[Mailman-Developers] Encrypted lists predictable difficulties and implementation needs

Norbert Bollow nb at bollow.ch
Tue Apr 18 05:50:40 EDT 2017


On Mon, 17 Apr 2017 19:22:52 -0400
Rich Kulawiec <rsk at gsp.org> wrote:

> On Sun, Mar 19, 2017 at 06:14:22PM +0100, Norbert Bollow wrote:
> > That is true, if the attacker already knows whose communications
> > they want to snoop on. However one of the main benefits of using
> > encrypted communications is in the area of making it much more
> > expensive and politically risky for the attacker to determine which
> > targets have value.
> 
> The attacker (for many values of "attacker") is and will be
> particularly interested in communications that are encrypted --
> because they'll stand out. Granted, this will diminish as more
> communications become encrypted, but for the foreseeable future,
> anyone using encryption or similar privacy measures will be targeted:
> 
> 	https://www.wired.com/2014/07/nsa-targets-users-of-privacy-services/

The NSA scans just about all unencrypted email communications anyway.

So not encrypting communications certainly is not a viable strategy for
ordinary (i.e. non-criminal) people who would like to not have their
emails scanned by the NSA. If the NSA were to make the greatest
possible efforts in attempts to also scan as many encrypted
communications as they can, that could, if they were to achieve 100%
success in that regard, in the worst case only bring the level of their
privacy violations of encrypted communications up to the level at which
they violate privacy for unencrypted communications.

Another important point is that not all attackers have capabilities of
attacking encrypted communications. An important class of attackers is
technically relatively unsophisticated criminals going after relatively
soft targets of opportunity.

Nota bene, I'm only talking about the communications of non-criminals
here. I'm not interested in discussing whether it might be a viable
strategy for terrorists or other criminals to intentionally not
technically encrypt their communications, in order to attempt to make
those communications not stand out among the mass of unencrypted
communications among innocents.

> I agree with you that encryption makes it more expensive, and that's
> an argument for deploying it, but I don't agree that it's politically
> risky: there are no appreciable consequences for anyone engaging in
> this.

I can assure you that "Digital Society Switzerland", a Swiss NGO where
I happen to be serving as president, would be most delighted to have
concrete evidence of even a single concrete example of a foreign
intelligence service having broken into an innocent person's computer or
other communication device in Switzerland for purposes of spying on
encrypted communications. There are multiple ways in which we would be
most eager to exploit this politically, with reputational side effects
on the guilty state actor that they would certainly prefer to avoid.

Now if the foreign intelligence services deploy their intrusion
capability only against terrorists and their close associates, we
(Digital Society Switzerland) are not likely to get any evidence of
that, and even if we got evidence of such activities, that would not
help us politically.

But if it should happen that they start mass surveillance of end-to-end
encrypted email communications, that would include our internal
communications, so the foreign intelligence service would need to
compromise a significant number of the devices that we use for
communicating, and chances are that one of us would notice that
something is wrong, and get the issue addressed in a professional way
that involves forensic analysis.

Even in the case of a foreign state actor that does not care about any
diplomatic repercussions, or a foreign state actor that likes to be 
intentionally provocative, there would be a heavy cost to them if they
were to make widespread attacks and these attacks were made widely
known, because in such a case the security vulnerabilities that they
exploit would become well-publicized, and many of the more interesting
surveillance targets would secure their devices against those attacks.

> Even at the commercial level (e.g., Verizon's insertion of
> unblockable cookies in order to conduct surveillance) there are no
> appreciable consequences for any violation of user privacy or
> security -- merely inconsequential slap-on-the-wrist fines and then
> it's right back to business as usual.

Unblockable cookies are quite different technically as well as
emotionally/politically from the kinds of attacks that we're discussing
here.

> > In the absence of encryption, that can be achieved by means of mass
> > surveillance anywhere between the communications endpoints followed
> > by (possibly AI-based) pattern analysis, at near-zero incremental
> > cost and near-zero incremental risk per additional group that is
> > subjected to such surveillance for reasons of its communications
> > being possibly of interest to the attacker.
> 
> I almost entirely agree with you on this, but want to point out that
> if an attacker has compromised an endpoint, they can stop there:
> there's no need to worry about the rest.  And endpoints are already
> compromised by the hundreds of millions, with more every day.  (And
> as more endpoints become part of the IOT, the rate of compromise will
> increase drastically.) I think it's quite reasonable to extrapolate a
> billion compromised endpoints sometime in the next couple of years.
> (I also think that in a couple of years I'll shake my head at how
> much of an underestimate that turned out to be.)

All of that is true, although of course even when an endpoint is
compromised by one attacker, it may still be inaccessible to other
adversaries (e.g. because some of the other adversaries will be less
sophisticated, or because the first attacker's rootkit closes the
security hole through which they came in, or because the second
attacker's rootkit fails to work because it assumes an unmodified
system and that assumption is wrong because of the presence of the
first attacker's rootkit).

> So if it becomes desirable or profitable for the new owners of those
> systems to pay specific attention to encrypted mailing list traffic,
> they will...and probably much quicker than anyone anticipates.  They
> won't get it right the first or second time, just like they didn't
> get botnet C&C organization right the first or second time -- but it
> won't take them long to learn.
> 
> 
> Thus the target end user population for encrypted mailing lists
> looks something like this:
> 
> 	Nobody using freemail providers -- these fall into two
> 	categories: those that are owned and those that are going to
> 	be owned.
>
> 	Nobody using webmail -- webmail implementations have a long
> 	and sad history of serious security issues.  And "browser
> 	security" is often an oxymoron.
>
> 	Nobody using Windows, MacOS, Android, or iOS.  There are
> 	already too many exploits on the table to keep track of, and
> 	there can be no doubt that these are only a fraction of the
> 	total: many more are held by security researchers,
> 	vulnerability brokers, intelligence agencies, etc.   And Linux
> 	probably should be added to that list in the near future, as
> 	its increasing deployment has clearly made it an attractive
> 	target.  (Nod to the past week's releases by the Shadow
> 	Brokers, which are surely the tip of the tip of the iceberg.)
>
> 	Nobody with poor email habits, e.g., top-posters,
> 	full-quoters, people who use HTML markup.  (Since these
> 	undercut encryption, sometimes rather badly.)
>
> 	Nobody using the IOT to send or receive email, e.g., their
> 	car, which was very likely pre-compromised at the factory.
> 
> That doesn't leave a lot of people.

This analysis doesn't correspond at all to the real-life use case that
I'm familiar with, of an encrypted mailing list that we're using quite
successfully.

We're not using it with the intention of creating an illusion of the
traffic of that mailing list thereby achieving a high degree of
protection of confidentiality. We're quite aware that that is not the
case. In fact, everyone is aware of how easy it is to get onto that
mailing list, a process that does not involve any serious vetting
besides (due to the encrypted nature of the list) the fact that
prospective subscribers are required to provide an OpenPGP public key.
It's almost an open list, with a correspondingly low expectation of
confidentiality.

More confidential exchanges are always by off-list encrypted email.

The encrypted mailing list nevertheless plays a very significant role
in allowing those off-list encrypted email conversations to happen, by
ensuring that all participants in the overall group continually have the
capability of sending and reading encrypted email, and by providing a
well-defined way for obtaining the public keys of any participants of
the overall group (we can obtain them from the mailing list server).

> I'm not saying "don't do it".  As an intellectual exercise and a
> development challenge, it's interesting.  I'm saying "make sure --
> if people are thinking about deploying this -- that they understand
> that they have almost no chance of making this work as intended
> in the real world."

As far as I am able to tell, the encrypted list that I mentioned is
working as intended for us.

I do however agree with rsk's analysis in so far as I agree that his
arguments show that if one's intention with an encrypted mailing list
were to thereby make the communications of just about any large group
of people in some sense very secure, that would be an unrealistic
intention, for which there'd be almost no chance of making it work in
the real world.

Greetings,
Norbert

