... oh, encouraging the IETF to standardise on DUAL_EC?  Her easy attack is to drop posts, so we might want to browse that which was censored.
> This doesn't seem like a good attack mechanism, at least not against *this* list:  The moderation is very light, and usually accompanied by a personal or public message explaining why a message is being dropped.  Any significant change - as in trying to arbitrarily drop all messages with a particular theme - would be noticed.
>
> There are other lists where such an attack might work better, but on such lists it probably wouldn't be as effective.

Well, if everyone is on their guard.  Remember the poor dear users, who 
are not used to this sort of thing.  The attack can be even as benign as 
google's attack on your daughter's gmail account, by noticing her search 
for pregnancy tests and spiking the ads with baby products (c.f., the 
infamous Target case).


> I suppose you could say that much Chinese censorship of the Web is this attack "in the (very) large".  But of course that censorship's not at all a secret.


The best attacks are the ones we can say afterwards "but hey, you knew 
we were doing that ..."

>> Trinity might also start mitm'ing, by actively sending messages out to people that don't go to others.  So we might want to know that all messages got to everyone, and no selective conversations are happening.
> Nice.  Beyond that, we also want to know that *the same* messages got to everyone.  Members could periodically publish a hash representing all the contents they've seen.


More shades of Bitcoin mechanics.  I'll bet there are a few groups in 
that world trying to hijack the blockchain for sending idle chat :) 
They're trying everything over there...

One sometimes sees odd posts with gaps in conversations here, my attempt 
to deal with this is adding the CCs, so there are duplicates floating 
around.


> But:  For a mailing list and most other mechanisms, you can't require that they were received in the same order, much less at the same time.  Because of retries if nothing else, you can't even require they were *sent* in exactly the same order, at the same time.  And yet there are situations where playing around with the order of messages might constitute a useful attack.  It would be interesting to formalize some checkable bounds on how much variation is allowed.  Note that acceptable variation in order makes it harder to define an appropriate checksum - as, for mail, does legitimate variation in Received lines, other header information, and perhaps even content:  MTA's have been known to play various games with what they consider the irrelevant formatting of mail (I'm looking at you, Exchange - though you're certainly not alone).


right.  You sometimes see that effect in chat clients, where chat 
messages overtake.



iang
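
The "publish a hash of everything seen" idea discussed in the thread above, as an added example that is not part of the original post or of any list software. It assumes single-part text mail and a canonical form chosen here (Message-ID, From, Subject and whitespace-normalized body, with Received lines ignored); all function names and sample messages are constructed for illustration.

```python
import hashlib
from email import message_from_string

def canonical_digest(raw):
    """(Message-ID, SHA-256) over the parts every recipient should see identically."""
    msg = message_from_string(raw)
    # Assumption: single-part text mail. Received lines and other hop-specific
    # headers are deliberately left out; trailing whitespace and CRLF are normalized.
    lines = [ln.rstrip() for ln in msg.get_payload().replace("\r\n", "\n").split("\n")]
    while lines and not lines[-1]:
        lines.pop()
    h = hashlib.sha256()
    for field in (msg["Message-ID"], msg["From"], msg["Subject"], "\n".join(lines)):
        data = (field or "").strip().encode("utf-8")
        h.update(len(data).to_bytes(8, "big"))  # length prefix keeps fields unambiguous
        h.update(data)
    return (msg["Message-ID"] or "").strip(), h.hexdigest()

def view_digest(raw_messages):
    """Order-independent digest of one member's mailbox; duplicates (CC copies) collapse."""
    per_msg = sorted({d for _, d in map(canonical_digest, raw_messages)})
    return hashlib.sha256("".join(per_msg).encode("ascii")).hexdigest()

def diff_views(a, b):
    """On a mismatch, compare per-message digests to find what was dropped or altered."""
    da, db = dict(map(canonical_digest, a)), dict(map(canonical_digest, b))
    return {"only_a": sorted(da.keys() - db.keys()),
            "only_b": sorted(db.keys() - da.keys()),
            "altered": sorted(k for k in da.keys() & db.keys() if da[k] != db[k])}

def mk(mid, body, hop, eol="\n"):
    """Build a constructed sample message (not real list traffic)."""
    hdrs = [f"Received: from {hop}", f"Message-ID: <{mid}@example.invalid>",
            "From: poster@example.invalid", "Subject: [list] sample"]
    return eol.join(hdrs) + eol + eol + body.replace("\n", eol)

# Constructed views: Bob sees a different order, other hops, CRLF and a CC duplicate.
ALICE = [mk("m1", "first\n", "hop-a"), mk("m2", "second\n", "hop-a"), mk("m3", "third\n", "hop-a")]
BOB = [mk("m3", "third  \n", "hop-b", "\r\n"), mk("m1", "first\n", "hop-b"),
       mk("m2", "second\n", "hop-b"), mk("m1", "first\n", "hop-c")]
# Carol was sent an altered m2 and never received m3.
CAROL = [mk("m1", "first\n", "hop-d"), mk("m2", "second, edited\n", "hop-d")]

if __name__ == "__main__":
    print(view_digest(ALICE) == view_digest(BOB), diff_views(ALICE, CAROL))
```

Sorting the per-message digests sidesteps the ordering problem raised in the thread but also hides reordering, so a check on message order would need a separate mechanism.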

