[Cryptography] Facebook on the state of STARTTLS

Jerry Leichter leichter at lrw.com
Tue May 20 20:30:56 EDT 2014


On May 20, 2014, at 6:34 PM, Viktor Dukhovni <cryptography at dukhovni.org> wrote:
> The end-to-end security problem for email is rather non-trivial,
> because in most cases people expect their anti-virus/anti-spam
> outsourced provider to scan the message content for malware or
> spam,
This is less of a problem than it appears to be.  One of the wonderful things about email was that it allowed anyone to send email to anyone.  But as we learned, one of the terrible things about email was that it allowed anyone (including spammers) to send email to anyone.

Let's divide received mail into two buckets:  Email from someone I already know, and email from someone I don't know.  Messages in the first bucket should use a private key agreed upon between me and that other party.  A spammer can't create mail like this.  (Well, he *can*, but only by being present "inside" my correspondent, with access to his private key store.  If my correspondent is vulnerable to that kind of thing, our communication isn't secure anyway - and in fact the spam provides me with a service, as it tells me my correspondent has been compromised.)

The second bucket - the stuff from people I don't already know, has traditionally been an example of a need for asymmetric cryptography and something like a PKI:  My new correspondent gets my public key from some key store and sends me the message.  Of course then a spammer can do the same.  But there are ways to limit that if I'm willing to limit "mail from an unknown sender".  For example, that interface might only support very restricted messages - the sender has to fill in one of a small number of forms (you don't know me but I got your address from X, I also know Y who you work with, I'd like to talk to you about Z).  The receiver can then decide if he wants to talk to this person and if so negotiates a private key; subsequent messages are in the first bucket.

No, it's not the free-wheeling open email of the early Internet, but the spammers killed that a *long* time ago.

> in regulated industries employers may be required to archive
> cleartext of email,
To deal with this, you have to assume the employer can control (to at least some degree) the endpoint device and software.  Then the problem becomes fairly straightforward:  A second copy of any encrypted message is sent to the employer's archive facility, encrypted with a key the employer knows.

Nothing that's not along these general lines can possibly work.  (I personally think the regulators are fighting a losing battle here.  There was a time not so very long ago that a stockbroker, say, worked in an office, using telephone equipment provided by his firm, sending letters and later faxes and email through firm-controlled equipment.  So archiving this stuff was easy, but for a broker to "get around" the equipment and leak significant amounts of data quickly enough to matter was a significant physical challenge.

Today, alternative communications mechanisms and tons of compute power are everywhere.  I've heard of financial firms that require people to surrender their personal cell phones as they come in to work.  But that's only workable in specialized circumstances, even in the financial world.  Many of the people who've been caught of late aren't sitting in the office all day - they are out and about meeting others, and there's no way to prevent them from communicating.  The regulatory authorities are adjusting - as in recent cases where they used wiretaps - and they're going to have to continue to adjust.)

> ... and of course we still have not demonstrated
> usable human to human internet-scale key management.
You bet.  *The* big unsolved problem.
                                                        -- Jerry
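Added illustration (editor's example, not code from this thread or from either poster): the two-bucket model and the archive copy described above, as a small Python sketch. Everything in it is constructed for the example: correspondents who already know each other share a symmetric key; every message body is sealed under a fresh per-message content key, and that content key is wrapped once for the recipient's shared key and once for the employer's archive key, so the archive recovers cleartext without learning the correspondent key. Mail whose sender is not in the recipient's key table falls into the "unknown sender" bucket; mail that claims a known sender but fails authentication is rejected before the body is read. To stay standard-library only, the cipher is HMAC-SHA256 in counter mode with encrypt-then-MAC; a real client would use AES-GCM or ChaCha20-Poly1305, but the envelope structure is the point.

```python
"""Two-bucket mail sketch: shared-key authenticated mail from known
correspondents plus an archive copy wrapped for the employer's key.
Editor's example, not from the original thread; all keys, names and
message bodies below are constructed for illustration."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _derive(key: bytes, label: bytes) -> bytes:
    """Derive an independent sub-key (enc/mac) from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF-based stream cipher (stand-in for AES-CTR)."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[start:start + 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC; `aad` (e.g. the envelope header) is authenticated but not encrypted."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _keystream_xor(_derive(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_derive(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag in constant time, then decrypt; raises ValueError on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_derive(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _keystream_xor(_derive(key, b"enc"), nonce, ct)


def send_known(shared_key: bytes, archive_key: bytes, sender: str, recipient: str, body: bytes) -> dict:
    """Sender side: one sealed body, content key wrapped for recipient AND for the archive."""
    header = f"{sender}>{recipient}".encode()           # bound to every seal as AAD
    content_key = secrets.token_bytes(32)               # fresh per message
    return {
        "header": header,
        "body": seal(content_key, body, header),
        "wrapped_for_recipient": seal(shared_key, content_key, header),
        "wrapped_for_archive": seal(archive_key, content_key, header),
    }


def receive(known_keys: dict, msg: dict) -> tuple:
    """Recipient side: sort into the two buckets, rejecting forged 'known' mail."""
    sender = msg["header"].split(b">", 1)[0].decode()
    shared_key = known_keys.get(sender)
    if shared_key is None:
        return ("unknown-sender", None)                 # second bucket: no key agreed yet
    try:
        content_key = unseal(shared_key, msg["wrapped_for_recipient"], msg["header"])
        body = unseal(content_key, msg["body"], msg["header"])
    except ValueError:
        return ("rejected", None)                       # claims a known sender, fails auth
    return ("known-sender", body)                       # first bucket


def archive_read(archive_key: bytes, msg: dict) -> bytes:
    """Employer's archive recovers cleartext from its own wrapped copy of the content key."""
    content_key = unseal(archive_key, msg["wrapped_for_archive"], msg["header"])
    return unseal(content_key, msg["body"], msg["header"])


if __name__ == "__main__":
    alice_bob = secrets.token_bytes(32)                 # constructed shared key
    archive = secrets.token_bytes(32)                   # constructed employer key
    m = send_known(alice_bob, archive, "alice", "bob", b"lunch at noon?")
    print(receive({"alice": alice_bob}, m))             # ('known-sender', b'lunch at noon?')
    print(archive_read(archive, m))                     # b'lunch at noon?'
    print(receive({"alice": secrets.token_bytes(32)}, m))  # ('rejected', None)
```

Note that the recipient never sees the archive key and the archive never sees the correspondent key; both only ever unwrap the per-message content key. Tampering with the body, the header, or either wrapped key fails the tag check, which is what makes spoofed "mail from someone you know" cheap to drop.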
