Thursday, February 28, 2013

Truth in Advertising (Or why we need Crypto Licenses)

Imagine someone came to you, and sold you a car they promised would drive you wherever you wanted. They told you that it could talk to other cars so that driving would be automatically reported to SquareFace and MyPints. (Not as dangerous as it sounds: after all, a car that can drive itself is perfect for suburban pub crawls.) However, you ask if there is a way to turn off this feature. "Of course," says the salesman. "Just flip this switch and no one can track you." So you buy the car and drive off, with the switch flipped to the position where no one can track you. But it turns out that the people in charge of implementing this feature were barely trained in the relevant details of how to make it work, and flipping the switch does nothing. Of course, this is because you asked for snow tires and the car has a rather strange design. I imagine you would be rather pissed, and then probably file a nasty letter asking for them to provide the funds to ensure that their stupidity be fixed.

Yet a software company loudly proclaims that it cannot read your files, and then, in the small print and documentation for a feature they also widely advertised, it turns out this is not true if you use the relevant feature. I imagine you would be rather pissed. This is exactly what SpiderOak is doing. Their new mobile client does all decryption of your files server-side. Their loud proclamations of protecting your privacy are so much hogwash: they decided to make their development a priority over your privacy. What's more, some basic failures in security exist in their user authentication protocol. Crypton is not faring much better: they promise to fix the issues in the next release, while carrying out some rather incompetent development in public.

Contrast with the behavior of Colin Percival and his Tarsnap service. Tarsnap clients are open source, and he explains the entire process by which you send encrypted data and store it. Dr. Percival has a design that is conservative, easy to analyse, and can be audited by anyone. We should demand that critical vendors follow suit in cryptographic products.

Given the consequences of bad cryptography, I propose that anyone writing a product that uses cryptography be required to hire a licensed cryptographer who will sign a sworn proclamation that the design and implementation is in accordance with good practice, and that it has been designed with a reasonable threat model in mind. This may be the only way to prevent bad cryptographers from killing more people than they already have. This licensing would have prevented TLS 1.0. It would have spared the world the horror that is WEP. It would also shut down endless numbers of fly-by-night snake oil salesmen.

2 comments:

  1. The car scenario is perhaps a bit far-fetched; but a similar "feature" is already in color printers. The problem is not that the switch is broken, but that there's not a switch to flip in the first place.

    Your complaint about Spideroak is misplaced; they just don't have the code in place to do a full mobile client, and of course a server-side solution will be less secure than a client-side solution. Note that they do promise to delete anything and everything that's done server-side after your session expires. Tarsnap uses basically the exact same security model, although he has a bigger password/key size and slightly different encryption primitives; he doesn't have a mobile client either. (He doesn't even support Windows! Shows you what his priorities are...)

    Crypton is a WIP, if you went to their Github the "WARNING: PROOF OF CONCEPT" should be pretty obvious. I'm not certain JS is the best language to write a library in, but what's done is done.

    As for licensing, I will simply say that I haven't seen a successful government-run licensing program that didn't end up turning into a monopoly. A private licensing program would be most welcome; you could start one, "Watson's Security Ratings". I'm certain loads of people would pay you to hear your opinions.

    As for TLS and WEP, why didn't you tell them they were wrong in 1997, when they were drafting the standards? Recall that cryptography was barely legal at the time, having been restricted by the U.S. for military reasons.

    As for "fly-by-night snake oil salesmen", I think that describes the vast majority of products available these days; the question is what is actually good, not what the snake oil is. And people's definitions of what exactly constitutes "snake oil" differ quite a bit. I think it is better to err on the side of having too much choice than too little.

  2. TLS was revised in 1999 breaking backwards compatibility. However, they didn't fix a bunch of issues relating to protocol negotiation, and MAC-then-encrypt was two years later realized to be a bad idea. Had they noticed they needed to analyse this primitive, they would have avoided that mistake.

    Tarsnap, unlike SpiderOak, does all encryption on the client. That they don't want to write this code doesn't excuse them from violating their loudly stated claims that they never get your keys.

    Crypton is a problem, not because they advertise it as secure, but because I have significant doubts that anyone who makes this as a POC will ever be able to secure it. They had some real howlers in the first release. There are two ways I know to make software; make it so simple there are obviously no bugs, or so complex there are no obvious bugs. They seem to have fully adopted the second.

    As for licensing, yes, that is a good argument. However, private licensing authorities are subject to a lemon problem. We need more research into economic incentives to prevent it.
