Maybe I'm paranoid, but I'm suspicious of how, just as crypto is having a cultural moment, this expert consensus is appearing against the one cryptosystem that has demonstrated itself to be genuinely effective even against the most powerful of adversaries (Snowden used it and, perhaps more significantly, leaked internal NSA complaints that they're unable to break it when used correctly). And we're being pushed towards these centralized (and centralized in the US) systems instead.
Suppose the NSA have accepted that they can't hold back the tide: users want something that sounds like end-to-end crypto. At the same time they want to retain as much ability as they can to read users' messages. What would they do? If they had subverted some security experts, how would the world look different? How can we proceed robustly assuming that there are adversaries among us?
> An enormous installed base of clients that won't do encryption, meaning that at best you're attempting to tunnel encrypted messaging over an unencrypted transport.
IP is unencrypted, so that's always going to be the case on some level?
> A protocol that leaks metadata, including some message content, at the envelope layer.
True. Worrying. But certainly not fixable by switching to a centralised system. Doubly-certainly not fixable by switching to a system that uses phone number as ID.
> Hundreds of millions of users that primarily access messages through browser clients that can't meaningfully implement crypto.
> An archive-always UX that ensures that huge amounts of plaintext are scattered around the Internet by both senders and receivers.
> An unencrypted installed base that ensures encryption will be opt-in for the foreseeable future, meaning that users will routinely reveal plaintext accidentally by, for instance, quoting messages and forgetting to encrypt.
Client-specific, and avoidable. Better clients are to be encouraged.
> End user demands for things like search that can only be delivered efficiently at scale by databases of plaintext (most likely at centralized servers).
How do any alternatives avoid this?
> Better to move sensitive conversations to things like Signal, WhatsApp, or Wire --- the double ratchet construction is designed specifically to make IM-like protocols secure even when conversations are sporadic and last months.
There's a place for IM-like conversations, sure. I think there's a place for email-like conversations too. Certainly I want to keep what is by a long way the most battle-tested cryptosystem we have, OpenPGP (even if used over Jabber or the like rather than over email). And while I'm probably willing to use a double-ratched construction implemented by someone I trust (i.e. Matrix/Riot and possibly Conversations), I would certainly not switch to any centralized system or anything based on phone numbers. That would be a serious downgrade from what I have with OpenPGP.
What on earth could you possibly be talking about? No cryptosystem has proven itself less capable of standing up to state-level adversaries than email, and nothing demonstrates that more clearly than the progenitor of this "cultural moment", the saga of Edward Snowden.
If you are an active target of a tier 1 state, your endpoint will be compromised, your decrypted communication will be read, and no cryptosystem will prevent this.
Furthermore, if you're using PGP to evade a state-level adversary, the odds are overwhelming that you've own-goaled yourself many times over:
* You keep plaintext archives and drafts of your messages, because that's a fundamental feature of email clients going back 3 decades.
* You use a server-mediated PGP provider like Protonmail that has your security one surreptitious Javascript injection on an XHR call away from complete collapse.
* Your peer accidentally forgot to encrypt a response and quoted your own plaintext back to you.
These things aren't intrinsic problems of encrypted messaging systems, which is something I feel like HN is not doing a good job of grokking. They're intrinsic problems of email.
You keep plaintext archives and drafts of your messages, because that's a fundamental feature of email clients going back 3 decades.
To my knowledge, mutt doesn't store decrypted archives. Drafts are stored in /tmp which can be a filesystem stored in RAM. I think using Mutt also takes care of your second point.
Your third point is the biggest problem with any system where security is bolted on (e.g. SMTP, POTS, etc.) - your end may be secure but your interlocutor is liable to compromise you one way or another. Though, as you say, this isn't a fundamental property of all encrypted messaging systems.
"You keep plaintext archives and drafts of your messages, because that's a fundamental feature of email clients going back 3 decades."
No it's not, you don't have to keep it at all or in plaintext and it's irrelevant for new clients supporting encryption, their UX have to be redesigned anyway. So it's a UX issue at most.
"Your peer accidentally forgot to encrypt a response and quoted your own plaintext back to you."
Again, just a UX issue. Although all messaging apps actually have incentives to provide a UX that lets them spy on most people's communications or be open to add that possibility some time in the future.
"that has your security one surreptitious Javascript injection on an XHR call away from complete collapse"
This is a problem of centralization that you are trying to ignore and none of those messaging apps can solve it. Any centralized system is one tiny change away from a complete collapse. It can also be shut down by the state just to force people to use plaintext or backdoored alternatives. The problem is even bigger than it looks, even if you make a completely decentralized protocol there will still be incentives to centralize as much of it as possible to make money and still leave a strategic possibility to spy on everyone also for money. Makes sense?
> You keep plaintext archives and drafts of your messages, because that's a fundamental feature of email clients going back 3 decades.
Name one PGP-enabled MUA that actually does this? None of the popular ones (mutt, enigmail, claws) do it. They didn't do it in the 90s, because that would have been stupid, and they don't do it now.
You could have said indexing and search if you wanted to point out actual usability problems with PGP-enabled MUAs.
I disagree that these aren't intrinsict to any messaging system. Those are intrinsic problems of any electronic data storage and transfer system. Data tends to deleted or public, as Quinn Norton says.
I've been thinking this problem through for a while, and I'm starting to think we simply need to have a different mindset for thinking of electronic data as for hardcopy. I'm leaning toward "data physics", in the sense that there are different "rules of physics" which apply -- a metaphor, though close enough to the truth:
* Data have effectivley no inertia. They can move anywhere at the speed of light.
* Data violate the principle of location. Information can be in two (or more) places at the same time.
* Data can be exfiltrated without awareness of the subject. Most especially when held on third-party systems.
* Encryption isn't a safe. If you lose a safe key (or combination), you can drill it out. If you lose an encryption key, an entire corpus is no longer accessible. This has absolutely massive implications from a user-support standpoint, as such key loss will be an everyday (or, at global scale, every second) occurrance. Which means some sort of reliable, useful, but still sufficiently safe, and cheap key recovery system.
Essentially: you can be compromised at any time, by any number of actors, without notice. There may be some ways to address this, but throwing more crypto at the problem may not be it. "Canaries" or fictitious entries and sentries (URLs, emails or phone numbers which should never be contacted, but which if they are, you know you've been had), might be part of that.
Another realisation I had a while back was that as much as this hits the ordinary citizen, it's as much a concern for those in or near power (finance, politics, military, journalism, business, etc.) as well. See open speculation that the White House has been compromised, quite possibly by multiple intelligence operators from multiple nation-state, and possibly other, actors. Including those of the United States itself.
Which is to say: media change the societies in which they operate, and always have. Elizabeth Eisenstein made hay with this in her 1979 book The Printing Press as an Agent of Change, though I'm finding her 1968 paper prefacing that work a more concise and sufficient summary of the principles: "Some Conjectures about the Impact of Printing on Western Society and Thought: A Preliminary Report"
There are a large number of other things we need to fix to make individuals able to resist state attackers, sure. We need much better software security in general, more transparency around firmware.... Still, good crypto makes attacking more costly, even for states. My sense is that the cost of attacking someone using email and OpenPGP will be higher than for any existing alternative (including WhatsApp/Signal), at least for an adversary with the US security services onside.
And if you were aware that a state-level actor is targeting you, you'd be using a programmable, self-contained HSM for all sensitive computation. This is a topic I'm working on actually.
You have no idea what you're talking about mate. As a state-level actor, I could obtain/develop a nice Safari root exploit and get the target to visit a malicious site. Heck, if I were the NSA, I could probably get Facebook to insert the exploit payload once the target logs in. Game over.
I agree. Sure, PGP is somewhat outdated but it is still solid as long as keys aren't compromised.
There is a good argument for new form of communication that is encrypted by default, but email has such a huge headstart that I'm not sure that's practical.
WhatsApp on the other hand is a proprietary platform restrained by commercial interests, closed source, and lack of verifiability as well as opaque key management.
Suppose the NSA have accepted that they can't hold back the tide: users want something that sounds like end-to-end crypto. At the same time they want to retain as much ability as they can to read users' messages. What would they do? If they had subverted some security experts, how would the world look different? How can we proceed robustly assuming that there are adversaries among us?
> An enormous installed base of clients that won't do encryption, meaning that at best you're attempting to tunnel encrypted messaging over an unencrypted transport.
IP is unencrypted, so that's always going to be the case on some level?
> A protocol that leaks metadata, including some message content, at the envelope layer.
True. Worrying. But certainly not fixable by switching to a centralised system. Doubly-certainly not fixable by switching to a system that uses phone number as ID.
> Hundreds of millions of users that primarily access messages through browser clients that can't meaningfully implement crypto. > An archive-always UX that ensures that huge amounts of plaintext are scattered around the Internet by both senders and receivers. > An unencrypted installed base that ensures encryption will be opt-in for the foreseeable future, meaning that users will routinely reveal plaintext accidentally by, for instance, quoting messages and forgetting to encrypt.
Client-specific, and avoidable. Better clients are to be encouraged.
> End user demands for things like search that can only be delivered efficiently at scale by databases of plaintext (most likely at centralized servers).
How do any alternatives avoid this?
> Better to move sensitive conversations to things like Signal, WhatsApp, or Wire --- the double ratchet construction is designed specifically to make IM-like protocols secure even when conversations are sporadic and last months.
There's a place for IM-like conversations, sure. I think there's a place for email-like conversations too. Certainly I want to keep what is by a long way the most battle-tested cryptosystem we have, OpenPGP (even if used over Jabber or the like rather than over email). And while I'm probably willing to use a double-ratched construction implemented by someone I trust (i.e. Matrix/Riot and possibly Conversations), I would certainly not switch to any centralized system or anything based on phone numbers. That would be a serious downgrade from what I have with OpenPGP.