Re: [liberationtech] Scramble.io, Round Two

2013-08-28 Thread Travis McCrea
I think my only complaint (that doesn't seem to be mentioned, though I could 
have missed it) is that the email address is generated with your key. This 
means that you have to create a whole new email account every 6 - 12 months for 
optimal security. I would suggest that you should allow people to alias their 
username to their email address, but also realize that doing so would kill one 
of your security advantages. 


Re: [liberationtech] Scramble.io, Round Two

2013-08-28 Thread Maxim Kammerer
On Wed, Aug 28, 2013 at 9:49 AM, Travis McCrea m...@travismccrea.com wrote:
 I think my only complaint (that doesn't seem to be mentioned, though I could
 have missed it) is that the email address is generated with your key. This
 means that you have to create a whole new email account every 6 - 12 months
 for optimal security. I would suggest that you should allow people to alias
 their username to their email address, but also realize that doing so would
 kill one of your security advantages.

A compromise is not necessary — in cables, the hash is based on root
certificate, whereas DH peer keys are signed with a lower-level
certificate's private key, which may have different lifetime.

-- 
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
-- 
Liberationtech is a public list whose archives are searchable on Google. 
Violations of list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.


[liberationtech] Scramble.io, Round Two

2013-08-27 Thread DC
Hi all,

Just arrived in Seoul! I'm travelling this week, sorry for the delayed
replies.

Thanks for all the feedback. I'll try to answer all in one email:


 From: h0ost h...@mailoo.org
 Hi DC,
 Thanks for sharing this project.
 I'd like to install it on a server and play with it, but can't find an
install doc.
 https://github.com/dcposch/scramble/blob/master/doc/how.md references a
Quick Start, but I can't seem to find it.
 I'm sure I'm overlooking something, but thought I'd check first.
 Thanks.
 Host

I hadn't published the Quick Start yet. My mistake.
I'll try to correct that today, and I'll send out the URL.


 From: The Doctor dr...@virtadpt.net
 To: liberationtech@lists.stanford.edu
 [...]
 scramble.io does not play nicely with the Tor Browser Bundle:
 [...]
 Problematic.

You're right. Unfortunately, this is tricky to fix!

It's critical to security that the PGP key pair be generated on the client,
and the server never sees the (plain) private key.
To generate a key pair on the client, you need a secure random number
generator.
This is a new JS API that doesn't exist in older browsers, including the
Tor Browser Bundle's version of Firefox :(

So Scramble over Tor won't be solved until one of two things happens:
* The Tor Browser Bundle upgrades to a more recent Firefox
* Someone makes an easy-to-use Chromium+Tor bundle


 From: Griffin Boyce griffinbo...@gmail.com
[...]
 It should give an option to continue anyway, tbh.

See above---can't generate the key pair.
Maybe I'll simply remove the Generate Account button on older browsers.
When the secure RNG API is missing, you *could* log into an existing
account, but can't create a new one.

That feels a bit dirty, though.


 From: Nicolai nicolai-liberationt...@chocolatine.org
 Cool idea.  This is also similar to CurveCP and DNSCurve.  [...]
 But I think you meant to say the Base32 encoding of one's public key,
 not the hash, right?
 Nicolai

Same format as Onion URLs: Base32 encoding of the first 80 bits of
SHA1(PubKey)


 From: Tom Ritter t...@ritter.vg
[...]
 I feel compelled to point out the precedence here.  This is a problem
known as Zooko's Triangle
 https://en.wikipedia.org/wiki/Zooko's_triangle

Yes! Out of security, decentralization, and short names, you can only pick
two.

So HTTPS gives you security and short names (e.g. paypal.com), at the cost
of placing trust in a centralized system (the CAs).
Scramble, SSH fingerprints, Onion URLs, and others make the opposite
tradeoff: security+decentralization, but now your identifiers are hashes.

I think the consistent lesson of Prism, Lavabit, Freedom Hosting, etc is
that anything centralized is inherently vulnerable. Hence the choice.


 From: Ali-Reza Anghaie a...@packetknife.com
 To: liberationtech liberationtech@lists.stanford.edu
[...]
 I'm conceptually really curious about various aspects but before I
 forget - this time - I'd like to ask two broader questions first:
 - Is this in any way an officially backed project in any way? Part
of a thesis or what-not let's say?

Nope. So far, this is just my weekend project over the past four or five
weekends :)
Several friends have helped me refine the ideas. So far I've written all
the code.
Hopefully that will change soon!

https://github.com/dcposch/scramble


 From: Michael Rogers mich...@briarproject.org
 Hi DC,
 Thanks for the reply. Responses to your responses inline. ;-)
[...]
 80 bits may not be enough to defend against a well-funded adversary
 these days - that's one aspect of the Tor hidden services design that
 needs some love.
 https://blog.torproject.org/blog/hidden-services-need-some-love

Interesting! I'll read about it more carefully.
(Note that in the entire history of Bitcoin, the smallest hash a miner has
found starts with less than 80 zero bits.
So impersonating an Onion URL or Scramble address would take roughly more
than the *total* computation done by all Bitcoin miners to date.
I think this is quite good.)

 [...]
 What block cipher mode of operation do you use? If the mode of
 operation requires padding, what padding scheme do you use? Do you
 authenticate the ciphertext? If so, what MAC function do you use, and
 how do you derive the MAC key?

OpenPGP.js defaults. I'll give you a better answer soon.

(Re: authenticating the ciphertext: not yet, but I should.
 Messages and bodies are currently PGP RSA-encrypted messages, but not
signed.
 When I fix that, sending mail will both encrypt and sign by default.)

I just made a Github Issue for it so that we can have a permanent place for
important details like that, better than the mailing list.
https://github.com/dcposch/scramble/issues/13

Thanks again! I'm an engineer, not a cryptographer.
Pointing out what I overlooked is very helpful for me.


... and finally, one message from a related thread:

 From: StealthMonger stealthmon...@nym.mixmin.net
 To: liberationtech liberationtech@lists.stanford.edu
 Subject: Re: [liberationtech] Why_can't_email_be_secure
[...]
 All the problems