
On Mon, 17 Apr 2017 19:22:52 -0400 Rich Kulawiec <rsk@gsp.org> wrote:
On Sun, Mar 19, 2017 at 06:14:22PM +0100, Norbert Bollow wrote:
That is true, if the attacker already knows whose communications they want to snoop on. However one of the main benefits of using encrypted communications is in the area of making it much more expensive and politically risky for the attacker to determine which targets have value.
The attacker (for many values of "attacker") is and will be particularly interested in communications that are encrypted -- because they'll stand out. Granted, this will diminish as more communications become encrypted, but for the foreseeable future, anyone using encryption or similar privacy measures will be targeted:
https://www.wired.com/2014/07/nsa-targets-users-of-privacy-services/
The NSA scans just about all unencrypted email communications anyway.
So not encrypting communications certainly is not a viable strategy for ordinary (i.e. non-criminal) people who would like to not have their emails scanned by the NSA. If the NSA were to make the greatest possible efforts in attempts to also scan as many encrypted communications as they can, that could, if they were to achieve 100% success in that regard, in the worst case only bring the level of their privacy violations of encrypted communications up to the level at which they violate privacy for unencrypted communications.
Another important point is that not all attackers have capabilities of attacking encrypted communications. An important class of attackers is technically relatively unsophisticated criminals going after relatively soft targets of opportunity.
Nota bene, I'm only talking about the communications of non-criminals here. I'm not interested in discussing whether it might be a viable strategy for terrorists or other criminals to intentionally not technically encrypt their communications, in order to attempt to make those communications not stand out among the mass of unencrypted communications among innocents.
I agree with you that encryption makes it more expensive, and that's an argument for deploying it, but I don't agree that it's politically risky: there are no appreciable consequences for anyone engaging in this.
I can assure you that "Digital Society Switzerland", a Swiss NGO where I happen to be serving as president, would be most delighted to have concrete evidence of even a single concrete example of a foreign intelligence service having broken into an innocent person's computer or other communication device in Switzerland for purposes of spying on encrypted communications. There are multiple ways in which we would be most eager to exploit this politically, with reputational side effects on the guilty state actor that they would certainly prefer to avoid.
Now if the foreign intelligence services deploy their intrusion capability only against terrorists and their close associates, we (Digital Society Switzerland) are not likely to get any evidence of that, and even if we got evidence of such activities, that would not help us politically.
But if it should happen that they start mass surveillance of end-to-end encrypted email communications, that would include our internal communications, so the foreign intelligence service would need to compromise a significant number of the devices that we use for communicating, and chances are that one of us would notice that something is wrong, and get the issue addressed in a professional manner that involves forensic analysis.
Even in the case of a foreign state actor that does not care about any diplomatic repercussions, or a foreign state actor that likes to be intentionally provocative, there would be a heavy cost to them if they were to make widespread attacks and these attacks were made widely known, because in such a case the security vulnerabilities that they exploit would become well-publicized, and many of the more interesting surveillance targets would secure their devices against those attacks.
Even at the commercial level (e.g., Verizon's insertion of unblockable cookies in order to conduct surveillance) there are no appreciable consequences for any violation of user privacy or security -- merely inconsequential slap-on-the-wrist fines and then it's right back to business as usual.
Unblockable cookies are quite different technically as well as emotionally/politically from the kinds of attacks that we're discussing here.
In the absence of encryption, that can be achieved by means of mass surveillance anywhere between the communications endpoints followed by (possibly AI-based) pattern analysis, at near-zero incremental cost and near-zero incremental risk per additional group that is subjected to such surveillance for reasons of its communications being possibly of interest to the attacker.
I almost entirely agree with you on this, but want to point out that if an attacker has compromised an endpoint, they can stop there: there's no need to worry about the rest. And endpoints are already compromised by the hundreds of millions, with more every day. (And as more endpoints become part of the IOT, the rate of compromise will increase drastically.) I think it's quite reasonable to extrapolate a billion compromised endpoints sometime in the next couple of years. (I also think that in a couple of years I'll shake my head at how much of an underestimate that turned out to be.)
All of that is true, although of course even when an endpoint is compromised by one attacker, it may still be inaccessible to other adversaries (e.g. because some of the other adversaries will be less sophisticated, or because the first attacker's rootkit closes the security hole through which they came in, or because the second attacker's rootkit fails to work because it assumes an unmodified system and that assumption is wrong because of the presence of the first attacker's rootkit).
So if it becomes desirable or profitable for the new owners of those systems to pay specific attention to encrypted mailing list traffic, they will...and probably much quicker than anyone anticipates. They won't get it right the first or second time, just like they didn't get botnet C&C organization right the first or second time -- but it won't take them long to learn.
Thus the target end user population for encrypted mailing lists looks something like this:
Nobody using freemail providers -- these fall into two categories: those that are owned and those that are going to be owned.
Nobody using webmail -- webmail implementations have a long and sad history of serious security issues. And "browser security" is often an oxymoron.
Nobody using Windows, MacOS, Android, or iOS. There are already too many exploits on the table to keep track of, and there can be no doubt that these are only a fraction of the total: many more are held by security researchers, vulnerability brokers, intelligence agencies, etc. And Linux probably should be added to that list in the near future, as its increasing deployment has clearly made it an attractive target. (Nod to the past week's releases by the Shadow Brokers, which are surely the tip of the tip of the iceberg.)
Nobody with poor email habits, e.g., top-posters, full-quoters, people who use HTML markup. (Since these undercut encryption, sometimes rather badly.)
Nobody using the IOT to send or receive email, e.g., their car, which was very likely pre-compromised at the factory.
That doesn't leave a lot of people.
This analysis doesn't correspond at all to the real-life use case that I'm familiar with, of an encrypted mailing list that we're using quite successfully.
We're not using it with the intention of creating an illusion of the traffic of that mailing list thereby achieving a high degree of protection of confidentiality. We're quite aware that that is not the case. In fact, everyone is aware of how easy it is to get onto that mailing list, a process that does not involve any serious vetting besides (due to the encrypted nature of the list) the fact that prospective subscribers are required to provide an OpenPGP public key. It's almost an open list, with a correspondingly low expectation of confidentiality.
More confidential exchanges are always by off-list encrypted email.
The encrypted mailing list nevertheless plays a very significant role in allowing those off-list encrypted email conversations to happen, by ensuring that all participants in the overall group continually have the capability of sending and reading encrypted email, and by providing a well-defined way for obtaining the public keys of any participants of the overall group (we can obtain them from the mailing list server).
I'm not saying "don't do it". As an intellectual exercise and a development challenge, it's interesting. I'm saying "make sure -- if people are thinking about deploying this -- that they understand that they have almost no chance of making this work as intended in the real world."
As far as I am able to tell, the encrypted list that I mentioned is working as intended for us.
I do however agree with rsk's analysis in so far as I agree that his arguments show that if one's intention with an encrypted mailing list were to thereby make the communications of just about any large group of people in some sense very secure, that would be an unrealistic intention, for which there'd be almost no chance of making it work in the real world.
Greetings, Norbert