- From: Nico Williams <nico@cryptonector.com>
- Date: Mon, 15 Jul 2013 12:56:17 -0500
- To: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Sat, Jul 13, 2013 at 5:08 AM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
> We can do three things in light of this:
>
> 1) We can try to add more encryption to fight back.
>
> 2) We can recognize that there needs to be hooks for duly authorized access.

We can't assume that this is either desired by any authorities (they'll demand we do this if they want it, and they'll delay asking for as long as possible as it'd be a big deal to ask for it) nor necessarily useful for #3.

The fact is that for now we're at the mercy of a) those authorities who have deployed PRISMs, b) anybody who compromises them. (b) is the reason that PRISMs should not be built [0], but the same logic that led all major WWII powers to have nuclear weapons programs during the war must lead all sufficiently rich governments to seek to build PRISMs. As with nuclear weapons, we may well end up with stalemate (see commentary on #3 below).

The only escape would be strong end-points, which then would facilitate end-to-end security. But that's a pipe dream, for several reasons: i) some end-points with useful plaintext data will be physically vulnerable to PRISMs, so the end-points in question have to all be personal, rather than servers in data centers, ii) to get to where we have strong personal end-points would require powerful market forces (and time), but we see the market bent and made to serve its masters (albeit never perfectly, as politics cannot change natural law) the world over, which leads to the only, inescapable conclusion: this is a political problem.

"#2 to get #3" is a political proposal. It is to build something expressly susceptible to attack by organizations who are themselves targets and victims, so that they (and their victimizers) can victimize those within their reach. Take it to your congresscritters/whatever. Lobby. Form a party. Fund speech. Do what you have to. But this is really the wrong forum.

> 3) We can change or at least influence the political objectives

Influence, *maybe*. There are lots of nations' politics to influence. It seems very unlikely to me that "#2 to get #3" will go far at all.

> I think PRISM is ample evidence that #1 will have the 100% certain
> result is that all encryption will be circumvented, with bogus CA
> certs all the way up to PRISM and designed-in backdoors, and the
> net result is less or even no privacy for anybody everywhere.

It's way too soon to tell. Consider the situation in China re: HTTPS and MITM certs. China has a CA they *could* use to MITM but don't, at least not the big sites. This was a big deal recently when they tried to blackhole github, and they had to back down. There are reports that American companies are scared of losing business as a result of PRISM. Combine the fear of market share loss due to PRISM bad PR with the situation in China and we get stalemate: in the end then every nation would have to decide what traffic outside its borders (such as they might be online) to MITM (that can be MITMed), what to blackhole, ..., or whether to be an open society, but either end result is stalemate. Of course, if large enough groups of allied countries agree to provide each other with access to end-points in their jurisdictions, then we're roughly back to today's situation.

To defeat PRISMs technologically requires: strong personal (mobile) end-points as the only end-points (i.e., to store or move data in the cloud it must be encrypted with keys not available to the cloud), strong crypto, and protocols that cannot be MITMed, not even with the user's acquiescence. The last roughly implies something like ZKPPs, which don't scale except when used as pre-authentication to protocols like Kerberos or BrowserID, which bring with them long trust paths (as that's their point: to act as introducers), making the whole thing vulnerable once more.

In the absolute best case scenarios people end up being vulnerable only to traffic analysis, social engineering, and to rubber hose cryptanalysis, but you still have to trust so much stuff (hardware, firmware, software) that it's almost certainly infeasible for the foreseeable future...

...and that's probably why we're not being asked for #2, along with the fact that #2 would be a *big* deal to ask for. We'll be asked for #2 if anti-PRISM tech begins to thrive, or realistically threatens to, and probably no sooner.

[0] https://www.cs.columbia.edu/~smb/papers/CALEAVOIPreport.pdf
Received on Monday, 15 July 2013 17:56:42 UTC