Hagai Bar-El

...
Well, I can't implement it :) It's so trivial,
it's all there ... but the people who *own* the
S/MIME applications and emailers don't subscribe
to the vision. (Or at least, my experiences in
discussing this with one application group, the
Thunderbird people, have been unfruitful.)

So nice as it is, it isn't going to happen.
Sorry to get your hopes up!

I've been using PGP for over 10 years now,
and it's not been an issue, you just burn
your current setup and start again.

Introducing automatic encryption with
email is (I claim) trivial. It won't
happen of course, but it is trivial to
do. Here's how.
1. all email clients generate their
keys on demand.
2. public keys are sent at end of
emails.
3. public keys received are cached with
the name in the address book.
4. auto-encryption to those emails where
the keys are cached.
5. show the fingerprint of the key on
the chrome.
END OF STORY. The funny thing is that
almost all the code is already in place.
(snip)

What's the risk? Someone gets MITM'd. It
would be like one in a million. What's the
benefit? The million.

--
Ian G wrote:

1. all email clients generate their keys on demand.
2. public keys are sent at end of emails.
3. public keys received are cached with the name
in the address book.
4. auto-encryption to those emails where the
keys are cached.
5. show the fingerprint of the key on the chrome.

What you are describing is close to Crypto Kong built
into the email client, Crypto Kong as Thunderbird
extension, but with key fingerprints in place of Zooko's
triangle.

Of course, as an extension, it is of limited value -
network effects. Handier if everyone uses it, and those
of them that do not need to use it don't know or care
that they are using it. (Which would probably require
encryption off by default, public keys and signature
sent in header on by default.)

Crypto Kong was written back before we had a popular
environment supporting extensions, and contains Zooko's
triangle before it was so lucidly explained by Zooko.

Probably needs a total rewrite to move it to being an
extension. Management of all those keys and the
relationship of keys to identities and documents
requires a fair bit of database code - the Crypto Kong
database has five tables containing 24 fields linked by
four relationships. Moving this to Thunderbird would
require linking to its existing database of documents,
and Thunderbird's existing database of documents and
identities is not well documented to my knowledge.
(snip)

Crypto Kong uses a signature to ensure message integrity
of encrypted messages as well as to prevent MITM
attacks. Without message integrity, its RC4 encryption
would be vulnerable to substitution attacks. Universal
signing is arguably a vulnerability, since it reduces
deniability, but if your adversary has your emails, he
probably has provenance of those emails, making denial
difficult, and if his provenance for the emails is weak,
his provenance for the nym is is weaker. Encryption
(snip)

To ensure authenticity of mail without signing - so that
the recipient can prove it is authentic, but unpleasant
people who have seized the backup of your email cannot
prove it is authentic, requires we use a different
protocol in place of email - an email like protocol
layered on top of IM, or perhaps on top of VOIP, as SMS
is layered on top of telephony.

Hostile people seizing central email records has proven
to be a major and radical problem with email, and is a
very serious concern for businesses, something they
would pay serious money to remedy. A major reason for
teleconferencing plus hand scribbled notes is to avoid
the unnecessary multiplication of dangerous records.
Observe the ongoing confrontation with the courts by
Microsoft and other deep pocketed companies over email
records.

If the central corporate authority can set everyone's
client to encrypt everything by default, and only
decrypt on demand at the client computer, this
considerably reduces the hazard from lawyers engaged in
fishing expeditions. The fisher has to troll through
each individual executive's computer, most of which,
will, alas, have suffered a recent crash, and lack
backups of critical data. The inconvenience of possibly
losing data needs to be balanced against the convenience
(snip)

Such an extension could be produced in two versions -
for sale version with corporate friendly extensions, and
an individual version for free so that people using the
corporate version would be able to have secure
conversations with anyone anywhere. (Not sure whether
the Thunderbird license permits this - how viral is it?)

On the other hand, most businesses now use mail servers
with a "lets not be too paranoid about keeping backups"
mode, so perhaps it is not worth their while to switch
to encryption. I have not been keeping track of the
problem of lawyers trolling through emails looking for
lawsuits - what remedies are corporations using these
days? What is that market like? How are lawyers
striking back? What do encryption based remedies
provide that existing remedies fail to provide?

I'm curious - is Crypto Kong compatible with PGP or > S/MIME?

Wouldn't the network effects be more surmountable if > it had been so compatible?

Message integrity is pretty much expected these days.
I don't think much of the "OTR" concept, [deniable > message integrity] as it clashes with what we know > about court procedures - denying a message is a huge > huge risk in court, and if OTR leads someone to deny > a message in court, then that could really be serious.
OTOH, I do think it is best to declare up front that > digsigs are not human sigs and have no legal intent.

Hostile people seizing central email records has > > proven to be a major and radical problem with email, > > and is a very serious concern for businesses, > > something they would pay serious money to remedy. A > > major reason for teleconferencing plus hand > > scribbled notes is to avoid the unnecessary > > multiplication of dangerous records. Observe the > > ongoing confrontation with the courts by Microsoft > > and other deep pocketed companies over email > > records.

Massive. The biggest risk for email is court > discovery. By far. And it generally happens at the > node - either yours, your opponents, or the company > servers.
Encryption may help you protect at the company nodes.
But protecting your node or your opponent's node > remains a challenge.

I have not been keeping track of the problem of > > lawyers trolling through emails looking for lawsuits > > - what remedies are corporations using these days?
What is that market like? How are lawyers striking > > back? What do encryption based remedies provide > > that existing remedies fail to provide?

Well, the high value stuff is in areas like banking / > finance / securities where all comms must be kept.
That means all emails, all voice, all chat! So on the > one hand they are fighting to keep it all, and on the > other hand they are fighting to reduce the stuff kept.
So lots of money to be had if you can talk out both > sides of your mouth :-)

Hi,
Okay, let's get to one point at a time...

At 23/05/06 23:36, Ian G wrote:

Small risk which means small expected cost, by orders
of magnitude.
Large benefit, because much cheaper deployment, by
orders of magnitude.
Orders of magnitude multipled by orders of magnitude :)

I think you got the expectancy screwed up in this calculation...
In 1/1E6 case, the case of MITM, the probability is low, but the stakes
(damage) is high.

It was a person who got a false sense of security,
trusted your system, and got screwed.

For the (1E6-1)/1E6 you are likely to get good protection, but good
protection against nothing, because there was nothing at stake, which
means you get close to zero. My initial point was that most e-mail
message do not need any security and are not put at any risk by not
being encrypted.

Of course not many messages will be MITM'ed, but not many messages are
worth it, or any protection, either...

a. There are truly very few circumstances where
a usable MITM-vulnerable system is worse than an
unusable MITM-resistant system. Kerchkoffs' 6th
principle is his most important, IMO - the system
must be usable under field conditions.

The law was written for a very specific scenario. It's a military
scenario where the average stake of a message is high.

This is not
commercial e-mail where you have one message worth, say, $100K and a
million worth absolutely nothing. You can also assume that the $100K
message senders are a bit more aware than the rest, in average, so you
can expect just a bit more of them. They are the ones by whom the
success of the system will be determined, not the masses that just send
porn links to each other.

The MITM case you will suffer is indeed one of a million, but it's
probably the only one that counts. People that encrypt messages for no
reason cannot be counted into the success rate of the system.

b. Above, there is point 5. For those who make
a risk management decision that they are concerned
with the MITM risk, they can simply phone up their
other contact and do a key exchange over the phone,
like as in PGP. The system covers the initial MITM
threat - it just asks you to do the heavy lifting
of the phone in the case where you need that.

Right, and this is why I like your method. This option is probably the
most useful one, but unfortunately, it brings us back to the
inconveniences of today's systems...

I am just afraid of the 70% or so
of the 1/1E6 who will skip step 5 because of a false sense of security...

c. You could make the case that there are people
that need MITM protection but don't know it. I
choose not to bother to protect those people,
because if they don't know, then they will do
something else which will compromise themselves,
such as install windows. (Not because I'm being
snarky or anything, just another risk management
decision.)

You see, but they (the MITM people) are your real customers, not the
masses.

The masses don't need your e-mail encryption - they are fine
enough without it.

The to-be-MITM'ed guys, the ones who do send secrets
and who are subject to MITM may not know they have to fear MITM. They
are executives, lawyers, etc., and they do not even know what MITM is.
It *is* your business to bother with them because you are designing
their solution - they trust you and your security system (hopefully for
a pay :) )

d. You could make the case that people do know
but won't do the phone-up MITM. Again, I choose
not to make the phone call for them :)

You should not do the phone for them, but you should disclaim your
system properly. "Pick up the phone and verify this number, otherwise
you are subject to an attack that can be launched with $40 cost".

e. Of course, if MITM was easy to solve, we would
solve it in the code. It's just not easy to solve.
Luckily it is so rare and so "high value" that we
can safely ignore it for the vast majority who fall
in the "low value" threats class.

My claim was that of the 1% messages that are worth encryption at all,
maybe 80% are worth a MITM.

MITM is difficult, but it's difficult when it's in real-time. E-mail
messages just lurk in your Internet-accessible mailbox for anything
between 5 minutes to five days until you pick them up. If you assume
that your opponent does not have the capability of breaking into your
POP mailbox then who exactly are you protecting yourself against?

Well, it is all about raising the bar. Are we
agreed that the system substantially raises the
bar?

Yes, it raises the bar. A generic pick-one-of-a-pile message sniffing
would become orders of magnitude harder, but I am not sure this is our
goal. It's great against wholesale surveillance, and this is a good
feature, but it's not all we're looking for.

Consider the MITM's attack. 1. he has to get
access to the wire. That means he is either an
insider, or he is mounting an active attack.
Which means the bar is already set a meter or
two above the ground.

That's the point of my previous post. He does not need access to the
wire, and he does not need to be an insider (although he could). The
attack does not even need to be on-line. He just needs access to your
mail files on the server, either by being an insider or by compromising
the server. If the key is not yet cached then he doesn't even need that
- he just needs to send the first mail with a forged "from" address.

Of course, a casual lamer running Ethereal on his laptop in Starbucks
will be helpless against this scheme, but is this whom you're using
PGP (or alike) against?

(Hmmm... I'm not sure I follow ... do you mean
that the "casual lamer" is the attacker or the
defender?)

Sorry.
The "casual lamer" was intended as the attacker. He is probably the only
one who can sniff but who cannot MITM you. I believe that a real
opponent can do both.

I agree that using your scheme will give something that is way above
the zero security that is granted today, but it is far off what
people expect when they actually turn to use encryption. For anyone
seeking "pretty good privacy" this will just provide a false sense of
security, I believe.

When they turn to use "high" security, they will
read about part 5, and phone up their contacts.

Agreed. Just make a proper disclaimer for the rest... :)

It's just like PGP. I use PGP all the time...
But I don't bother to do a key exchange except
once every 20 contacts, if that.

So do I.
Keep in mind, though, that you're still better off getting keys in
"manual" e-mails than over an automated protocol. I do not call to check
every key fingerprint either, but I would if this key would be cached
automatically.

But *I know when I need to do it*. I don't expect
PRZ to know when I need to do it. I don't expect
to blame PRZ because he didn't fix it for me.

Leave the guy alone, he was blamed enough in his life for his PGP :)

Seriously, he's not expected to, and no system is expected to, and this
is why we don't have any system that does... They all leave it to you,
and it's probably the only way to do it securely.

What's the risk? Someone gets MITM'd. It
would be like one in a million. What's the
benefit? The million.

But who is this one? This one would be the one who really needed
security, while the other million are the million messages that are
not even worth the wiretap and never needed security in the first place.

Who cares who is the one?

You should. Me also...

We're supposed to design security systems for people who need it. That's
at least what I do for a living...

We aren't responsible for the one. The one
didn't pay us. The one just wanted some
basic security, and didn't get it. The one
didn't read part 5.

Okay, I think that we will all agree that such a system is good, but
just as long as it does not create a false sense of security for that
one. People should all know that the system as it is in steps 1-4 is
only mildly safe, and anyone who really needs security should do #5.
This should probably solve our debate.

I think that it is crucial that this one knows the limits of the system,
because this one is the only one for whom the system is actually useful.
If he doesn't get it - we got nothing. That's my opinion... (You don't
care about the one who needs security and I don't care about the 1E6 who
don't...)

P.S. You would at least want to fix the situation in which the
opponent simply sends a single "Hi, what's up?" message with a fake
"from" address and his own key to his victim to get his own key
registered for any address. This is worse than a weak MITM - it's a
weak race condition... :)

Sure. Let's fix that after the first 100 users
are out there.... Let's play around with some
solutions.

Sure. Are you working on having this deployed?

The difference between SSH and SSLv2 is just that.
SSH was a fix for the password sniffing. SSLv2
was a fix for the MITM that didn't exist in SSLv1
(the cert-less variety). The difference was that
SSH exists wherever we want it, and SSL exists
only where we are so desperate we are out of
business if we don't have it.

I'm not sure about that. I find SSL very useful, not just for commerce,
also for corporate applications. It does not solve all security
problems, of course; nothing does. Yet, it does take a threat and
address it quite well. Same for SSH.

He just needs access to your mail files on the server, > either by being an insider or by compromising the > server. If the key is not yet cached then he doesn't > even need that - he just needs to send the first mail > with a forged "from" address.

The "casual lamer" was intended as the attacker. He is > probably the only one who can sniff but who cannot > MITM you. I believe that a real opponent can do both.

For example if one establishes a login that involves > > an email address, the web site setting up the > > account will usually send you an expected email.
Since the email is expected, cannot be forged, and > > establishes the keys.

It could be circumvented by malicious code on the > server, waiting for this e-mail with a new key to be > cached.

Also, imagine a case in which a spam message forged to > be coming from known bank sites, attempts to lock into > known address-book slots, such as
"reports at citibank.com". If one day you actually enroll > with Citibank your messages may be compromised, at > least for a short while until this is found out.

Small risk which means small expected cost, by orders
of magnitude.
Large benefit, because much cheaper deployment, by
orders of magnitude.
Orders of magnitude multipled by orders of magnitude :)

a. There are truly very few circumstances where
a usable MITM-vulnerable system is worse than an
unusable MITM-resistant system. Kerchkoffs' 6th
principle is his most important, IMO - the system
must be usable under field conditions.

b. Above, there is point 5. For those who make
a risk management decision that they are concerned
with the MITM risk, they can simply phone up their
other contact and do a key exchange over the phone,
like as in PGP. The system covers the initial MITM
threat - it just asks you to do the heavy lifting
of the phone in the case where you need that.

c. You could make the case that there are people
that need MITM protection but don't know it. I
choose not to bother to protect those people,
because if they don't know, then they will do
something else which will compromise themselves,
such as install windows. (Not because I'm being
snarky or anything, just another risk management
decision.)

d. You could make the case that people do know
but won't do the phone-up MITM. Again, I choose
not to make the phone call for them :)

e. Of course, if MITM was easy to solve, we would
solve it in the code. It's just not easy to solve.
Luckily it is so rare and so "high value" that we
can safely ignore it for the vast majority who fall
in the "low value" threats class.

MITM is difficult, but it's difficult when it's in real-time.
E-mail messages just lurk in your Internet-accessible mailbox for
anything between 5 minutes to five days until you pick them up. If
you assume that your opponent does not have the capability of
breaking into your POP mailbox then who exactly are you protecting
yourself against?

Well, it is all about raising the bar. Are we
agreed that the system substantially raises the
bar?

Consider the MITM's attack. 1. he has to get
access to the wire. That means he is either an
insider, or he is mounting an active attack.
Which means the bar is already set a meter or
two above the ground.

Of course, a casual lamer running Ethereal on his laptop in
Starbucks will be helpless against this scheme, but is this whom
you're using PGP (or alike) against?

(Hmmm... I'm not sure I follow ... do you mean
that the "casual lamer" is the attacker or the
defender?)

I agree that using your scheme will give something that is way
above the zero security that is granted today, but it is far off
what people expect when they actually turn to use encryption. For
anyone seeking "pretty good privacy" this will just provide a false
sense of security, I believe.

When they turn to use "high" security, they will
read about part 5, and phone up their contacts.

It's just like PGP. I use PGP all the time...
But I don't bother to do a key exchange except
once every 20 contacts, if that.

But *I know when I need to do it*. I don't expect
PRZ to know when I need to do it. I don't expect
to blame PRZ because he didn't fix it for me.

What's the risk? Someone gets MITM'd. It
would be like one in a million. What's the
benefit? The million.

But who is this one? This one would be the one who really needed
security, while the other million are the million messages that are
not even worth the wiretap and never needed security in the first place.

Who cares who is the one?

We aren't responsible for the one. The one
didn't pay us. The one just wanted some
basic security, and didn't get it. The one
didn't read part 5.

P.S. You would at least want to fix the situation in which the
opponent simply sends a single "Hi, what's up?" message with a fake
"from" address and his own key to his victim to get his own key
registered for any address. This is worse than a weak MITM - it's a
weak race condition... :)

Sure. Let's fix that after the first 100 users
are out there.... Let's play around with some
solutions.

The difference between SSH and SSLv2 is just that.
SSH was a fix for the password sniffing. SSLv2
was a fix for the MITM that didn't exist in SSLv1
(the cert-less variety). The difference was that
SSH exists wherever we want it, and SSL exists
only where we are so desperate we are out of
business if we don't have it.

The proposed system takes care of most forms of MITM. It
is vulnerable to MITM on initial establishment of
communications, which is not a problem because nothing
much is at stake during initial establishment of
communications, and there is usually some out of band
reason for establishing communications that provides an
authenticity check during initial establishment of
communications.

For example if one establishes a login that involves an
email address, the web site setting up the account will
usually send you an expected email. Since the email is
expected, cannot be forged, and establishes the keys.

More interestingly, the FBI and KGB will be helpless
against this scheme.

Suppose I start conspiring with Ian to overthrow the
state and the NSA, CIA, FBI, KGB, IRS and Mossad want to
find out what we are saying. How are they going to use
MITM to penetrate our emails if we are using this
scheme?

Similarly the payments processor scam involves a false
claim of relationship, not a false name. Everyone in
the scam uses his true email address, true website, and
his true DBA. PKI is entirely irrelevant to the payment
processor scam. To defeat the payment processor scam we
need cryptographic linkage of a communication to an
agreement between nyms, not to a nym, and the concept of
a "true" nym is entirely irrelevant.

I think you got the expectancy screwed up in this calculation...
In 1/1E6 case, the case of MITM, the probability is low, but the stakes
(damage) is high.

I'm sorry, how did you decide the stakes / damage
was high? Have you any logic or evidence to
support that?

Also, how high? It has to be *exceptionally* high
to make a difference - we are probably talking in
millions here - given that we routinely accept
MITMs of $1000 in phishing being not worth worrying
about.

It was a person who got a false sense of security,
trusted your system, and got screwed.

Nah :) My system reveals that it doesn't cover
the MITM for the first instance. If they
trusted that to, er, be the reverse of what
it said, then they *will* get screwed no matter
what system we give them.

For the (1E6-1)/1E6 you are likely to get good protection, but good
protection against nothing, because there was nothing at stake, which
means you get close to zero. My initial point was that most e-mail
message do not need any security and are not put at any risk by not
being encrypted.

LOL.... yes, this is to some extent true. If
there is no risk there is no protection needed.
Which is *precisely* what I'm arguing for MITMs.
So how do I argue the reverse for the great mass
of email users?

Of course not many messages will be MITM'ed, but not many messages are
worth it, or any protection, either...

Right, but look at the difference: We have
some good numbers for eavesdropping. Not many,
but thanks to recent news we can start to get a
picture. Something like 10m people's phone calls
in the US, and something similar in email (again,
details are spotty). We have to stab in the dark
here and make some wild estimates.

What's our numbers for MITM? I suppose we would
have to look at phishing, now, and then reduce it
for the "first opportunity MITM."
Either way - we should be able to agree that
the risk / frequency of eavesdropping is many
magnitudes over the risk / frequency of MITM.

a. There are truly very few circumstances where
a usable MITM-vulnerable system is worse than an
unusable MITM-resistant system. Kerchkoffs' 6th
principle is his most important, IMO - the system
must be usable under field conditions.

The law was written for a very specific scenario. It's a military
scenario where the average stake of a message is high.

No, I disagree. I've done military crypto, as a
field grunt, and the stakes were low. The law is
entirely applicable - in fact more applicable -
for the grunt in the field. Try scribbling a
cryptogram when it's raining, dark, your fingers
are frozen, there's mud in your eyes, your pencil
keeps slipping, and the red-covered torch under the
honcho isn't worth squat ...

This is not
commercial e-mail where you have one message worth, say, $100K and a
million worth absolutely nothing. You can also assume that the $100K
message senders are a bit more aware than the rest, in average, so you
can expect just a bit more of them. They are the ones by whom the
success of the system will be determined, not the masses that just send
porn links to each other.

Yowsa! I hope we can keep these assumptions intact
when we get to the MITM case. Coz, if the message
truly is worth $100k, did you assume that they were
allowed to run on a Windows platform? And how did
you enforce that?

The MITM case you will suffer is indeed one of a million, but it's
probably the only one that counts. People that encrypt messages for no
reason cannot be counted into the success rate of the system.

Nope. People that encrypt messages that don't
need encryption - that's a strawman. You don't
know in advance what messages need protection.
You can't even ask the user, coz she doesn't
know, and won't even know with any reliability
_after_ she sent it.
The only tractable assumption is to encrypt
everything the best you can. There is zero
merit in assuming that in advance there are
a few messages we just have to get right,
unless you happen to have a big fat contract
that specifies that.

(If you have one of those, do you feel like
sharing it?? :)

b. Above, there is point 5. For those who make
a risk management decision that they are concerned
with the MITM risk, they can simply phone up their
other contact and do a key exchange over the phone,
like as in PGP. The system covers the initial MITM
threat - it just asks you to do the heavy lifting
of the phone in the case where you need that.

Right, and this is why I like your method. This option is probably the
most useful one, but unfortunately, it brings us back to the
inconveniences of today's systems...

Well, it doesn't bring us back to the inconveniences
of today's systems, except in the 1% of cases where
people decide to do it.

Then they decide. Excellent, their choice, we now
have a system that segregates itself between people
who care, and people who'll take what they can get
for free.

I am just afraid of the 70% or so
of the 1/1E6 who will skip step 5 because of a false sense of security...

Nah, 99% at least. And, they won't do it because
of a false sense of security. They'll do it because
of risk management - it isn't worth it to them to do
that step.
(They could be wrong of course. That's another story.)

c. You could make the case that there are people
that need MITM protection but don't know it. I
choose not to bother to protect those people,
because if they don't know, then they will do
something else which will compromise themselves,
such as install windows. (Not because I'm being
snarky or anything, just another risk management
decision.)

You see, but they (the MITM people) are your real customers, not the
masses.

?? I grant that if they were paying me, I'd
do something different. But they ain't. So
I won't.

The masses don't need your e-mail encryption - they are fine
enough without it.

Yowsa! Where did this "need" thing come from?

The masses don't "need" the Internet, is that
what you mean?

The to-be-MITM'ed guys, the ones who do send secrets
and who are subject to MITM may not know they have to fear MITM. They
are executives, lawyers, etc., and they do not even know what MITM is.
It *is* your business to bother with them because you are designing
their solution - they trust you and your security system (hopefully for
a pay :) )

Nope. It is their business to *pay* me for a
system, and advice. Until they do that, they
can go hang.

e. Of course, if MITM was easy to solve, we would
solve it in the code. It's just not easy to solve.
Luckily it is so rare and so "high value" that we
can safely ignore it for the vast majority who fall
in the "low value" threats class.

My claim was that of the 1% messages that are worth encryption at all,
maybe 80% are worth a MITM.

Well, all of them are worth attacking. How we
do the attack is simply economics. The big
difference of the MITM v. eavesdropping is that
the MITM is orders of magnitude times more
expensive, in general.

MITM is difficult, but it's difficult when it's in real-time. E-mail
messages just lurk in your Internet-accessible mailbox for anything
between 5 minutes to five days until you pick them up. If you assume
that your opponent does not have the capability of breaking into your
POP mailbox then who exactly are you protecting yourself against?

Well, it is all about raising the bar. Are we
agreed that the system substantially raises the
bar?

Yes, it raises the bar. A generic pick-one-of-a-pile message sniffing
would become orders of magnitude harder, but I am not sure this is our
goal. It's great against wholesale surveillance, and this is a good
feature, but it's not all we're looking for.

Right. So what is our goal?

If my goal was here, it would be something like the
largest amount of free crypto possible. That's just
me. For e.g., my company wrote the Cryptix library,
and we pushed it out under BSD licence. Although
we watched Baltimore, RSA, and that German company
rise to billions on stock exchange values doing much
the same thing, we never thought of changing the price.
(Call me dumb ... many do ... but my market was in
transactions, not crypto.)
(Call me stupidly dumb.)

Of course, a casual lamer running Ethereal on his laptop in Starbucks
will be helpless against this scheme, but is this whom you're using
PGP (or alike) against?

(Hmmm... I'm not sure I follow ... do you mean
that the "casual lamer" is the attacker or the
defender?)

Sorry.
The "casual lamer" was intended as the attacker. He is probably the only
one who can sniff but who cannot MITM you. I believe that a real
opponent can do both.

Sure. A real opponent can beat this scheme. So
when these dastardly types turn up, we'll improve
it.

Secure, being, completely and correctly covers those
things I choose to include.
I choose not to include "first MITM opportunity."
I also choose not to include "trojan on Windows OS."
And, there is no protection included for "meteors,
unicorns, sniper bullets."
And I'll argue certain threats are more likely than
others :)

But *I know when I need to do it*. I don't expect
PRZ to know when I need to do it. I don't expect
to blame PRZ because he didn't fix it for me.

Leave the guy alone, he was blamed enough in his life for his PGP :)

Ha!

Seriously, he's not expected to, and no system is expected to, and this
is why we don't have any system that does... They all leave it to you,
and it's probably the only way to do it securely.

Right. I say the same thing about MITM and the
value of the message. Let's deliver a system that
works, and sod the rest.
There are reasons for taking this attitude...

We're supposed to design security systems for people who need it. That's
at least what I do for a living...

Right, so we need to negotiate on goals.

We aren't responsible for the one. The one
didn't pay us. The one just wanted some
basic security, and didn't get it. The one
didn't read part 5.

Okay, I think that we will all agree that such a system is good, but
just as long as it does not create a false sense of security for that
one. People should all know that the system as it is in steps 1-4 is
only mildly safe, and anyone who really needs security should do #5.
This should probably solve our debate.

Yes.
The false sense of security is one of the
biggest boguss-arsed arguments ever used :)
It generally is imposed totally incorrectly.
It is easy to avoid a false sense of security.
You just state the security.
Easy. Done. End of story.

I think that it is crucial that this one knows the limits of the system,
because this one is the only one for whom the system is actually useful.
If he doesn't get it - we got nothing. That's my opinion... (You don't
care about the one who needs security and I don't care about the 1E6 who
don't...)

Right. We have *different* definitions of
"secure" and different ideas about the market.

Hagai Bar-El wrote:

He just needs access to your mail files on the server,
either by being an insider or by compromising the
server. If the key is not yet cached then he doesn't
even need that - he just needs to send the first mail
with a forged "from" address.

But if there is no existing relationship, there is
nothing to steal. We do not actually want to secure true
names. We want to secure true relationships, which are
represented by names, names that seldom correspond
precisely to true names.

There are two ways the establishment of a new
relationship can be part of a scam:
One is the 419 scam, previously known as the Spanish
Prisoner scam. "I am the niece of Charles Taylor, who
desperately needs to sneak forty three million dollars
out of Nigeria."
The other is the trusted name scam: "Amazing new offer
from Rolex". Somewhat to my surprise, though huge
numbers of people claimed to be offering "affordable
Rolex" watches for sale, not one of them claimed to *be*
(snip)

Similarly the payments processor scam involves a false
claim of relationship, not a false name. Everyone in
the scam uses his true email address, true website, and
his true DBA. PKI is entirely irrelevant to the payment
processor scam. To defeat the payment processor scam we
need cryptographic linkage of a communication to an
agreement between nyms, not to a nym, and the concept of
a "true" nym is entirely irrelevant.

The "casual lamer" was intended as the attacker. He is
probably the only one who can sniff but who cannot
MITM you. I believe that a real opponent can do both.

But the KBG, the CIA, the FBI, and the IRS cannot MITM
an existing relationship which is all that they are
likely to want to MITM, if keys are routinely and
automatically exchanged, indexed, and archived on setup
of the relationship,

Hagai Bar-El wrote:

It could be circumvented by malicious code on the
server, waiting for this e-mail with a new key to be
cached.

If there is malicious code on the server, or someone
persistently watching and maliciously modifying what is
on the wire, we are probably talking about the FBI or
the CIA, not some random scammer. (And if there is
malicious code on the client, which is rather more
likely than the server, PKI is just as useless)

If the FBI owns the server, it is of high importance to
keep that ownership secret. Active attacks are trivial
to detect by out of band communications. So the FBI is
only going to use active attacks on known high value
targets in high value cases, who will be correspondingly
inclined to test for active attacks. It is not going to
actively attack the standardized messages sent out when
setting up a bank account or joining an email mailing
list - and conspiracies to overthrow the state are
(snip)

High value cases are usually an attack on a company, and
the company generally owns its own server, keeps the
server physically secure, and has people connect to it
by VPN - and when we set up a VPN connection, we are
back to securing true relationships, not true names.

Also, imagine a case in which a spam message forged to
be coming from known bank sites, attempts to lock into
known address-book slots, such as
"reports at citibank.com". If one day you actually enroll
with Citibank your messages may be compromised, at
least for a short while until this is found out.

The attack you suggest involves using apparent
commonality of domain as evidence of relationship. This
is a subcase of the problem of attacks based on false
claims of relationship, which most commonly manifests as
the payments processor scam. In the case you suggest,
the attacker falsely using the domain name as evidence
of relationship, which can be defeated by a DK system,
which would also take care of a great many of today's
scams. It is however not sufficiently general to take
(snip)

There is some question about the relative benefits of
different philosophies of protection. I personally
sing to this rhythm:
do what you can for free,
then extend!
Call that 'A'. Others often set other targets. Many
love to dance to this tune:
Cover all threats in the set 'B'
coz the paying customers deserve it!
So why would we choose one over the other?

The case for set B is based on custom. The set of
threats included are those that have been selected
by an arcane and tricky process but let's assume
they are "good" for now.

The case for set A is based on economics. It walks
like this.
Free is defined to be something that is of lesser
or equal cost to the activity in question. Say we
are sending an email. Free means there is no other
activity or cost imposed on the sending of the email
other than ... already necessary in sending the email.
(See earlier mail!)
Now, if we assume away (rotate arms like windmills here)
the costs of implementation and deployment then that
means that all people on the planet of email could
(snip)

Back to set B. Let's say (this is a *challengable*
assumption but it suits today's logic) that Set B is
"better" than Set A, and in fact is so much better
we can call it "totally secure." Let's also assume
there is 1% of the population that is "discerning"
enough to demand set A and go through the cost of
deploying it.
(Paying for it!) (Paying good money!) (Spending time!)
So we now have 99% using Set A, for free, and with
"known weaknesses." Also, we have Set B which we
(snip)

What happens?
Well, I'm sorry to say that normal *business* processes
will kick in and totally destroy Set B. Completely
and utterly. No matter how much better it is.

If 99% of the people in the corporation use Set A,
then it will be the standard. It will be demanded
to be the basis of everything. It will become the
new lingua franca, the new way, the only way.
Verily, the definition of email.
Even if the corporation has a small group that needs
securing, they will simply use Set A and bolster it.
It is far more economic to bolster Set A than to
deploy Set B as well as Set A. They could even
layer Set B over Set A... if they so decide.

Set A of course does not *preclude* the features
in Set B. It just doesn't deliver them by default.
OTOH, Set B definately precludes the 99% usage
base that is available to Set A. There is no way
you can "reduce" Set B to cover the other 99%,
because to do so means either you require them
to pay (run away screaming!) or you need to break
your assumptions about customary security (crawl
in a hole and die!)

We know this to be true from experience. SSH
covers 100% of its market area - telnet is now
effectively only used for testing. Yet SSH has
this tiny known weakness.

SSH actually went up against SSL-telnet. Not-
withstanding that SSL-telnet had some sort of
claim that it had "no weaknesses," it was trounced.
Not just trounced, it was destroyed, scattered to
the winds, blown into the milky way.
The reason was costs.

The result was not pretty. Probably there are
only a handful of people who even remember that
SSL-telnet existed. And even fewer of those are
prepared to admit that they used it, briefly.

OTOH, we still have a situation where SSL is only
used in <1% of browsing. SSL claims complete
security, but it never broke out of 1% usage.

Prediction: if someone invented HTTP tunnelling
over SSH (of course, this is crazy talk), it
would wipe out SSL within 2 years.

The reason: coz SSH costs $0. Economics rules
over "security" whatever that latter word means.

And, "free" rules over "costs" no matter what the
threats.

This business analysis is entirely stable (econ-
speak for "better") no matter what you care to
say about security. But even better, Set 'A'
has the wonderful ability of improvement - as
the threats arise, it can improve. It is this
ability which makes it the honest, better choice;
the ability to improve to keep pace with new threats.

It's a winner! But more importantly the price
is right - as the threat is low, the price is
low. As the threat rises, we can raise the
price and meet more of the threat.

Try that with your Set 'B' !

PS: We are about to see this experiment run in the VPN > market.

PPS: We have the same situation with S/MIME, and PGP, > although to properly contrast would be a rant for > another day.

PPPS: There is only one way in which Set B can live in > such a world. I'll leave that as an exercise for the > reader.

Maybe that's because only 1% of the browsing requires > security... Don't forget that SSL does have it's cost > in terms of performance. If people don't need security > they will not switch it on just because it's there. It > has nothing to do with the design of SSL as requiring > certificates.

But if there is no existing relationship, there is > > nothing to steal. We do not actually want to secure > > true names. We want to secure true relationships, > > which are represented by names, names that seldom > > correspond precisely to true names.

Right, but if the establishment phase of a
relationship is also your
root of trust then it is not that meaningless anymore.

But the KBG, the CIA, the FBI, and the IRS cannot > > MITM an existing relationship which is all that they > > are likely to want to MITM, if keys are routinely > > and automatically exchanged, indexed, and archived > > on setup of the relationship,

They cannot MITM an existing relationship, but they > can MITM when such starts.

I agree we're not protecting against the "random > scammer". He is the Starbucks lamer from my thread > with Ian. However, our opponent is not the FBI either.
He can be anyone the business people who use e-mail > encryption are afraid of. A hacker hired by a rival > business, or alike (all the financially motivated > break-ins).

The FBI is not my main threat. However, to your point, > if the FBI really owns the server they can do all the > MITM they want without you having a chance to discover > it.

--
Ian G wrote:

PS: We are about to see this experiment run in the VPN
market.

Not sure what you are referring to. What system do see
providing or going to provide routine VPN encryption?
IKEv2?

PPS: We have the same situation with S/MIME, and PGP,
although to properly contrast would be a rant for
another day.

S/MIME and PGP are both expensive, especially S/MIME,
and so neither one is much used. What is the
"situation" to which you refer.

PPPS: There is only one way in which Set B can live in
such a world. I'll leave that as an exercise for the
reader.

This reader fails that exercise.

Hi,
At 26/05/06 01:58, Ian G wrote:

I think you got the expectancy screwed up in this calculation...
In 1/1E6 case, the case of MITM, the probability is low, but the stakes
(damage) is high.

I'm sorry, how did you decide the stakes / damage
was high? Have you any logic or evidence to
support that?

My logic is that people who need security usually need it for a reason
while people who just use it because it's automatic do not. A MITM is
not done for nothing - if an opponent does a MITM then it's for
something much more valuable than the typical random e-mail message that
can be picked up (and which you do protect).

Also, how high? It has to be *exceptionally* high
to make a difference - we are probably talking in
millions here - given that we routinely accept
MITMs of $1000 in phishing being not worth worrying
about.

I do not know the actual average damage of a MITM, of course.
However, I do know the gain of protecting messages that do not require
protection and it close to zero. Okay, if you're worried about wholesale
surveillance then it's above zero, but it's close to zero otherwise.

It was a person who got a false sense of security,
trusted your system, and got screwed.

Nah :) My system reveals that it doesn't cover
the MITM for the first instance. If they
trusted that to, er, be the reverse of what
it said, then they *will* get screwed no matter
what system we give them.

I agree. All I was asking for is for the system to declare it's threat
model.

My claim was that it does not solve the usability problems of
e-mail encryption (as PGP) for the cases where"real" security is needed
and just lifts the bar for the rest.

For the (1E6-1)/1E6 you are likely to get good protection, but good
protection against nothing, because there was nothing at stake, which
means you get close to zero. My initial point was that most e-mail
message do not need any security and are not put at any risk by not
being encrypted.

LOL.... yes, this is to some extent true. If
there is no risk there is no protection needed.
Which is *precisely* what I'm arguing for MITMs.
So how do I argue the reverse for the great mass
of email users?

There is no risk for the masses, there *is* risk in the cases that are
worth a MITM, because they are the 1/1E6 that are worth it. I will try
to phrase it clearly: the great mass of e-mail messages do not care
about MITM, but they do not care about your system either, because they
have nothing at stake. The few messages that are at stake are also the
messages that are worth being MITM'ed, and you don't help them much
(well, you do, by step #5, but without improving the usability, which
(snip)

Of course not many messages will be MITM'ed, but not many messages are
worth it, or any protection, either...

Right, but look at the difference: We have
some good numbers for eavesdropping. Not many,
but thanks to recent news we can start to get a
picture. Something like 10m people's phone calls
in the US, and something similar in email (again,
details are spotty). We have to stab in the dark
here and make some wild estimates.

I agree. This is wholesale surveillance. I may be old fashioned, but I
still don't see this as part of my threat model.

What's our numbers for MITM? I suppose we would
have to look at phishing, now, and then reduce it
for the "first opportunity MITM."
Either way - we should be able to agree that
the risk / frequency of eavesdropping is many
magnitudes over the risk / frequency of MITM.

What is the risk? 10m people were wiretapped; so? What damage was caused?

I believe that there is no damage in MITM because most people who write
e-mails that are worth a MITM, *do* use PGP or alike, or don't use e-mail.

a. There are truly very few circumstances where
a usable MITM-vulnerable system is worse than an
unusable MITM-resistant system. Kerchkoffs' 6th
principle is his most important, IMO - the system
must be usable under field conditions.

The law was written for a very specific scenario. It's a military
scenario where the average stake of a message is high.

No, I disagree. I've done military crypto, as a
field grunt, and the stakes were low. The law is
entirely applicable - in fact more applicable -
for the grunt in the field. Try scribbling a
cryptogram when it's raining, dark, your fingers
are frozen, there's mud in your eyes, your pencil
keeps slipping, and the red-covered torch under the
honcho isn't worth squat ...

Done that... ;)

I agree that a system must always be usable in field conditions, of
course, but the term "usable" is lax and does not translate well from
the military field into the commercial field. How usable? Does the need
to negotiate keys make a system unusable? Is it like writing crypto in
the rain, dark, with frozen fingers, etc.? I doubt...
I wrote what I wrote before about the average stakes to point out that
"lifting the bar" for the masses is worth more with an unusable military
system than with an unusable commercial system.

This is not
commercial e-mail where you have one message worth, say, $100K and a
million worth absolutely nothing. You can also assume that the $100K
message senders are a bit more aware than the rest, in average, so you
can expect just a bit more of them. They are the ones by whom the
success of the system will be determined, not the masses that just send
porn links to each other.

Yowsa! I hope we can keep these assumptions intact
when we get to the MITM case. Coz, if the message
truly is worth $100k, did you assume that they were
allowed to run on a Windows platform? And how did
you enforce that?

The $100K is not a final quote. :)

I wouldn't store a $100K value asset on Win32 either.
The point is that 1/1E6 messages are worth a lot (enough for a MITM -
the number in dollars doesn't matter) and the rest are worth zero.

The MITM case you will suffer is indeed one of a million, but it's
probably the only one that counts. People that encrypt messages for no
reason cannot be counted into the success rate of the system.

Nope. People that encrypt messages that don't
need encryption - that's a strawman. You don't
know in advance what messages need protection.
You can't even ask the user, coz she doesn't
know, and won't even know with any reliability
_after_ she sent it.
The only tractable assumption is to encrypt
everything the best you can. There is zero
merit in assuming that in advance there are
a few messages we just have to get right,
unless you happen to have a big fat contract
that specifies that.

I am not sure I agree with the actual value of encrypting everything.
The only risk that you face with messages that were not considered as
"sensitive" at the time of sending is with legal stuff, and this is
outside your threat model anyway, because you must keep the keys and
disclose them anyway when it gets to court.

Okay, I agree to attribute some benefit to all-inclusive encryption, but
this is not the way, I believe, e-mail encryption success is to be
determined. This probably takes us back to the first message of the thread.

(If you have one of those, do you feel like
sharing it?? :)

I would if I had. :)

b. Above, there is point 5. For those who make
a risk management decision that they are concerned
with the MITM risk, they can simply phone up their
other contact and do a key exchange over the phone,
like as in PGP. The system covers the initial MITM
threat - it just asks you to do the heavy lifting
of the phone in the case where you need that.

Right, and this is why I like your method. This option is probably the
most useful one, but unfortunately, it brings us back to the
inconveniences of today's systems...

Well, it doesn't bring us back to the inconveniences
of today's systems, except in the 1% of cases where
people decide to do it.

...And I claim that this is the only 1% that counts... I guess this is
the root for the debate between us.

I am just afraid of the 70% or so
of the 1/1E6 who will skip step 5 because of a false sense of

security...
Nah, 99% at least. And, they won't do it because
of a false sense of security. They'll do it because
of risk management - it isn't worth it to them to do
that step.
(They could be wrong of course. That's another story.)

I was more pessimistic - I did not say 70% but 70% of the 1/1E6...

c. You could make the case that there are people
that need MITM protection but don't know it. I
choose not to bother to protect those people,
because if they don't know, then they will do
something else which will compromise themselves,
such as install windows. (Not because I'm being
snarky or anything, just another risk management
decision.)

You see, but they (the MITM people) are your real customers, not the
masses.

?? I grant that if they were paying me, I'd
do something different. But they ain't. So
I won't.

You do it voluntarily, but you still do it for them... At least that's
how I see it.
(BTW, after realizing that they are 1/1E6, even if they were paying it
would probably not be worth it. :) )

The masses don't need your e-mail encryption - they are fine
enough without it.

Yowsa! Where did this "need" thing come from?

It's not "need" but "lack of need" and it came from the observation that
nobody asked for e-mail encryption, nobody uses it (and don't give me
this usability excuse - people do things less "usable" than PGP when
they need to - like fighting with MS-Word indentation).
That's how it all started. Why don't people use encryption... Is it not
usable or do they just don't think they need it... I claim the latter.

The masses don't "need" the Internet, is that
what you mean?

The masses do need the Internet, at least the porn sites... :)

The to-be-MITM'ed guys, the ones who do send secrets
and who are subject to MITM may not know they have to fear MITM. They
are executives, lawyers, etc., and they do not even know what MITM is.
It *is* your business to bother with them because you are designing
their solution - they trust you and your security system (hopefully for
a pay :) )

Nope. It is their business to *pay* me for a
system, and advice. Until they do that, they
can go hang.

This brings me to my original claim that the rest don't need e-mail
encryption. They don't ask for it, and they don't use it. I agree that
your system is useful, and will lift the bar; I just don't think that
this is our main goal. The main goal are the people hanging above...

Right. So what is our goal?

Making security easier where strong security is needed. (not just
lawyers etc., also you and I when needing strong security for privacy or
business reasons).

Secure, being, completely and correctly covers those
things I choose to include.
I choose not to include "first MITM opportunity."
I also choose not to include "trojan on Windows OS."
And, there is no protection included for "meteors,
unicorns, sniper bullets."
And I'll argue certain threats are more likely than
others :)

I agree about the applicability of all claims but the MITM one of
course. If you don't mitigate unicorns, it's okay, because people don't
expect you to. However, if you don't protect against MITM in some modes,
these modes are not worth much (only to the masses, which is what I
don't count, and where we disagree).

This is why I said that regardless of my "concerns" I still think your
system should be deployed.

We're supposed to design security systems for people who need it.

That's

at least what I do for a living...

Right, so we need to negotiate on goals.

Indeed...

The false sense of security is one of the
biggest boguss-arsed arguments ever used :)
It generally is imposed totally incorrectly.
It is easy to avoid a false sense of security.
You just state the security.
Easy. Done. End of story.

I actually agree with this.
False sense of security is not always such a big issue to resolve.

I think that it is crucial that this one knows the limits of the

system,

because this one is the only one for whom the system is actually

useful.

If he doesn't get it - we got nothing. That's my opinion... (You don't
care about the one who needs security and I don't care about the 1E6

who

don't...)

Right. We have *different* definitions of
"secure" and different ideas about the market.

Yap.
Actually, I think we have different views only of the market. The
"secure" is implied from it.

At 26/05/06 11:48, Ian G wrote:

There is some question about the relative benefits of
different philosophies of protection. I personally
sing to this rhythm:
do what you can for free,
then extend!
Call that 'A'. Others often set other targets. Many
love to dance to this tune:
Cover all threats in the set 'B'
coz the paying customers deserve it!
So why would we choose one over the other?

I trust I am your endorser for "Set B"...
I don't think we should choose one over the other. Having two modes
(with step #5 [Set B] and without step #5 [Set A]) is just great by me,
and that's what I keep saying from the start.

The case for set B is based on custom. The set of
threats included are those that have been selected
by an arcane and tricky process but let's assume
they are "good" for now.

The "tricky process" is called a threat-analysis.

I think I was convincing enough about the ease of off-line MITM.

The case for set A is based on economics. It walks
like this.
Free is defined to be something that is of lesser
or equal cost to the activity in question. Say we
are sending an email. Free means there is no other
activity or cost imposed on the sending of the email
other than ... already necessary in sending the email.
(See earlier mail!)
Now, if we assume away (rotate arms like windmills here)
the costs of implementation and deployment then that
means that all people on the planet of email could
have set A. For nothing.
Let's call that 99% of the emailing population.

Agreed.
The 99% get it for free. They don't necessarily need it, but they get
it, and since it's free, no one has any reason to object.

What happens?
Well, I'm sorry to say that normal *business* processes
will kick in and totally destroy Set B. Completely
and utterly. No matter how much better it is.

Really? Like TABs destroyed SecureID? (LOL)

Like FedEx destroyed Brink's?

Like downloadable browser applets with PINs destroyed smartcards?

Many people need little security (or none). Some people need strong
security. Some products give low security (Set A) and some products, or
enhancements to the same products, give more security (Set B). These Set
B's can be and are sometimes orders of magnitude more expensive and they
still live; live well.

If 99% of the people in the corporation use Set A,
then it will be the standard. It will be demanded
to be the basis of everything. It will become the
new lingua franca, the new way, the only way.
Verily, the definition of email.
Even if the corporation has a small group that needs
securing, they will simply use Set A and bolster it.
It is far more economic to bolster Set A than to
deploy Set B as well as Set A. They could even
layer Set B over Set A... if they so decide.

Right. In our case, Set B (steps 1-5) is a superset of Set A (steps 1-4)
that costs more (manual key management) and gives more. What's wrong?

Set A of course does not *preclude* the features
in Set B. It just doesn't deliver them by default.
OTOH, Set B definately precludes the 99% usage
base that is available to Set A. There is no way
you can "reduce" Set B to cover the other 99%,
because to do so means either you require them
to pay (run away screaming!) or you need to break
your assumptions about customary security (crawl
in a hole and die!)

This is a system-design issue. Nobody said that a single product cannot
do both Set A and Set B and fall-back if this is desired.

I don't get
your point. Even your own suggestion was a single system that supports
both (with or without step #5). I was only claiming that the "with step
#5" is no more usable than e-mail security today, and without step #5 is
not secure enough for most cases where security is needed.

We know this to be true from experience. SSH
covers 100% of its market area - telnet is now
effectively only used for testing. Yet SSH has
this tiny known weakness.

Right, and I have no problem with that. I use SSH myself. I have no
problem because:
1. The MITM needs to be on-line, which is tough. In your case it can be
off-line.
2. I engage in the "risky" process once in five years, not once in a
month (when introducing a new correspondent).

SSH actually went up against SSL-telnet. Not-
withstanding that SSL-telnet had some sort of
claim that it had "no weaknesses," it was trounced.
Not just trounced, it was destroyed, scattered to
the winds, blown into the milky way.
The reason was costs.

Cost-benefit, to be exact.

SSL-Telnet gave too little added benefit for its added cost. I agree. I
would never use it.

The result was not pretty. Probably there are
only a handful of people who even remember that
SSL-telnet existed. And even fewer of those are
prepared to admit that they used it, briefly.

To be honest, I did not even know it ever existed...

OTOH, we still have a situation where SSL is only
used in <1% of browsing. SSL claims complete
security, but it never broke out of 1% usage.

Maybe that's because only 1% of the browsing requires security...

Don't forget that SSL does have it's cost in terms of performance.

If
people don't need security they will not switch it on just because it's
there.

It has nothing to do with the design of SSL as requiring
certificates.
Fact is, even on the servers that support SSL and have the certificates
and all (added cost over SSH was already paid), most pages are not
encrypted even though it's a checkbox away with no extra cost.

Prediction: if someone invented HTTP tunnelling
over SSH (of course, this is crazy talk), it
would wipe out SSL within 2 years.

Yeah, unless common browsers start caching self signed certificates.

However, even though SSH will kill SSL for its low setup costs, no more
than 1% of the pages will be encrypted, for the reasons I wrote above.

The reason: coz SSH costs $0. Economics rules
over "security" whatever that latter word means.

"security", whatever the word means, is part of "economics" - they are
not ones against the other. This is what risk management is all about.

And, "free" rules over "costs" no matter what the
threats.

I strongly disagree.
It's not true anywhere and it's not true in security, otherwise people
would still use passwords for the VPN's and not bother with HW tokens,
and there are dozens of other examples.

Let's assume that the rant itself is plausible and the > conclusion - that Set A wipes out Set B in a fair > fight - is solid.
In which case, the only thing left is an unfair fight.
Set B, or the proponents thereof, have to basically > destroy Set A in *other* ways. E.g., ban it or > otherwise downgrade it so severely that it is treated > as "worse than any alternate."

Now however if you go to email client suppliers, and > explain this model, you'll be treated like Satan.
It's too late for email.

No, it's a marketing issue. And yes, people do say > that the single product can only do Set B, and you > cannot fall back.
There is no fallback mode in SSL. In fact, the ADH > protocol is considered to be "deprecated" in the RFC > because it is "insecure". In OpenSSL it is turned off > by default, not compiled, so it is simply not > available in Apache. Because it is too dangerous for > you to fall-back to it, you "might not know what you > are doing."
(snip)

--
Ian G wrote:

Now however if you go to email client suppliers, and
explain this model, you'll be treated like Satan.
It's too late for email.

I observed a similar resistance in SIP, where it is not
too late. My impression was that they were supporting
PKI for reasons unrelated to security - that it was
somehow stuffed into the specification - and indeed, if
they had their druthers, they would not bother with any
security at all.

Security is hard, people tend to get it wrong (WEP and
PKI) you cannot really test it into workability, because
attacks do not manifest until widely deployed. You
cannot tell the real experts from the bullshit artists
by real world criteria. Therefore, if someone disagrees
with orthodoxy, the rational response is to ignore him,
even though orthodoxy is likely to be garbage, for the
same reasons as it is rational to ignore those that
disagree with orthodoxy.

Hagai Bar-El wrote:

Maybe that's because only 1% of the browsing requires
security... Don't forget that SSL does have it's cost
in terms of performance. If people don't need security
they will not switch it on just because it's there. It
has nothing to do with the design of SSL as requiring
certificates.

It has everything to do with its cost as requiring
certificates. It takes a skilled engineer half a day to
drop in a new certificate. Sites that do serious money,
such as the Gold Casino run for weeks with an expired
certificate, because introducing a new certificate is
frighteningly hard.

James A. Donald:

But if there is no existing relationship, there is
nothing to steal. We do not actually want to secure
true names. We want to secure true relationships,
which are represented by names, names that seldom
correspond precisely to true names.

Hagai Bar-El

Right, but if the establishment phase of a
relationship is also your
root of trust then it is not that meaningless anymore.

He has to keep the active attack going over a long
period while your relationship becomes valuable. If he
does this to any significant number of targets, his scam
will be detected before it yields anything of value.
Persistent active attacks are extremely vulnerable to
detection. Plus, it is simply hard to do. A persistent
active attack has to be done perfectly every time, over
a long time. By and large, the CIA is composed of
blundering idiots.

It raises the bar beyond that achievable by the typical
Nigerian scammer, to levels that present a major
obstacle to the KGB and CIA.

But the KBG, the CIA, the FBI, and the IRS cannot
MITM an existing relationship which is all that they
are likely to want to MITM, if keys are routinely
and automatically exchanged, indexed, and archived
on setup of the relationship,

Hagai Bar-El

They cannot MITM an existing relationship, but they
can MITM when such starts.

But when it starts they will not know, the participants
generally will not know, that it is conspiracy to do
things that the CIA is interested in. If they
persistently MITM everyone, or even any substantial
number of people, or even one person in the entire world
for any lengthy period, they are going to be detected.

Many people need little security (or none). Some people need strong
security. Some products give low security (Set A) and some products, or
enhancements to the same products, give more security (Set B). These Set
B's can be and are sometimes orders of magnitude more expensive and they
still live; live well.

Maybe that's because only 1% of the browsing requires security...
Don't forget that SSL does have it's cost in terms of performance. If
people don't need security they will not switch it on just because it's
there. It has nothing to do with the design of SSL as requiring
certificates.
Fact is, even on the servers that support SSL and have the certificates
and all (added cost over SSH was already paid), most pages are not
encrypted even though it's a checkbox away with no extra cost.

However, even though SSH will kill SSL for its low setup costs, no more
than 1% of the pages will be encrypted, for the reasons I wrote above.

Maybe, and maybe not. They do not need a constant MITM, but just to
sample mailboxes. Given you already accuse them for tapping each and
every wire, this should not even be a problem. They can tell when a
relationship is established and get into the mailbox (or actively
MITM) just then.

The case in which they care about a relationship only after it is
formed may occur, but does not reflect all cases. In some cases they
may just as well be interested in a relationship as it is formed.

But forget the CIA, what about typical Trojans that sit on a server
and sniff for new messages from banks, etc.?

Or do you back up everything?
Some people backup everything - because they
couldn't be bothered working out which files
to backup.
Some people backup only their "own" files, and
they regenerate the system files. Or they backup
"dailies" and "monthlies" separately.
But this only works because ... there is an easy
way to determine what is important and what is not.
Same with email.

Is this post important? I don't know. I could
hazard a guess that in a future life, those people
on the evil practicalsecurity list will be hunted
and gunned down in cold blood.

It's just so much easier to encrypt everything.

Over in Euroland they will shortly be rolling out new
systems to bypass SSL security. It will involve the user
*travelling into their branches* and 'personalising'
(that is, forming a relationship) their mobile phones.
With this system in place, they will not need SSL at all.
(Well, I *think* that's the case, but it is conjecture,
there are no published details on this as yet. I am
sure they will continue to use SSL, but they won't
need it.)

My logic is that people who need security usually need it for a reason
while people who just use it because it's automatic do not. A MITM is
not done for nothing - if an opponent does a MITM then it's for
something much more valuable than the typical random e-mail message that
can be picked up (and which you do protect).

I have to think about that for a bit, but here's
my intuition - it sounds dangerously circular. It
sounds like you would be saying that you are looking
for a market that truly appreciates the need for
MITM protection, and then you will be comfortable
specifying MITM to protect them, because they are
by definition needy for it.

Try this pop quiz. If all your email was worth
$100 to you, would that make it worth protecting
at the "all" level, even if that left out some
protections such as MITM?
Or, at what point would you say, "ok, let's do
all of it?" $10? $1000?

Another is that it is possible to solve the "real"
security for the 99% once they have a system in
place - they just upgrade. So if you like, it can
be treated as a two-phase operation: First, give
them the free thing. Second, upgrade them to the
real thing.

There is no risk for the masses, there *is* risk in the cases that are
worth a MITM, because they are the 1/1E6 that are worth it. I will try
to phrase it clearly: the great mass of e-mail messages do not care
about MITM, but they do not care about your system either, because they
have nothing at stake. The few messages that are at stake are also the
messages that are worth being MITM'ed, and you don't help them much
(well, you do, by step #5, but without improving the usability, which
was the problem at hand).

See above. Bear in mind that you are assuming that
there is zero threat to the masses - I would point
out that this is a convenient assumption, and isn't
really true.

I believe that there is no damage in MITM because most people who write
e-mails that are worth a MITM, *do* use PGP or alike, or don't use e-mail.

Well, again, that's now drifting into self-selection
and circular logic.

My point was simply that usability dominates all.
If the system is unusable, it won't be used, and
messages will bypass the system. So the higher
goal won't be achieved; I think this is true
across all domains, but the details differ of
course.

I wouldn't store a $100K value asset on Win32 either.
The point is that 1/1E6 messages are worth a lot (enough for a MITM -
the number in dollars doesn't matter) and the rest are worth zero.

I doubt that's sustainable! We simply don't know
which messages are worth a lot, a priori. Neither
does the sender.
(See case above. If you asked that opponent whether
her sex-chat was worth $1,000,000 before hand she
wouldn't have known what you were talking about.)

...And I claim that this is the only 1% that counts... I guess this is
the root for the debate between us.

It may well be! In order to put meat on the debate,
I claim to better serve the 1% by ignoring them!

You do it voluntarily, but you still do it for them... At least that's
how I see it.
(BTW, after realizing that they are 1/1E6, even if they were paying it
would probably not be worth it. :) )

Bingo! Once we really concentrate on those who are
prepared to pay for it, we discover an awful truth
about the market for security - they are too few
to make it profitable.

That's why I basically stick to the mass market -
because the honest paid market won't pay the bills,
and the dishonest paid market is ... well, dishonest :P)

I agree about the applicability of all claims but the MITM one of
course. If you don't mitigate unicorns, it's okay, because people don't
expect you to. However, if you don't protect against MITM in some modes,
these modes are not worth much (only to the masses, which is what I
don't count, and where we disagree).

That's an important point. Can we agree that
the reason we protect against the MITM is because
people expect us to?

Now however if you go to email client suppliers,
and explain this model, you'll be treated like
Satan. It's too late for email.

Unless it is falsely stated. For example, people
often think that SSH suffers from a false sense
of security but SSL doesn't. In practice it is
exactly the reverse, and the claims indicate this.
The SSH weakness is open and in your face. Everyone
knows that SSH has this weakness.
But the SSL weakness - exactly the same weakness
of the MITM - is hidden, and pretended to be non-
existance. It is in fact existant in the CA.
The CA is the TTP which is the centralised MITM
(snip)

That's what I'm claiming. You know what is worth encryption and what is
not.

Is this post important? I don't know. I could
hazard a guess that in a future life, those people
on the evil practicalsecurity list will be hunted
and gunned down in cold blood.

If it makes you feel any better, if this would ever be the case, I will
probably go first... :)

It's just so much easier to encrypt everything.

The only point that is missing is that when encryption is "really"
needed, this same method used for encrypting everything shall not be
applied (this is the Set B part). So, Set A alone solves only the
marginal part - those system files that are backed up.

At 30/05/06 00:25, you wrote:

Over in Euroland they will shortly be rolling out new
systems to bypass SSL security. It will involve the user
*travelling into their branches* and 'personalising'
(that is, forming a relationship) their mobile phones.
With this system in place, they will not need SSL at all.
(Well, I *think* that's the case, but it is conjecture,
there are no published details on this as yet. I am
sure they will continue to use SSL, but they won't
need it.)

They may still need SSL, or at least decide to use it. The
personalization process will solve the need for certification of clients
and possibly also of the server, but they will still need to form some
secure authenticated channel, based on the credentials that they rolled
out. They may, of course, rely completely on application-level security
(secure the transactions and not the session) but they are not likely to
be bald enough to do so...

My guess is that they would provision you with a nice X5.09 client
certificate, and a trusted server certificate that will not pop up any
unwanted dialog boxes, and use SSL on top of that... It's just a guess,
considering that banks like to conform...