you're a lot talkin about security and encryption. But before you start
a discussion about which tools should be used we should decide what's
the concept behind.
First the diaspora user have to trust the hoster of the seeds(this might
be the user himself or a webhoster of his choice). Cause the hoster have
physical access to the machine and can modify the opensource code
(example to fetch private keys or passwords).
Or we have to sign and encrypt every single message we send by the user
(this includes the complex key handling like PGP/GPG do). So that the
hoster sees only encrypted traffic.
So the questions are:
Do we want to have an encryption from seed to seed?
Or do we wanna have an end to end encryption between the users
(Browser2Browser)?
Wich kind of traffic should be encrypted?
Were are the private keys stored?
- Inside of the seed at the hoster?
- Or should every User handle ist own keys (and has
to type everytime (on read as well as write a message)
his passwords).
When we have a decision, then we can search for tools wich fit to the
requirements...
Do the initiators of this project have some docs? I exepct that they had
already some discussions about this in the past.
I have'nt found something similar. When it's already published, so
please give me a hint.
At least I would prefer a poll than a wild discussion about what is
wanted...
I just want to avoid to make some work twice(or more)...
kind regards
Micha
On 22.09.2010 05:50, PeterH wrote:
> On Sep 21, 1:46 pm, shadowfirebird<shadowfireb...@gmail.com> wrote:
> ...
>> 2) The encryption is happening on-the-fly. You've already said you
>> want to move to an encrypted data store. So it sounds like a rethink
....
>
>> 3) Not sure why we're using Webfinger? Are we saying that an email
>> address is a good way to identify a person? Because I'm not a
....
kind regards
Micha
> On Sep 21, 1:46 pm, shadowfirebird<shadowfireb...@gmail.com> wrote:
> ...
>> 2) The encryption is happening on-the-fly. You've already said you
>> want to move to an encrypted data store. So it sounds like a rethink
<snip>....
>> 3) Not sure why we're using Webfinger? Are we saying that an email
>> address is a good way to identify a person? Because I'm not a
<snip>....
If we want a web app, and I think it should be a web app, we have to
trust out provider, because this is where we get the application from
and an evil provider always would be able to spoof our password (if we
don't check the Java Script code everytime we open a page). Furthermore,
where to store the private key is a problem, otherwise the encryption
never will be strong. (Nobody will remember a 256 bit key or keep it
carefully on a flash drive.)
This why I'd rather prefer an email-like architecture like this:
User
|
Client (Webfronend, Thunbderbird, whatever, ...) which does encryption
and stores the private key
|
Server which provides storage space and does passing of encrypted and
signed message
That kind of solution needs some kind of add-in/plugin in the browsers
(require this a development for the most popular browser?).
That's not what diaspora actually is. Just for now it's a server based
solution.
I by myself don't like the idea to put that functionality into the
browser. Has pro's and con's...
???
Micha
>> User
>> |
>> Client (Webfronend, Thunbderbird, whatever, ...) which does encryption
>> and stores the private key
>> |
>> Server which provides storage space and does passing of encrypted and
>> signed message
>
> That kind of solution needs some kind of add-in/plugin in the browsers
> (require this a development for the most popular browser?).
> That's not what diaspora actually is. Just for now it's a server based
> solution.
>
> I by myself don't like the idea to put that functionality into the
> browser. Has pro's and con's...
I think you misunderstood me (or I misunderstood you). There's no need
for plugins (unless you want it). I also wouldn't like this idea.
User
|
Diaspora-Client
* as web-application (lightweight, in Rails, PHP, ...) to use with
normal browser
* iPhone-App, Android
* Firefox-Plugin (without web-app)
* (your idea)
|
Diaspora-Server (storage, message passing, search, p2p, key-server, ...)
He said email-like, not that we should actually use the email system.
I.e. you separate the message storage and passing part of the system
from the user interface. The kind of data that was passed, and the way
the network of servers was connected wouldn't have to be the same as
email because it would be designed to suit a different purpose (social
networking). If the messages were stored encrypted on the server, then
you would only need to trust the client, not the server.
Something I like about separating the different parts of the system in
this way is it allows the system to be used in a variety of different
ways that would suit different people. If security is very important to
you, you can run a local client and either run your own server or use a
larger server with better bandwidth. If you aren't so good with
computers, and are willing to trust a web client run by someone else,
then you can do that. Note that the web client could be run by different
people to the message passing server. E.g. if you are part of a small
organisation or other group of people you could set up a web client for
them to use, but still benefit from the better bandwidth of a larger
server in case one of their posts starts taking a lot of hits.
What do you mean by 'the usage is still vastly different to a web app'?
What I was trying to describe is a system where you have a server that
you communicate with with a given protocol, that handles all the message
storage and delivery, and a variety of possible user interfaces
(clients) to that server. One of these could exactly be a 'web app',
except that instead of having its own database it would pass messages
(which could contain any kind of data you like) to the server using the
protocol.
>
> I am all for a flexible system, but not at the expense of the general
> user. It is all well and good taking about the uber security you would
> like, but first we must define what we need for the general user. If
> we can accommodate both, great.
>
I think this is putting things the wrong way round. People have a right
to expect that their personal communications won't be spied on or
otherwise abused, and a system like diaspora should protect that right
as far as possible. If we need to compromise from that ideal because of
technical or other constraints, then so be it, but the point is to try
and make it as good as possible and work down from there if necessary.
> Also, if no significant amount of people use the uber security
> options, then what is the point of having them? Your data is only as
> secure as the systems of your friends you push it to. If you have data
> that you need extra security for, but have few or no friends with
> satisfactory security levels on their seeds, then there is little or
> no point in having that data in Diaspora, and thus little or no point
> in having the extra security and the hassle that looks like it will
> come with it on Diaspora.
The point for me would be that although the people using diaspora might
have a wide range of needs, expectations, and ways of using it, they
could still all be connected through the same system, the same as with
email today.
> "we could encrypt the message to multiple recipients using public key
> encryption"
>
> Hhhmmm... well you could encrypt your data for every Friend who has
> access to it (managed by Aspects). That could work, but it would
> require the client to re-encrypt all the data for a given Aspect every
> time you add a Friend to that Aspect, and then send it back to the
> seed for storage.
No, that's not true, we already discussed that. If you add a friend to an aspect you only have to encrypt the symmetric key with the public key of your friend.
The problem is more, when you remove a friend from an aspect, since the key symmetric is the same for everybody. In this case you would need to reencrypt everything.
Hi. I've been following this discussion for the last couple days, and I
have some ideas that could be useful. I haven't read everything that
everyone's written about it though (I have a full-time job after all) so
forgive me if this stuff has already been suggested.
First, I think it's imperative for diaspora to work from any computer
with a normal web browser without any special plugins, and without
needing to store a secret key on the client side. I don't think diaspora
will end up being popular (or even user-friendly) if you need to install
and manage extra stuff, and sync it up on all your computers/devices,
and deal with what happens if it accidentally gets deleted, etc. So yes,
I think seeds need to store secret keys. If you want better security for
specific discussions, you shouldn't be using a social network, but
instead normal gpg with email. All the crypto in diaspora (I think)
should be completely transparent to the user, so the most that they
notice it is possibly in a loading bar that says "encrypting to the
friends in your aspect, please wait".
Also, the secret keys that get stored on the server should be stored
encrypted, and only decrypted in memory with the user's password.
Now here's my idea. Each user has a keypair, but that's only used for
sending private messages to other users, not for status updates. Private
message would work like traditional gnupg email, except the secret keys
would be stored on the server.
Each aspect has it's own keypair as well. Each friend in each aspect
gets sent the _secret_ key of that aspect (encrypted to their personal
public key, as if it were a private message). So every diaspora user
would store a list of secret keys for every aspect they belong to.
When you post a status update, rather than encrypting that message to
all of the friends in your aspect, you just encrypt it to the aspect's
public key. All of your friends in the aspect can decrypt it with the
aspect's secret key.
Whenever anyone gets removed from an aspect, diaspora will generate a
new keypair for that aspect and tell all of the friends in the aspect
what the new secret key is, and it will also re-encrypt all the old
messages from that aspect with the new secret key, so that the friend
who was removed from the aspect can no longer read those updates.
It seems like this would have muuuuuch less overhead in terms of
encryption processing power and also disk space. If you have 1000
friends in an aspect, you would only need to encrypt the message to one
public key, not 1000. It would take a little more resources when
removing friends from aspects, but that's it.
When a user stores a bunch of aspect's secret keys, they are all
encrypted to that user's personal public key. So if another user on the
seed somehow gets access to the database, all they have is encrypted
secret keys, and they need the user's personal secret key and password
to decrypt them.
This idea of course breaks down if one of the friends in an aspect is on
a seed with malicious admins. It would be trivial enough to add an extra
field to the user model for the plaintext password, and store it on
successful logins, so that the admins would collect everyone's
passwords. If that happened, they could then decrypt everyone's secret
keys and use those secret keys to decrypt everyone's list of other
secret keys for aspects they belong to, and all the security breaks
down. Then those admins would be able to read all the messages sent to
all the aspects that their users belong to.
But I think I'm ok with that. If secret keys are stored on the server,
even if they're encrypted to users' passwords, they're still not safe
from malicious admins because they can easily steal your passwords. I
don't believe there's any way around that. It's just important to choose
a seed that you trust, and if you actually want to send sensitive stuff
to one of your aspects, you should trust the seeds your friends in that
aspect belong to as well.
Thoughts?
micah
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQIcBAEBAgAGBQJMm9NiAAoJEEFYPvBlU7xNokIP/jq9P1CFAySY59O+cY/MBXZB
BabuDKYbzsvJ4TQf55hhnqQtDk3n+vkKf4tn5aWAwZ64doRWqMoi1hcyE76NQXFz
mX2SdkoAR1RkyR3Mc3WEIFOewLCMMg6GMiB30If3sooq3oKfv3n5+2U9KXwlZNzJ
FvaqqGFKlA0eIF3EXVj9nzHGY9K67U51hGGIt1f4MnLCC8vx8vLksUSsAuMikV7y
p3acb4UU51blKRT7ODLajjtTZtwPgKhW4wrt1vPJPsD/LvQxHEugnhUhN32TDqy1
TnamvlKXKkMQd6AOfmtzyJU2GZu+b0SDGm1+uE3xkQq3tTHIwYeQYfiW5YgPHhbj
29noIw7kC6EhxE4MaavUWecQ1PnhiHjWFAsXXWp6fJNUUDo0owXE0aF6EgW7JN7V
wkLRxHYRPDMxW8MGANN6R8Kt5RoBgdoxoUD6H0TDjo7HRHFhI3PMM+NmpAeUzWCw
TYme5ZnKSr7Wh24Jkwje8qkzg6dwF4/YF/HUKYKOHwj6gw5MKRTsVoG/jpkfdxc1
FhAlo7HyKhrPz5Qkfpx19Aq2pM2/6hVXeyS4XltvhhXcE78/gHBGDA/jacKc0X+A
vCGO6y2tc0ueJvCuJSadb4EclxkbArI7c2l6jp7WSnLFiiLxKAQpriOvn4Ai3Bo1
9u4p+++/ZJI/MRaej3pW
=CU2u
-----END PGP SIGNATURE-----
Each aspect has it's own keypair as well. Each friend in each aspect
gets sent the _secret_ key of that aspect
If you have 1000 friends in an aspect, you would only need to encrypt the message to one public key, not 1000.
This idea of course breaks down if one of the friends in an aspect is on
a seed with malicious admins.
The data/a file is encrypted just once with a random symmetric key. The
key is encrypted with the public key of each member. This way no
encryption overhead nor another keypair is necessary.
Or have I missed something?
On 09/23/2010 05:29 PM, Wavesonics wrote:
> So really, you only need to do key exchange between seeds, not users,
> so you can securely pass messages back and forth. Once you get a
> message on board at a given seed, its in clear text, and it relies on
> good security procedures in the code to only show it to the right
> users. If someone is going to hack around w\ the source and be able to
> snoop stuff, they would also be able to grab the stored private keys
> and decrypt everything anyway. So all these separate key pairs become
> useless.
>
> Do you guys agree with me? Or am I missing something?
I agree that this would be way simpler if the encryption could just be
between seeds, rather than end-to-end. And rather than re-inventing the
wheel with each seed having it's own keypair that we program into in
diaspora, we could just require seeds to communicate over SSL. The whole
self-signed vs CA signed SSL cert issue will still be the same, even if
we invent our own key sharing infrastructure.
But there is still a good reason to encrypt each user's status messages
and private messages separately. A malicious admin can do a lot of
damage if anyone is using his seed, or is sending messages to his seed.
But hopefully people will be using trusted seeds. The bigger threat is
the malicious user.
Unless the malicious user gets arbitrary code execution, they're still
limited to the security of the web app. So they can't actually change
the codebase around, they can just exploit existing bugs in the
codebase. If I find a bug that lets me dump the status_message table,
for example, I wouldn't be able to read any of those status updates if
they're encrypted. If I can dump both the status_message and the user
tables that contain the secret keys, I _still_ wouldn't be able to
decrypt the status messages because hopefully all the secret keys would
be encrypted with the user's password. I'd have to crack the password
hashes first, then use those to decrypt the secret keys, then use those
to decrypt the status messages. In the end, this would make it a lot
harder on attackers that do find unpatched bugs.
But if no bugs exist in the codebase that lets you dump the
status_message table, then it's a moot point.
Since this is a new project and the crypto stuff is complicated and easy
to mess up, it might make sense to just force SSL between seeds and to
make end-to-end encryption optional if you want to run a custom client
or something.
micah
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQIcBAEBAgAGBQJMm/kZAAoJEEFYPvBlU7xNp+cP/0s83Ofz4TfUiocjRzWKxJkz
hTp8hDagb0NDpYgLZQT2Hp/8mrtrY/hbHyeFcQUxKtIL3/g6gPoG+QF+CBb2+UY4
Nh1XGWN4D85W8b5+KoWrgpMTZ2+5u7D2pwRu47QGIa5D9AMYtJkOMiVosX1Ee8+t
0iIWZNcRwFJ+TGQArz8Oi7hbIbts8TWSmhvRUsG//GkoOuc5yMlmNwUbRwWRMXu0
CSzRycXQfRsRhpTw+J6XkHnU38XHonIRNbS2KZXvfJzTsZjeKLKHCpku51ghDhsN
ycbJRHDMv/6HxhXmd7OqMix46wsBFgteEymgmF/jQppCPM0/m3b/oE2njQUO6wX8
VZA63UbGEfxY+6PPTLAKFP4qV21z2SqTaeosAaYHH2fbBXg6OqXIOnIxEO+xWc7y
wsxFJfqZQCUh58iVoc8bvDx+VRlMkePSqbvlqAsbSlpD9a1tSizOt/XI0EyRqj9B
lqqyc25SDiLTFWbk/6oVmyVhmikjc1Mw1DAMGqsGF/8re+LhbHP3FAZSkSXe3op+
zt4cPgkq3vbpX2ukTcjVzbL/zLPlFdeZom3d/FP/OMsz+KeCQXBe78dkKlYljzOJ
OlJ4X+t2t7BohJ+fyjCHiWicEYKw1zBTEQms0uIGB6UGlfnguHFEwTtj1URawG2q
d9sSQwnlroYYm7nWDlxi
=Pipa
-----END PGP SIGNATURE-----
Right. A network API should be developed that allows for a lot of
flexibility in how and where keys are stored.
On 26/09/10�ソス01:22�ソス+1200, Braedon Vickers wrote:
>First draft up, if you didn't see it
>http://github.com/diaspora/diaspora/wiki/Security-Architecture-Proposal
>
>Currently awaiting the storm :)
>It is clear from the discussions that some advanced users want end to
>end encryption, as they do not want to trust their seeds, nor the
>seeds of their friends. It is also clear, however, that baring some
>revolutionary design as yet unthought-of (within the Diaspora
>community at least) such a system would be prohibitively complex and
>cumbersome for the average user. In fact, the more secure a system,
>the less user friendly, and the more expensive (network and cpu load,
>data storage), it becomes.
I really believe we can and should define a network protocol that is
secure, and simple. How that protocol is implemented may be more or less
secure and more or less complex, leading to choices in which implementation
users choose. I think we must take the approach that users know what
they want, and we should find a way to give them as many choices as
possible, and arm them with the knowledge of how to use them. However, I
believe that with good design, a secure implementation can be created that
provides for a user friendly interface without sacrificing security.
With regards to the 'None' security level, there *must* be some form of
signing, or you're opening up the network to spam.
I think the rest is a fair portrayal of the state of the discussion.
Thanks for writing this up!
On 25/09/10�ソス15:26�ソス-0700, shadowfirebird wrote:
>
>On Sep 25, 12:16�ソスam, eveclatrel <kevin.p.h...@gmail.com> wrote:
>> Hmm, we both agree that end-to-end encryption is the best approach for
>> security, and we both agree that storing keys on the server can open
>> you up if a malicious pod gets introduced. I am also of the opinion
>> that running encryption from the browser client itself seems like it
>> would be difficult and possibly unwieldy. My stance thus far has been
>> that I don't think the average user is going to want to use an end-
>> client encryption system because of that, so I've tried to stick with
>> server-based solutions, however on the drive home I had a thought:
>>
>> Why are these mutually exclusive?
>
>Well, if we don't run encryption from the browser client it's not, by
>definition, end-to-end.
>
>However, see the post on the other thread by Raphael - the team seem
>to have dismissed the idea of end-to-end encryption for the time
>being.
That may be a practical decision made by the Diaspora team with regards to
their web server approach, and that's understandable at this stage of the
development. I have to believe that if Diaspora meets its goals, then we'll
also see 10s of other implementations that can, provide end to end security
(or other unique features), but as long as two pods talk the same network
language that's all the better.
On 25/09/10�ソス16:51�ソス-0700, eveclatrel wrote:
>Yes, I noticed their stance on e2ee and it furrows my brow. Our back
>and forth on encryption has me convinced that is the way to proceed
>for real security (which I thank you for). If we don't include it in
>*some* form I think we need to drop being privacy aware as something
>Diaspora accomplishes. Because it cannot be guaranteed without it and
>it seems that more people are coming to that conclusion.
If you drop security, then it's probably going to result in a huge mess of
spam. But I get your point.
However, I think the network API can be written in a way that a Pod can
perform end-to-pod encryption, or pod-to-end encryption and still allow for
sufficient security for the end-to-end crowd. It at least should prevent
the free-for-all-for-spammers environment that's infested SMTP.
--
Dan White
With regards to the 'None' security level, there *must* be some form of
signing, or you're opening up the network to spam
I think email is a questionable model to use, unless you include GPG
encryption into the mix. SMTP is terribly broken in my humble opinion.
On 26/09/10�00:16�-0700, shadowfirebird wrote:
>Many thanks for the thanks; I post far too often here for my own
>comfort and I'm starting to assume that the default internal response
>to one of my posts is 'oh god, him again'. Thing is, I'm passionate
>about having Diaspora, or something like it, working and viable. So I
>tend to get carried away.
>
>I think it's fair to say I had misunderstood your position. It
>certainly does not have to be a browser for me, either, and I agee
>that the api/protocol is more important than the software.
>
>The problem with all this hedging is that in order for e2ee to work,
>you need to secure *both ends*. There is little point in saying that
>I have the option of hosting my own seed for extra security, because
>unless everyone else I talk to does that too, no extra security
>actually happens.
I agree to a point. A site that does not participate in end-to-end security
opens itself up to problems when/if they encounter security problems, like
the kind Facebook and Twitter still experience today, with a 7+ figure
operational and development budget.
End to end security is the open source response to the
security-through-budget approach of much bigger services.
However, there's still something to be said for having a secure network
protocol that guarantees privacy and integrity (given all players meet a
minimum set of criteria for playing).
--
Dan White