[Mailman-Developers] Encrypted lists predictable difficulties and implementation needs

Rich Kulawiec rsk at gsp.org
Wed Mar 15 21:47:46 EDT 2017 

All of these proposals overlook significant known, current threats --
none of which they're capable of addressing, but some of which badly
undercut the suggested approaches.

To list just one of those -- albeit a rather prominent one -- the
Internet's population of hijacked systems (aka bots or zombies)
continues to grow.  This has been a growing problem for the last
15 years, e.g.:

	Vint Cerf: one quarter of all computers part of a botnet
	http://arstechnica.com/news.ars/post/20070125-8707.html

I have studied this issue extensively since 2002 and while I initially
thought Cerf's estimate a bit high, further study and retropection suggests
that it was probably about right.  Extrapolating to the present day,
one-quarter is probably still about right -- but of course the system
population has grown massively in the interim.

The problem has recently been badly exacerbated by the rapid
deployment of IoT devices whose security ranges between "laughable"
and "non-existent".  These in turn are quickly being utilized to
compromise other systems.  The problem is also being badly
exacerbated by various governments and organized criminal operations
which are developing, acquiring, and deploying zero-days as fast
as they possibly can.  And it's being further exacerbated by the
increasingly sophisticated attacks conducted by less prominent
and well-resourced adversaries; to put it another way, the average
attacker now has access to means and methods far beyond what they
had a decade ago.  I rather suspect that "one quarter" will become
"one third" in the next few years.

What all of this means is that once a list passes N members, where
we can debate about N, the probability that at least one of those
members has already been compromised even before they've joined the
list starts rapidly increasing.  Of course other factors may mitigate
this: if all N members use exclusively open-source software, do not
use freemail providers, do not use smartphones or IoT devices, etc.,
then the probability that one of them is compromised diminishes.
(Worth noting that in a list constituted like this, encryption
offers little additional security value, since its members are already
doing the things most likely to avoid being compromised.)   If on
the other hand, some of the list members are using worst practices,
then the probability that at least one is compromised will increase.

As I said, we can debate N -- and we can debate the probability.
What is not open to debate is that this is real and significant.
Very long experience running mailing lists and observing partial
bot-generated activity from members strongly suggests, to give just
one data point, that once N reaches "a few hundred" the probability
approaches unity.  However, I must emphasize that the word "partial"
means that this is a significant UNDER-observation -- it's very clear
that there is bot-generated activity I'm missing.  Rather a lot of it,
actually.  So "a few hundred" is probably a highly optimistic estimate
for N and its true value is probably much lower.

So even if the encryption works perfectly (which it won't) and it's
deployed perfectly (which it won't be) and it's usable by everyone
(which it won't be) and it plays nice with policies like attachment
removal, signature removal, boilerplate addition, etc. (which it
won't) and the encryption algorithm is perfect (which it won't be)
and the encryption implementation is perfect (which it won't be)
and all of this rather complex machinery works perfectly...it will
all be rendered moot the moment one list member's system is compromised.

In other words, what you propose to build here is an extremely
brittle system that's subject to total failure if even just a
single endpoint fails.  And there are *hundreds of millions* of
endpoints that have already failed.

Thus, even assuming that the systems of encrypted-list members aren't
specifically targeted, there is an uncomfortably high probability
that the messages traversing it will be pre-compromised from the start.

And of course if those systems *are* specifically targeted, which of
course is likely for people with use cases that suggest encrypted
mailing lists, then the threat models changes and no longer consists
of the normal level of attacks that all systems are subject to,
but includes an elevated level of attacks that will target them
in particular.

I think that this is an instance where a huge amount of well-intended
design and development effort will result in a "solution" that cannot
provide what it intends to because underlying circumstances prevent it.
And -- having studied those underlying circumstances for a long time --
I can sadly report that the problem is getting worse and will continue
to get worse, because (a) all of the various factors contributing to it
are also getting worse and (b) there are no reasons for anyone to
significantly invest in making it better.

---rsk

More information about the Mailman-Developers mailing list