[Cryptography] Signal planning to drop support for plaintext SMS

Mon Oct 31 12:44:42 EDT 2022

On Oct 31, 2022, at 7:30 AM, John Denker <jsd at av8n.com> wrote:
> 
> I hate to flaunt my ignorance, but when and where did that
> principle originate? I don't recall seeing it in "old school"
> sources, such as Kerckhoffs's six principles ... or even in
> more modern authoritative sources such as Executive Order
> 13526.

I checked with Professor Duck Duck Go, and the NIST definition cites glossary CNSSI 4009. The concept dates back to electromechanical crypto.

Like most really strong security measures today, it’s used judiciously in strong secirity systems and ignored in generic commercial products. 

> Does this principle mean that I am required to use separate
> browsers for HTTPS: and HTTP: urls? What about FILE: urls?
> What happens if an HTTPS: page links to an HTTP: page? Or
> vice versa?

In the olden days of the Web, crypto was used out of desperation. It was too expensive to deploy everywhere. Things are better with more powerful processing. The “HTTPS Everywhere” idea probably isn’t driven by the red/black concept, but it’s a benefit. 

I’ve seen at least one browser warning saying “Web site is not encrypted. Visit anyway?” or something like that. I love it. 

> What happens if there is an explicit decision to declassify
> something (perhaps with redactions)?

I haven’t transferred a ’clean’ classified document to an unclassified environment in a couple decades. Back then we had classified and unclassified things on separate computers and networks (think red/black). Most transfers used carefully sanitized removable storage. Some sites had guard systems that could move data electronically between classified and unclassified, but the movement was heavily restricted and carefully checked for validity. 

> My point is, using two different apps, as if that were a
> substitute for judgment, is a huge step in the wrong direction.

It depends on your user community. If they are all serious security experts who never make mistakes, then by all means trust their judgement. I rely heavily on several security-oriented inconveniences because I’m old and forgetful instead of young and forgetful. 

> A "principle" that requires two different apps is even worse.

If we are using the word “app” to refer to the user experience, then I strongly disagree. There needs to be a distinct visual difference between a ‘critically secure’ activity and a less-significant one. For example, most browsers today always show a padlock whether the web page is SSL/TLS protected or not. If unprotected, the padlock is crossed out. I don’t mind this myself since I’ve been looking for the padlock for a long time now. 

On iOS and Android, separate ‘apps’ run in separate storage contexts. This is about as much ‘red black separation’ as I expect to see in security-conscious commercial software. 

Rick. 