[Top] [All Lists]

Re: [openpgp] New encryption formats for messaging

2015-03-23 20:03:33
On 23/03/2015 19:59 pm, Christoph Anton Mitterer wrote:
On Mon, 2015-03-23 at 18:12 +0000, ianG wrote:
On 18/03/2015 23:38 pm, Christoph Anton Mitterer wrote:
Looking at the context you come from (Yahoo) I must note, that the big
players seem to have discovered security recently ... o.O
Hmmm... so our technique is to punish people for wanting to improve.
Where did I "punish" someone and/or where is my observation wrong?

Yahoo and google are at the forefront of secure email delivery. They are trying something nobody else has got anywhere near - so I don't see how they can be called laggards.

(Assuming that is we debunk the joke of security known as S/MIME... which was deployed but was crippled by committee-design.)

New to some, but it has a long history:  Kerckhoffs' 6th principle:

"6. Finally, it is necessary, given the circumstances that command its
application, that the system be easy to use, requiring neither mental
strain nor the knowledge of a long series of rules to observe."

Writing about cryptography communications systems in 1883.

I think this is simply wrong.  This is no principle.  TOFU has proved
Then we can probably abolish fingerprints verification in the next
versions of OpenPGP implementations altogether,... if TOFU works, why
should anyone bother to check their keys o.O

The essence of TOFU is that it works in default mode, and gives you tools to do better if you so desire. Now, of course, the concept works so well that one never bothers to check for the most part, so fingerprint verification could be dropped and would still provide more security than not using it. Which is the goal. So what you suggest is not incompatible with the goal.

But the PGP community came from a different age, so they do often check. Add, they have turned it into a ceremony, one that binds the community at least for the time of the 'party'. So I doubt we'll get rid of it just because it's only adding one more 9 to the 99.909% good enough.

If you don't want to use it, that's fine, but the notion that
it's "not secure" is simply rubbish because security is a relative risks
thing, not an absolute thing, and it is extremely unlikely
I kinda amused every time security based on such assumptions.

What other basis is there for security other than risk?

Some 5 years ago, the masses still thought that they're not victims of
mass surveillance and that their emails and data would be safe.

Yup, and the vendors figured that the masses aren't important enough to provide security. Go figure. As you point out, Yahoo is late to the game. But Mozilla and Microsoft have always been emotionally contorted over it, and google has only recently started being serious, before there mantra was "all your data base belong to us'. The only player that was ever serious about *the user* was Apple.

And they *all* promote the security-barrier called PKI/x.509, which delivers to compliance customers, and distracts from overall security by selling a tired old cold war military model as something to protect banks from phishing. Go figure.

Nowadays people think that TOFU would provide high security and that NSA
and friends would never dare to abuse that...

Bring it on. The point of improving security is to get from here to there, and actually improve the result. Those who push the old 'perfect security models' mantra typically end up with an extremely narrow set of compliance customers, or nothing. E.g., SSL.

Here in the PGP community we are *not interested in compliance* so much as actual ordinary users.

(Which isn't to say we don't come into connection with the compliance world; we do because business models force us there from time to time. But hearts and minds here are about real security delivered, not paper calculations.)

Empirically, I just today got my first 419 hit on Skype, which was set
up to let others see my name - their mistake on default install.  After
about a decade of usage?
Well, NSA and friends probably don't bother to attack systems like Skype
on the crypto level, one can be quite sure that they have other means
for these =)

Well, we know they now have direct access.  No need to speculate.

But the fact remains: Skype has other than yesterday never directly harmed me. Can't say the same for email, browsing, ...

Even including the notion that Microsoft now copies it all to the NSA,
that's still only 4 parties with capability to connect to me:  Me, my
friends, Microsoft and NSA.
uhm... great? o.O

So, what's my risk? Microsoft (yawn). NSA could get narked at my repeated jabs at their Stasi behaviour, and stop me at the border. Grab my skype records and accuse me of naughty behaviour. OK, I'll take that risk.

Meanwhile: I've actually lost non-trivial fortunes because my counterparties turned around and attacked me. I'm bombarded every day with spam. I have to train my family in phishing because the browser vendors don't react or when they react, they PKI-me-harder rather than looking at the information being rendered to my mother.

Granted, if I worked at a Belgian ISP or SWIFT or my payments biz took off in a bad-ass way, I'd be terrified of NSA.

To be honest, Yahoo, doesn't have the best security record, and in
general I wouldn't trust any web-based crypto app regardless of who it

That being said, I agree that it shouldn't be easy to make a well
designed crypto system insecure by settings - but not if this means that
one takes away valid functionality from the more experienced users.

Why do you prioritise "experienced users" above the lesser experienced?
   Do they pay more money?  Is this the Church Of BOFHs?  Do they pay
their dues by helping others?  From your writings it seems unlikely...
Actually I don't. I just don't prioritise lesser experienced users over
experienced ones.
What I prioritise is the intention of crypto, which is security.

Security is only measured by delivered results. Let's say you improve the lot of the experts by offering them cipher suites to choose from. Hypothetically that improves the 0.1%, those that actually know what those words mean. OK, 1 billion browser users, that would say about 1 million know what a cipher suite is. Exaggerated, but let's see where this goes.

Let's say we double their utility.

But, putting in vanity ciphers as we used to call them causes complexity. A lot of problems in SSL would sweep away if we cut that crap out. E.g., Heartbleed and somewhere it was claimed $500m costs... So, let's say this all costs 1% for the masses.


Security = 1,000,000 * 2 + 1,000,000,000 * 0.99

Guess what?  Only the security delivered to the masses matters.

Which is why Skype worked and everything else fell in a hole.  Simple maths.

b) Why should there be only one?
I think its a wrong assumption that code will become more secure by
supporting less algos/systems.
If a project cannot develop/maintain more of them securely it's rather a
sign for lack of funding/manpower.
Ah.  So you see that handling more algorithms is a cost for big
companies to meet and therefore a barrier to entry which makes for less
choice and eventual balkanisation.  What about opportunity cost - time
spent managing and debugging algorithms that are rarely if ever used -
could be better spent on getting more usability?
The biggest "usability" problem we likely have nowadays in crypto is
that people would need to understand what they do and mutually
authenticate each other.

Well, right. Systems that try and "authenticate" each other are typically usability nightmares. Change the paradigm.

Apart from that we have quite nice UIs at all levels, don't we?
gnupg is actually quite nice for people who want to use command line, we
have fine tools like enigmail.

Not for the masses, sorry, not of any interest.

I somehow have the feeling, that for many people "usability" means not
noticing crypto at all, but I guess that just won't work.


(Sad to say, it got rolled before it was sold to Microsoft, and the NSA got their dream entre. Oh well -- like we say, there's no such thing as a complete security model ... there's always a way around.)

But in an elegant way, that provded the K6 hypothesis. Skype was so darn successful that the NSA had to 'buy' its way in, breach the company.

GSM - killed the serious risk dead, which was the paparazzi listening in to the famous doing sex talk. And nobody noticed!

That argument didn't work.  Basically when ever a problem was found, it
couldn't be solved by an algorithm switch, 9 times out of 10.  The one
time that a problem was found, it was solved by ... a switch *backwards*
to RC4.  Not exactly a happy result.
So problems in the alogs themselves don't count for you?

Of course they count. But, they are pretty much down the bottom of the list. Check it out, do some historical research. If you're worried about a crypt algo breaking, you ain't in the security game, you're in the cryptography game.

I.e. we could
still use MD5 since problems in it aren't solved by e.g. SHA2?

MD5 was deprecated in 1995 by SHA0. Then 3 months later SHA0 was deprecated by SHA1. I know, coz we cursed and changed.

SHA1 was deprecated in favour of SHA2 sometime early 2000s.

If anyone is using MD5 they're negligent. If they're using SHA1, then they'd better be sure it ain't a collision risk (I do and it isn't) and if goes full belly up they still won't be in trouble.

Or we should still use DES, since an algorithm switch couldn't solve
it's problems?

to channel Santayana, those who don't study their deprecation history are doomed to have their systems deprecated?

A3. Do not specify things which are infeasible to thoroughly test.
This implies avoiding combinatorial complexity, which the OpenPGPv4
spec doesn't.
As above, I doubt you can really check every combination, and I wouldn't
want to sacrifice too much, just for being able to do so - especially
not diversity of algorithms.
When has diversity of algorithms ever bought user advantage?
Nothing in that his screen becomes more colourful or that his
"experience" would be more like 4K than just HD.

So, marketing.  Getting an upgrade to earn the fee.  OK.

*If* someone does crypto, than probably because he wants to be secure.

Not really. Vendors choose crypto because of their mastery of the security model (I'm being sarcastic here, anyone who uses SSL has no clue as to the security model) and that fits into the holistic business approach.

Very few users - the masses - rush out and say "I wanna six-pack o' crypto and 3 jars of authentication with some random side orders..."

It is *myth* perpetuated by the x.509/PKI tribe that "choosing crypto" means "wanting security". This is part of the careful marketing edifice that was used to sell certs to an blase public. Because they didn't want it, some elements were forced into being embarrassed to use it, and the rest is compliance history. Also, it's part of the marketing against self-signed certificates; if users "choose" certificates it is because they "want" security which is not allowed to include MITM possibilities so we have to deny self-signed certs. Or some such sophistry.

Sorry 'bout dat!

So if diversity enhances security or at least allows one to switch more
easily in case it gets necessary (which of course you disputed above),
then it benefits the user by helping with his original goal (being

Yeah, sure. Just doesn't work in practice, and doesn't work in theory, if we actually think about how it is supposed to work.

I can think of (been told) one case:  the "Russians GOST" requirements.
   Frankly, I'm not that keen to let them do that.  If *every* government
did it, then we'd be in a pickle, and we'd not be talking to any of them
at all.  So why do we care about the Russians?
Agreed. But hopefully the whole crypto standardisation would go anyway
rather into community hands now.

Disagreeing with the "We only need two hash functions at most.".

Diversity is good (of course we should only include secure algos),
especially when one expects that each algo sooner or later sees
Well, sure, on paper.  But if you had a process to switch then you could
also ... use that process to switch!  Why not just roll out v+1 ?
How long does it usually take us to roll out v+1? Take SSL/TLS, how many
years have SSL still been used while it should have not? The same for
MD5, the same for RC4, and so on.

I measured a 3.5 years OODA cycle for the first big SSL oops. I haven't been following the others but I have a feeling they've got a lot faster.

Point is however, it's still all ad hoc. We don't actually know what we're going to be switching, and pretty much each time it is a download / reinstall.

So why not have a v+1 waiting in the wings? Each new generation is substantially better and is far more likely to cover anything uncovered.

My point isn't that is what should be done. But that right now we've go no plan. So *anything* would do better than what we had right now.


openpgp mailing list