25 November 2013
Email Is Unsecurable
Date: Mon, 25 Nov 2013 09:01:31 +0300
From: ianG <iang[at]iang.org>
To: Ralf Senderek <crypto[at]senderek.ie>, Cryptography
<cryptography[at]metzdowd.com>
Subject: [Cryptography] Email is unsecurable
On 23/11/13 15:30 PM, Ralf Senderek wrote:
> On Sat, 23 Nov 2013, David Mercer wrote:
>> But of course you're right about actual current usage, encrypted email is
>> an epic fail on that measure regardless of format/protocol.
>> -David Mercer
>
> Yes, but it's about time we do something about that. Do we *exactly know
> why* it is such a failure?

It's an interesting question, and one worth studying for pedagogical motives.
From my experiences from both sides, it is clear that both sides failed.
But for different reasons.

S/MIME failed because it is an atrocious key management design. Everything
about it is designed to rely on certs, and nobody wanted to buy certs, and
when you bought them, they didn't work well enough. It's a CA's perfect protocol
because it places the cert at the apex of the mission, and a user's nightmare
because certs fail too frequently in the aggregate to avoid the curse of
K6 -- turn it off, dump it. In practical import (from actual experience),
if you had a group of say 12 people with one year certificates, every month
some person was failing to communicate because her cert had expired.... Do
the math.

PGP failed because it never succeeded in conquering the GUI clients. That
was in part because of what PHB [Philip Hallam-Baker] calls the Betamax-VHS
war. The providers of the major clients were already in the certificate camp,
so they locked out the PGP side. It was beyond the resources of the PGP group
to crack that barrier.

If you look at the other big comparison, SSL, it won its early battles against
the alternatives in part because one company held the reins, Netscape. They
were able to force through their decisions.

But, there are other reasons. If you look at the overall picture, there are
many other difficulties.

For example, consider traffic analysis or metadata or mass surveillance --
neither side did anything about that. In fact, they made it worse. Both sides
did not encrypt the entire important data, the Subject: being the obvious
thing that wasn't encrypted. S/MIME clients made it far worse by insisting
that the From: field had to match the certificate used; which made it a
*validated surveillance indicator* as opposed to just another input to the
spam filter.

Then, look at the design of email. Too many steps, too many processes, too
many disjoint systems under too many different RFCs. Difficult.

Then, webmail -- is it encrypted at the server (SSL?) or in the client (c.f.
Hushmail). How many other clients, how many gateways, etc.

Then, the assumptions of email. Everyone can send an email, and the cost
is zero. Result: spam.

Hence, I've concluded that email is unsecurable. Obviously Jon [Callas, Silent
Circle] and PHB and Ladar [Levison, Lavabit] think differently. I applaud
their efforts and hope they prove me wrong. But the lessons of Skype and
Facebook and Netscape are writ very large -- great security achievements
come from 3 party networks, not 4 party networks.

iang
_______________________________________________
The cryptography mailing list
cryptography[at]metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
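
The Subject:/From: exposure described in the message above, as an added example that is not part of the original email: a Python check that reports which headers of a PGP/MIME or S/MIME message remain readable to every relay even though the body is encrypted. The sample message, its addresses and the `exposure_report` name are constructed for illustration.

```python
from email import message_from_string
from email.policy import default

# Constructed sample: an RFC 3156 PGP/MIME message (all values are made up).
SAMPLE = """\
From: alice@example.org
To: bob@example.net
Subject: Q3 budget draft
Date: Mon, 25 Nov 2013 09:01:31 +0300
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(placeholder ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

# Headers that stay outside the encrypted part and feed traffic analysis.
METADATA_HEADERS = ("From", "To", "Cc", "Subject", "Date", "Message-ID")

def exposure_report(raw):
    """Return the encryption scheme and the headers a relay can still read."""
    msg = message_from_string(raw, policy=default)
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":
        scheme = "PGP/MIME"
    elif (ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime")
          and msg.get_param("smime-type") == "enveloped-data"):
        scheme = "S/MIME"
    else:
        scheme = None  # body is not encrypted at the message layer
    visible = {h: str(msg[h]) for h in METADATA_HEADERS if msg[h] is not None}
    return {"scheme": scheme, "cleartext_headers": visible}

if __name__ == "__main__":
    report = exposure_report(SAMPLE)
    print("scheme:", report["scheme"])
    for name, value in report["cleartext_headers"].items():
        print(f"cleartext {name}: {value}")
```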