On Wed, Jan 15, 2014 at 01:34:01AM -0800, coderman wrote: > On Tue, Jan 14, 2014 at 6:44 PM, Uncle Zzzen <unclezz...@gmail.com> wrote: > > > >> 3. "Passive" global adversary attack: > >> > > As long as the JS is what the owner claims it is (assuming it's code that > > has been peer reviewed enough according to your standards), it doesn't > > matter whether they confiscate the hard drive or just listen.
as coderman said, uncle zzzen, you are wrong. but for other reasons than the three he mentions. it doesn't matter if the JS safely makes it to both users' browsers if the adversary can access both the encrypted message and the private key to decrypt it. also you're living in the past if you think a server hard drive needs to be confiscated to be examined. in the case of a VPS it's enough to have a root shell on the physical host. in the case of either a VPS or a dedicated server it's enough to p0wn the SMM. see the recent spiegel publications that came out at 30c3. backdoors against DELL server products are specifically described in detail, but it is appropriate to presume that there are more of the kind. these days, server owners have no chance to know whether their servers are under surveillance or not. the amount of effort however can vary. if servers require targeted attacks then we must avoid creating honeypots like 0bin that are worthwhile to target... if. if large scale server surveillance is already in place, then it doesn't really matter where we try to entrust servers. it will always fail. unfortunately it's not easy to tell how bad the situation is. when was the last time you dumped and examined the contents of your server's SMM? > i hate the term "passive global adversary". the adversary active > across the global theater is able and active. i find it relevant that the adversary doesn't need to become detectable to apply this attack. not even the admin of such a pastebin service can tell when the day strikes that it is being surveilled. > also, you're wrong three ways: > > 1) if entropy is compromised (see history of RNG tampering) this > assumption is actionable-ly false. don't get me started on the > OpenSSL/* RDRAND fiasco... i think discussing the capability of the end-user devices to provide reasonable cryptographic service is outside the scope of my attack description. i presume this is fixable if anyone has an interest in fixing it. > 2) "JS is what the owner claims it is" is suspect in BULLRUN situation > where private keys pilfered. (not to mention all the other subversive > techniques applied) yes, as i described in scenario (2) > 3) the attack surface of the browser. nuff said! (or said again, > "just listen" is only harmless if no prior active intervention has > occurred) it is reasonable to argue that the web browser is such a complex monster it is impossible to secure. i presumed that to be obvious but maybe it should be mentioned for completeness. -- http://youbroketheinternet.org ircs://psyced.org/youbroketheinternet -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.