* Store it on the server? Better not.
* Encrypt it with a short phrase and store on the server? Then the
encryption is as strong as your phrase. Normally not too much.
* Carry it on an USB flash drive? Nobody will do that.
Last question:
How do you know that your Java Script-Web-Application is trustworthy
and that is not corrupted? In the end you have to trust your sever or
use a Not-Web-Based-Application.
2010/9/21 Michiel de Jong <dejong....@gmail.com>:
What protects the private key ordinarily is a symmetric cryptosystem
that uses your passphrase to temporarily decrypt the key for the
purposes of decrypting data or making digital signatures. For
Diaspora to make use of one's PGP private key, the keyfile would
either have to be stored unencrypted on disk (which you can do but
this is very dangerous), or it would have to periodically prompt the
user for their passphrase so it could cache a decrypted copy of the
private key in memory.
The latter would likely be too cumbersome for most people to deal
with, plus it would mean that certain content would be unavailable to
anyone after the cached key was expired and removed from RAM.
However, an attacker who manages to compromise the server or VM (or
who exploits a privileged subsystem of Diaspora, potentially) could
then dig that private key out of RAM by hunting through /dev/mem (for
example) or by searching the system's swap partition for signs of the
unencrypted private key (though there are ways to mitigate these
risks, such as not running parts of Diaspora as root).
Incidentally, this is something that concerns me about Diaspora that I
was hoping to work on when things calm down a bit at my day job -
Diaspora running as root because it needs port 80/TCP. I think a few
people have either fixed or gotten around that (I haven't updated my
Git tree in a day or so) because they are reporting instances on
high-numbered ports (though this could be due to port redirection at
their local firewalls).
--
The Doctor [412/724/301/703]
http://drwho.virtadpt.net/
"I am everywhere."
> I see your point, but if an intrusion has got to the point where it
> can dig stuff out of RAM, you have more problems than a Diaspora
> vulnerability, surely? I'm assuming that the eventual system will
Mostly correct. In a shared hosting situation (which Diaspora pods
likely will be: one host (virtual or not) containing the Diaspora
instances of multiple people) the stored information of multiple
people would be at risk. Local root compromise of web hosting
machines is not unknown.
I wish I knew more about Rails so that my next statement would be more
correct, but I do not. So, if I'm wrong or simply misrepresenting
things I apologize in advance, and ask to be corrected: Given that
Rails needs to run as root to be able to open port 80/TCP and doesn't
normally drop its privileges (please correct me if I'm wrong here) a
misconfiguration might give an intruder just that sort of access.
> cache a private key in memory -- but almost certainly not your
> regular, email one. Regular Diaspora use shouldn't effect your GPG
> use.
I sincerely hope that people will not use the private key they use for
their e-mail and personal files with Diaspora.
Not that i'd want to loose my GPG/PGP key and have an attacker have that info, but there would also have to be some way to "easily" (hahaha) generate a new key and inform interested nodes that your key has been compromised etc etc.
Anyway, i think, while this is important to an individual user (which is what Diaspora is targeted at), the risk probably isn't as great as all your medical records or any other monolithic entity which has tonnes of your personal info...
my two cents.
j
It seems reasonable to state that, once Diaspora is stable, Diaspora
hosts will start appearing (in fact, they already have for the
purposes of testing) so that people will not have to wrangle their own
instances of the software. For what it is worth, your example is what
I was referring to, i.e., small clusters of people being compromised
rather than large numbers at a time. The aftershocks of a single
Diaspora seed being cracked are much more immediate - larger groups,
more information to sort through; smaller groups, much less
information to sort through, leading to more immediate consequences.
> Not that i'd want to loose my GPG/PGP key and have an attacker have that info, but there would also have to be some way to
> "easily" (hahaha) generate a new key and inform interested nodes that your key has been compromised etc etc.
To say nothing of re-encrypting everything on the back end. Still,
generating a PGP key is a fairly simple operation.
> Anyway, i think, while this is important to an individual user (which is what Diaspora is targeted at), the risk probably isn't as
> great as all your medical records or any other monolithic entity which has tonnes of your personal info...
I agree. My concern lies in people wishing to communicate with others
of a like mind in such a manner that their interests and content are
compartmentalized, which is one of Diaspora's design goals.
Compromise of that compartmentalization can wreak havoc with one's
personal life. For example, a small group of people discussing
corruption at the workplace or suffering from a chronic affliction
might find other prospects in their lives adversely affected if word
got out because their Diaspora hosts were compromised. I think that
one should be able to "find the others" without having to go back to
meeting in the back rooms of restaurants just to be able to say "Wow,
it's good to meet someone else like me" (assuming no one getting hurt,
no rights being violated, and the like).
While I appreciate what you say, why did you bring the subjects of
medical records and presumably things of similar importance into the
discussion of software which is not intended for the management of
such things? I may have missed a post or two, but I do not remember
their being mentioned elsewhere.
Your presentation, however, contains the flaw that is going to kill
any solution. Its apparent precision lends a air of certainty to a
technology that can't solve the social problem.
"There are then 4 situations at the moment that a message is sent
between two pods: ..." Once you've limited your world view to "a
message is sent between two pods", you've given the naive an
opportunity to believe that a message between two seeds is adequately
covered.
Here's the cases you should include so the naive understand they, the
naive, are the solution to these situations, not the technology:
dodgyseed on any pod
badseed on any pod
By dodgyseed, I refer to a person who is not sufficiently cognizant of
what types of people exist in this world. An example is someone who
is so eager to prove his/her popularity s/he allows anyone to become
his/her friend.
The badseed is the person who takes advantage of this mentality to
become a friend and begin social engineering to obtain information
that is valuable to the badseed for whatever gain the badseed can
achieve with the information.
Remember all members of an aspect get to see the data provided in
clear text; no matter how it has been encoded along its path from
sender to receiver (and by that I mean from person A to person B, not
just from pod A to pod B).
All discussions of the challenges of the implementations of a privacy
benign social network should include discussions of these cases so
everyone can be pointed to the ample warnings about this nefarious use
of best practices.
> Anyone interested in OpenPGP in pure ruby may be interested in the
> work I've started at <http://github.com/singpolyma/openpgp>
Definitely. *hits the link..*
I have some ideas about how content could be encrypted in a Diaspora
seed (and the other seeds it is pushed to) that I would like to post
here, if no one would mind. I e-mailed the core developers last week
but have not heard back.
Not knowing how the core developers had originally envisioned how the
functionality would work, I do not know if this would be a waste of
bandwidth or not.
Hi Michiel,
We definitely preferred PGP, for a variety of reasons, but the implementation issues were bad enough that we were driven to switch. It's great to see that people want to help, let's talk about what we can do to switch back. I think the GPG method of storing keys, disk level config folders, will be basically impossible to scale, making it necessary to write bindings for libgcrypt, but I could be wrong.
Best,
Raphael
Our view on this is that end-to-end encryption, while it would be cool, isn't practical, and isn't possible as a result.
In order for such a system to work, every user would have to have a private key that they kept with them at all times. If they keep it on a computer of their own, it is susceptible to loss and only usable from home. The tools that might make it practical for non-technical users just don't exist yet, and nobody knows how to build them.
That said, every Diaspora user created right now has his own encryption key. We'd like for it to be possible for that rare technical user to hold his private key himself, and render his data unreadable by his server, without creating inconvenience for those he communicates with.
Open to suggestions as always,
Raphael Sofaer
>> Our view on this is that end-to-end encryption, while it would be cool,
>> isn't practical, and isn't possible as a result.
From what I can tell, setting up SSL for Ruby on Rails would not be
terribly difficult. This jumped out at me:
http://www.sslshopper.com/article-ruby-on-rails-ssl-configuration.html
Someone setting up Diaspora and setting up the basic configuration
could set the option "Use SSL". On the back end, Diaspora generates a
SSL certificate on the back end that uniquely identifies that seed
("Joe Blogg's Diaspora Seed, diaspora.joebloggs.com") that is used to
encrypt and decrypt client traffic to and from the seed (i.e., with a
web browser) as well as update traffic (pushes to other Diaspora seeds
that also support SSL). When Joe logs into his Diaspora seed to post
updates and check out what everyone else is doing, he connects to
https://diaspora.joebloggs.com/ with his browser. It might also be
possible to use the web of everyone the user has friended as a weak
web of trust (Joe has sixteen friends who make use of his seed's SSL
support). Functionality to strengthen the web of trust might be
possible (friends of Joe who have verified his identity, grew up with
him, what have you set a trust option in their profile that ranks how
much they trust him, like GnuPG's web of trust ("I trust this
user..."))
I can see how providers who offer shared Rails hosting might not
support SSL, and thus would torpedo such a function. I can also see
how people who don't know what that function does and thus do not want
to mess with it for fear of breaking things would also not want to
turn it on.
>> In order for such a system to work, every user would have to have a
>> private key that they kept with them at all times. If they keep it on a
I find that interesting in light of how HTTPS operates. Do they mean
setting up a certificate in the browser on one machine to help
authenticate the user logging into their seed, or do they mean just
using HTTPS to log in but not authenticating with more than
credentials (the way one can with Gmail, say). It seems to imply the
former.
>> The tools that might make it practical for non-technical users just don't
>> exist yet, and nobody knows how to build them.
Hmmm...
>> That said, every Diaspora user created right now has his own encryption
>> key. We'd like for it to be possible for that rare technical user to hold
>> his private key himself, and render his data unreadable by his server,
>> without creating inconvenience for those he communicates with.
I am definitely going to write something up and post it for review.
Maybe I have a naive concept of how things work on the back end
(entirely possible) but they make it sound as if you need to carry
crypto keys around with you on a fob and this is not necessarily the
case.
Granted, the project would also need to sit down and define a threat
model: how sensitive should users' content be considered on the
baseline, what kinds of data would be encrypted (only posts, only
updates, everything, only images, some user-defined combination). How
big a threat should the machine hosting the seed be considered (would
it be unlikely that an admin would go poking around inside the
instance of MongoDB? What about a cracker on the outside?)
For how long would an encrypted chunk of data be accessible on the
user's seed? On someone elses?
Should setting up crypto support in one's seed require friends to
toggle their crypto support to have access to a particular aspect?
> PGP. After digging into the subject, i came to the conclusion (from reading
> what people smarter than me were writing on these same lists) that if you
Time to go on a subscription spree, I think...
> Therefore I am now mainly thinking and studying why these tools don't exist
> yet (there must be a reason for that that I don't understand yet), and then
Would you mind taking that discussion off list for a bit? I have a
few questions that I would like to ask you which would be outside of
the scope of this particular mailing list.
>> In order for such a system to work, every user would have to have a
>> private key that they kept with them at all times. If they keep it on aI find that interesting in light of how HTTPS operates. Do they mean
setting up a certificate in the browser on one machine to help
authenticate the user logging into their seed, or do they mean just
using HTTPS to log in but not authenticating with more than
credentials (the way one can with Gmail, say). It seems to imply the
former.
Would you mind taking that discussion off list for a bit? I have a few questions that I would like to ask you which would be outside of the scope of this particular mailing list.
> it's about doing something *more* than that. Diaspora already uses ssl in
> pod-to-pod communication, and hosting the web-interface on https instead of
...okay. That is clear.
> the only thing that's missing is making the third-party hoster of the pod
> unable to see what you are talking about with your friends. one of the
This is what I was pondering.
As I understand it, every piece of content (post, update, picture, et
cetera) is stored as a separate document in a MongoDB database. Also,
every piece of content ('post' for simplicity, even though the word
has slightly incorrect implications given the number of different
things that can be posted to a Diaspora seed) associated with a
particular aspect of Alice's Diaspora seed gets pushed to the seeds of
Bob, Carol, and Dave, who are friends of a particular aspect of Alice.
What I had in mind was this: whenever Alice makes a post to a
not-public aspect of her seed, that post is encrypted with her seed's
private key and the public keys of Bob, Carol, and Dave (who are
friends of that aspect) before it's stored in MongoDB. Alice's seed
then pushes that post to the seeds of Bob, Carol, and Dave. Alice's
private key is unlocked when she logs into her seed, which allows this
to happen, and when her session ends (ideally whenever she closes her
browser but more like a day, give or take) her cached private key is
flush from the server's RAM. The Diaspora seeds of Bob, Carol, and
Dave receive the encrypted updates, store them in their MongoDB
databases, and send back "Message received" to Alice's seed to confirm
the update.
When Bob logs into his Diaspora seed, his passphrase also unlocks his
private key. Bob's Diaspora seed sees the new posts from Alice's
aspect in his instance of MongoDB and decrypts them into memory using
his cached private key. Those new posts are then displayed on Bob's
frontpage. If Bob wants to post a reply to one of Alice's not-public
posts, his seed encrypts the update with a) his private key, and b)
Alice's public key before being stored in the database. Bob's seed
then transmits the update to Alice's seed, which receives it into a
queue. Maybe Alice is still logged in so it gets decrypted, added to
the post, and re-encrypted with Alice's private key and the public
keys of Bob, Carol, and Dave. All of the other seeds friended by that
aspect then receive those encrypted updates, and are added to the
MongoDB entries corresponding to that update.
Something else I was pondering was the case of Alice unfriending Dave
from her semi-private aspect. Alice unfriends Dave, removing him from
all aspects of her Diaspora seed. Alice's seed removes Dave's seed
from the list of seeds to push updates to. Alice's seed then
generates a message to Dave's seed saying "Dave is no longer my
friend. Delete all stored posts from your database from Alice,"
encrypts it with Dave's public key, and sends the encrypted message to
Dave's seed, which (if it has not been modified by dave) decrypts it
the next time he logs in, looks at the message, and deletes those
encrypted posts from Alice's seed from the database. Dave's seed
generates an "All clear" message to Alice's seed, encrypts it to her
seed's private key, and sends it. This would provide the same
functionality as, say, unfriending someone on Livejournal, which then
prevents that someone from seeing all of the friends-locked content
for that account.
> into http://github.com/diaspora/diaspora/wiki/Security-Architecture-Proposal.
> Anyway, most of this was discussed on diaspora-dev and not diaspora-discuss,
> so have a look there.
I will most certainly do so. Thank you very much.
this is just an idea that might work for most people.
https://www.organicdesign.co.nz/Face_base_authentication_proxy
The essential problem with mass adoption of GPG is that there is no way to securely store the private key and that storing it on a USB thumb drive is also undesirable, as it can be lost and compromised. Furthermore, once a person has lost or forgotten his private key, there is no way to recover it, rendering data encrypted with it forevermore inaccessible.