On distrusting trust.

[reddragdiva]

Enigmail keeps nagging me to set it up properly. (It came with my copy of Thunderbird.) But I can't remember my GPG pass phrase. I should be able to, as it's based on [garble] of [garble], which I can't imagine forgetting. It's just I need to [garble]. I could just create a new one, but giving it verifiably to the few people who care would be even more of a nuisance.

I don't remember it because I don't use it. Cryptographic protection of privacy sounds like a good idea and something I should do. But I don't get the public-key infrastructure model at all. Keep in mind that I am intelligent and technically literate and have had ten years' geek culture exposure to the concept. How would one communicate it to someone without that at all?

(Excuse me while I pontificate on a subject I admit I don't understand properly.)

• The user is overwhelmingly the most insecure part of any network. The company I work for has all sorts of security policies, but the users are scientists and swap passwords the way they swap information. A security system that leaves any user writing passwords on Post-It notes is fundamentally broken. Most credit card fraud is by people and companies you gave the number to, not someone eavesdropping on the transaction. When your restricted LJ post gets out, you know damn well it was cut-and-paste fairies.

• Trust is not transitive - even if you don't confuse the technical and conventional meanings of the word. Just because someone signs someone else's key, why on Earth should I put the same trust in that as I do in my personal verification? I suspect a variation of geek social fallacy #4. And even with one's closest friends, trusting them in one respect in no way implies trusting them in another.

  I find someone's writing style a surer verification of identity - their writing is their public self on the Net. If the cryptographic signature was right but the writing style was wrong, I would first assume their computer had been cracked rather than that they had suddenly acquired a jarringly foreign turn of phrase.

• The Internet threat model - completely secure computers at either end, possibly-compromised wires in the middle - is completely arse-backwards. Pretty much no-one is eavesdropping (modulo insecure WiFi), but if you put the average Windows computer out on the wild Net, you may as well grease up, bend over and put up a neon sign flashing COME AND GET IT.

  (This is why all the silly crap your web browser does when it comes to a 'secure' page that hasn't bothered paying protection money to Verisign seems to make no goddamn sense - it's because it actually doesn't.)

There are many people reading who know this stuff better than I ever will. I ask you to take the time to shred the above.

Comments

[arkady.livejournal.com]

Might be worth posting this to alt.security?

[reddragdiva]

I'm mostly ranting, and I'd like to hear what people who know me think :-)

The links seem to indicate concern over these matters has been discussed at length. How would someone who knows it thoroughly explain it simply to someone who knows nothing at all about it?

[arkady.livejournal.com]

I suspect ciphergoth is possibly the person you need to talk to about this.

[reddragdiva]

He would be one of the people I meant in the last paragraph, yes :-)

[ciphergoth.livejournal.com]

Heh :-) hello!

I can't find a thing to disagree with in what you write. SSL is for the most part a complete waste of time - the attacks it protects against are not mostly those it is practical to mount. The "Verisign Tax" you pay to avoid users of your website getting nasty warning messages contributes almost nothing to security. The information you sign when you sign a key is not that you need to know in order to choose which key to use for encryption and authentication. And given the choice between dancing pigs and security, users will choose the dancing pigs every time.

For the record, I have probably sent or receieved at most a dozen encrypted emails in my life.

Apart from the parlous state of Windows security and its disastrous consequences for security everywhere, a lot of what you write about actually comes down to the way that PKI has been thoroughly misconsidered over the years. Here's some of what I've written about it, with links to people I agree with:

http://www.livejournal.com/users/ciphergoth/110893.html

[ciphergoth.livejournal.com]

Check this out:

http://www.mail-archive.com/cryptography%40metzdowd.com/msg01276.html

Subsequent discussion is good; I also agree with Rescorla's point that if we know how to protect against attacks A but not B, and B is a greater danger, we might as well protect against A anyway.

[reddragdiva]

That would be the 'completely arse backwards' link in my original post ;-)

I'd love to know who Patient Zero of the PKI "trust shall be transitive" meme was.

[reddragdiva]

Also - one has to weigh up whether attempting to protect against A is useful, useless or actually worse than useless (as the https:// certificate dance presently is).

[reddragdiva]

I actually have stuff that could benefit from cryptographically-afforded security, which is fine between any two people. But I'm really not convinced of the entire PKI model.

[vatine]

I see occasional uses for PKI, but the one lpace where I've been involved (shiver) writing code for (shiver) encrypted EDI with (shivershiver) home-designed EDIFACT whole-transmission (shiver) signing and encryption regularly needed to verify AT LEAST that the sending machine was (with high probability) the right machine and that it was non-trivial to snoop any data en-route. You do *not* want Joe Bloggs reading your reports from the blood lab. A limited PKI was (I think rightly) the Way To Go. Now I need a lie-down and a bullet through my brain, them projects are bringing some damned horrible memoryes back to the surface.

[lproven.livejournal.com]

[Suddenly feels very, very old]

[reddragdiva]

You're younger than me, and I'm nineteen.

[lproven.livejournal.com]

Inside, I'm about 14. Sadly, this is not always what counts.

[ewx.livejournal.com]

I still hear fairly regular reports of packet sniffers being installed on compromised systems, though I've always assumed that they're after passwords, not email. Perhaps they look for credit card numbers too now.

Governments do eavesdrop on email - obviously how much they are likely to look at yours, and how much this matters to you, depends which government you're talking about, what you're up to and how much you value your privacy. (But we already know that (i) people planning kilodeath terrorist attacks don't bother encrypting their email and (ii) governments know how to compromise the end systemsm.)

I bet writing styles can be relatively easily faked.

[reddragdiva]

The writing styles bit is more complicated than I make out in the original post. I noticed this on alt.gothic a few years ago. Writing styles break down into three categories:

1. Bad writers, whose particular problems can be imitated mechanically (particular misspellings, grammatical errors, etc).

2. Middling writers. These all write like each other and are hard to distinguish.

3. Good writers with their own style. These are the people you identify immediately without having to read the From: line.

1. are easy to fake on the surface, though being aware of an underlying style would be a bit more effort. 2. aren't very distinguishable from the writing itself. 3. are quite difficult to imitate convincingly (rather than, say, parody).

[ewx.livejournal.com]

Number 1 reminds me of the time I satirized a particularly random writer on a local newsgroup using lex.

[reddragdiva]

Pisstaking of 1. or 3. on writing style alone is very easy. Plausibly faking either is harder, particularly 3 - the voice has to ring true.

The other factor I find is that it's quite difficult for me to write in a manner that doesn't immediately sound like me - I think exactly how I write.

[dennyd.livejournal.com]

You don't actually trust people in a PKI to do anything except identify each other... that's within most people's grasp, I suspect. Is the depth to which you trust configurable? I can't remember.

Personally I stopped signing all my emails with evolution/GPG because it used the neat and tidy MIME method, which apparently pissed off a small minority of the people I correspond with. Most particularly, Outlook can't cope with it, and neither can Mutt I think - they render the body text into a text attachment of a blank email, or something equally helpful.

[reddragdiva]

Mutt configured to use GPG does the Right Thing, I thought (based on the little I've used said configuration). Is that not the case?

"Is the depth to which you trust configurable?"

I maintain that any level beyond those I've verified to my own satisfaction is a ridiculous idea. Some of the amount of verification I've seen crypto zealots claim was needed, I wouldn't know about people I've gone out with for significant lengths of time ...

[kraant.livejournal.com]

I don't have time to shred it so it's just a quick comment.

But I use https all the time.

I use it when I trust the other end at least somewhat and I don't want anyone sniffing the password.

It doesn't make sense to secure a system if you're going to have people sniffing passwords and then using that to root the server or fuck with the service.

[kraant.livejournal.com]

I just re-read it and I realised that what you're complaining about is verisign.

Heh,

As far as verisign goes it's pretty useless. The only real use I can see for it is something similar to a badge.

I would argue that trust is transitive to some small extent. Not in the sense of being able to trust a signed site as much as you trust verisign or whoever signed the key.

But with something like verisign where they're being paid money to supposedly prove that a site really is what it says it is, you can put a certain small level of trust in that if they fuck up too much no-one will trust them.

Think of it as branding more than trust. Like where a brand of food causes a wave of food poisoning you can know to avoid that brand and give other brands a go instead.

An unsigned certificate is equivalent to a brand you don't know anything about.

[reddragdiva]

"I just re-read it and I realised that what you're complaining about is verisign."

Actually, it's an incoherent ramble in point form ;-)

[reddragdiva]

It is true that I prefer https:// connections myself for many things. Certainly for my web mail, for example. I happen to have root access to the proxy server and its logs at work, but most people aren't in that position.

[mendel.livejournal.com]

Re "trust is not transitive":

It can be, and that's how that works in PGP. If I see one person I absolutely trust (both not to lie, and not to screw up a keysigning) has signed someone's key, then I'm fine; and if I see that five hundred people, about a hundred of which I think have clue not to screw up, have signed someone's key, then I'll probably trust it. That's why PGP has a bunch of different trust levels in the first place; section 3 of this paper (http://www.cs.ucl.ac.uk/staff/F.AbdulRahman/docs/pgptrust.html) talks about trust levels. The whole paper is a useful read, really.

In short, the answer to your question is "You shouldn't put the same level of trust in that as your personal verification; put slightly less, but slightly more than if it had nothing at all. Here, have a tool to do exactly that."

[reddragdiva]

I don't trust anyone that much.

[reddragdiva]

By which I mean, "I don't trust anyone at all to assign the level of how much I trust someone else."

[hellsop.livejournal.com]

Okay! I think that's the root of the issue. The whole babbling about trust levels is pretty irrelevant because you're not wanting to use it that way. I'm by no means criticizing your choice; I don't depend on it either. For most people, there's very little reason to do more than that. Get keys from the people that they want to correspond with, check key fingerprints out of band, and they're good to go.

[reddragdiva]

Certainly. But look at fucked-up shit like this:

http://www.cryptnet.net/fdp/crypto/gpg-party.html

Fuck, I haven't required that level of ID verification from people I've shacked up with. These geeks really think this will build a 'web of trust' involving someone other than fanatic drones for the Cause those with an obsession with "Key signing parties also serve as great opportunities to discuss the political and social issues surrounding strong cryptography, individual liberties, individual sovereignty, and even implementing encryption technologies or perhaps future work on free encryption software." It really is Geek Social Fallacy #4 as a Taylorised procedure.

I think the essential problem I have is that it tries to make social trust into the binary absolute of cryptographic trust, and so looks like it was created by people with no damn clue what social interaction is. Social interaction is all about the grey areas.

[steer.livejournal.com]

The Internet threat model - completely secure computers at either end, possibly-compromised wires in the middle - is completely arse-backwards.

Disagree -- I want the possibility of allowing access to any port of my home computer to any traffic I so choose. In other words, I want the possibility of a free flow of untampered information from any port of any computer in the world to any port of my machine. I dislike in the extreme ISP level firewalling which would block me from sending or receiving. The correct (indeed only sensible) place for computer security is on the machine you wish made secure.

I can see why companies implement their own firewalls -- for their protection. But it sucks. As a user I want to be able to make my own choice about what is and isn't open.

The secure the ends and let the middle be free approach is certainly the best.

[reddragdiva]

No, no - I mean as a description of how things are now. The wire is largely unwatched.

[steer.livejournal.com]

I'm afraid I'm not sure I understand you. What are you saying is arse-backwards? The article you reference seems to me to be about the fact that we can get secure end-to-end communication easily but the end points get hacked lots. Isn't this just what everyone knows? You rarely hear about hacking which occurs via intermediate routers because that's difficult (because those systems typically have a higher clue-to-administrator ratio than end-user systems).

If I get my credit card details nicked online, I fully expect it to be because an end system (mine or theirs) is compromised because, although there's a vast number of intervening systems they are largely competently adminstered and secured.

[reddragdiva]

I mean that the conventional threat model - secure endpoints, insecure wire - is rubbish, not at all that I think it would be desirable to enforce.

[steer.livejournal.com]

Ah... but even after reading the articles linked I don't think that _IS_ the conventional threat model nor has it ever been. The writers mount a convincing attack on a straw man. Both people are attacking an idea that nobody has ever proposed.

The reason that the internet protocols concentrate on making a secure end-to-end transaction is because that is what they were designed to do (they are internet protocols, their job wasn't ensuring that the end system was secure but was ensuring that the communication was secure).

[reddragdiva]

No, TCP (and not IP - compare UDP/IP) is meant for reliability, not security. Completely different thing.

[steer.livejournal.com]

Indeed... I was using internet protocols in the loose of protocols used for internet communications rather than referring to TCP/IP specifically. (Though even then, TCP/IP has loose security checks built in -- e.g. those "don't route via here" flags which are never used -- but you are essentially correct.)

[rbarclay.livejournal.com]

What flag are you talking about? I only know of source-route, and that does the exact reverse of what you talked about.

[steer.livejournal.com]

I should have probably said IP option not flag. Check out RFC791 an RFC1108 (he says unhelpfully).

From: http://www.ietf.org/rfc/rfc1108.txt

This option is used by end systems and intermediate systems of an internet to:

a. Transmit from source to destination in a network standard representation the common security labels required by computer security models,

b. Validate the datagram as appropriate for transmission from the source and delivery to the destination,

c. Ensure that the route taken by the datagram is protected to the level required by all protection authorities indicated on the datagram. In order to provide this facility in a general Internet environment, interior and exterior gateway protocol must be augmented to include security label information in support of routing control.

---

I'm not at all sure how often used or how supported it is.

[rbarclay.livejournal.com]

I use GPG a lot, to the extent that in the meantime sign+encrypt is the default for outgoing messages. Not that 99.999 % of the stuff I send couldn't well do without encryption, that's just that those few mails where it does matter don't stand suspiciously out. But that doesn't mean I have absolute trust, neither in PKI itself nor in keys whose owners I have personally verified. I use it for the same reason that I use https where that's available: at the start of the second communication I can be reasonably sure that it's the same person/machine I talk to, nothing more, nothing less.
(BTW, kuvert and q-agent make doing nearly everything automagic nearly as easy as Just Writing An Email.)

[elisteran.livejournal.com]

Note, however, the difference between encrypting your email with gpg, and signing it. Encrypting is a pain because you do have to get your encryption key verifiably to other people before they can decipher your messages; but anything you want to be able to prove you sent, you can sign it, and then when convenient get the key out to other people. People who care can start verifying your signature as they get the key, and otherwise it doesn't really matter.

(OK, signing is still solving the inverse problem; you ideally want to be able to prove you didn't send a message, but establishing a pattern of signing is better than nothing).