[Mailman-Developers] Encrypted lists predictable difficulties and implementation needs

Stephen J. Turnbull turnbull.stephen.fw at u.tsukuba.ac.jp
Wed Apr 19 01:47:02 EDT 2017


After I wrote most of this, I see Norbert covered some of the same
points, but from the point of view of his specific use case.  So I'm
just going to send despite a bit of redundancy.

Rich Kulawiec writes:

 > Granted, this will diminish as more communications become encrypted, but
 > for the foreseeable future, anyone using encryption or similar privacy
 > measures will be targeted:
 > 
 > 	https://www.wired.com/2014/07/nsa-targets-users-of-privacy-services/

The people I know (and I don't know any so it's no use trying to
figure out who they are :-/ ) who develop encrypted communication
systems seem to disagree with you about the use cases for this: they
do use encrypted mail.

I think about it this way: as you will undoubtedly point out, they
know they're targeted, and they have the skills and motivation (see
"know they're targeted") to do something about endpoint security.  So
given that their perceived threats aren't in the endpoints, they
apparently see encrypted channels as useful.

In many of the use cases that have been discussed in the past, we are
looking at lists where the users have *specific* threats they're
worried about, such as (ex-)spouses and other stalkers, employers, and
public insecure wireless (since it's a mailing list, you need to worry
about whether your correspondents -- whose identities you may not know
-- are all using VPNs etc).  While I agree with your assessment of "a
billion pwned devices on the Internet of Threats[tm]", I don't
necessarily think that any given user's threat is going to be a
relevant pwner.  (And in fact we already know that they compete with
each other, and I see no reason for that to change.  Sure, the FSB and
NSA will be the biggest players, but they also have some incentive not
to advertise openly even on the "dark web".)

Yes, users need to be aware of the issue that their personal endpoint
is not that hard to hack, and that if that happens it's not the ML's
fault that their enemy is reading their "secure" mailing list posts.
They also need to be aware that *anybody* subscribing is a passive
threat (by "passive" I mean that if that person's endpoint is hacked,
who knows who might have access to cleartext).  For that reason I am
of the opinion that encrypted mailing lists should be anonymous by
default.

 > So if it becomes desirable or profitable for the new owners of
 > those systems to pay specific attention to encrypted mailing list
 > traffic, they will...and probably much quicker than anyone
 > anticipates.

I'm not going to anticipate how long it will take, I'm going to assume
that encrypted traffic will attract attention, including attempts to
crack it just for the lulz, from the get-go.

But I suspect that the really skilled and dangerous folks won't bother
targeting encrypted traffic.  They'll just read everything anyway,
maybe sift through it with text mining tools.  I suppose such tools
might be instructed to check for encrypted traffic just to save cycles
by not grepping the encrypted parts, and that could lead to lists of
encrypting endpoints and specific targeting as you suggest.

 > Thus the target end user population for encrypted mailing lists
 > looks something like this:

You're clearly assuming we all count APT28 among our enemies.  I don't
think so!  Yes, I assume that if a "private sector Echelon" indeed
comes into being there will be a market for its services and any
previously collected information it preserves.  I'm not sure
garden-variety snakes in the grass will be able to afford it, though,
and of course it will be a "dark web" thing, so hazardous to the
health of would-be users.

In other words, I agree to an extent with Norbert that this *will*
increase the cost of targeting list traffic and provide a certain
amount of "political" deterrent (in the sense of being on the dark
web).

 > I'm not saying "don't do it".  As an intellectual exercise and a
 > development challenge, it's interesting.

In other words, it should be a GSoC project.  It is, or at least we're
hoping it will be. :-)

 > I'm saying "make sure -- if people are thinking about deploying
 > this -- that they understand that they have almost no chance of
 > making this work as intended in the real world."

Yeah, well, good luck on that.  62 million Trump voters will believe
whatever the Breitbart review says. :-(

Steve


