On 16 February 2013 04:25, Nick M. Daly <[email protected]> wrote:
> Hi folks, here's an active question that I'd appreciate your input on.
>
> What is an appropriate threat model for the FreedomBox's client-server communications?
>
> Please discuss on list or feel free to add to the FBX wiki:
>
> http://wiki.debian.org/FreedomBox/ClientServerCommunication
>
> This question has a number of obvious answers, but keep in mind the project's end goals: to bring communication freedom to as many folks in as many situations as possible. To that end, what are appropriate compromises between server and client security, accessibility, and availability?
>
> It seems to me that client devices fall into one of two basic categories:
>
> 1. Those on which the user has root privileges and fully trusts (like their own laptop, running a fully free operating system and BIOS, in which no mal/spy/inscrutable-ware exists).
>
> 2. Those on which the user doesn't have root privileges and therefore can't fully trust (an iPhone, a laptop with non-free software and/or binary kernel blobs, a desktop with a non-free BIOS).
>
> I've illustrated the fact that there's a range of trustworthiness, though I don't know how to meaningfully measure this quantitatively (I'd like to survey and classify devices, but I don't know how to massively and remotely detect untrustworthy or malicious software; suggestions are welcome).
>
> At this point, I'm worried about secret key (identity) material. This, being the most important and secret of data, can teach lessons that can be applied to nearly all other data.
>
> I'll start by throwing out a few more directed questions to start off the discussion:
>
> 1. Who can be trusted with which secret key material?
>
> 1.A. Can servers be trusted with the client's key?
>
> 1.B. Which clients can be trusted with parts of the server's key?
>
> 2. In what ways is it acceptable for devices to give up which secrets?
>
> For example, is it acceptable if the client's secret key is exposed when the box is rooted by attackers? (Probably not, but that does let the host act as a trust proxy without relying on subkeys, or other weird yet conceptually interesting trust models.)
>
> 3. What is the client application delivery model? Is it:
>
> 3.A. Browser-based interaction between client and server?
>
> 3.B. Browser-plugin-based interaction?
>
> 3.C. Appstore-based interaction?

Hi Nick, great topic. Which client/server interactions would you envisage as being high on the priority list? E.g. SSH to the box, login to the dashboard via a browser, using GPG-based tools for email, etc. ... A specific context may make it slightly easier to visualize the possible attack surface ...

> Thanks for your time,
> Nick
>
> _______________________________________________
> Freedombox-discuss mailing list
> [email protected]
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
-- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
