[Mailman-Developers] Encrypted lists predictable difficulties and implementation needs
Richard Damon
Richard at Damon-Family.org
Sun Mar 19 07:33:24 EDT 2017
On 3/18/17 4:37 PM, Rich Kulawiec wrote:
> On Thu, Mar 16, 2017 at 05:30:36PM -0400, Barry Warsaw wrote:
> ...
> It *might* be.
>
> The problem is that the list owner and other list members have no way to
> know. From their point of view, there is no way to know whether the
> latest list member -- whether that's list member #8 or #7,221 -- is using
> a reasonably secure mail client on a reasonably secure operating system in
> a reasonably secure environment -- or whether they're reading list traffic
> on an iPhone that was fully compromised eight months ago. Moreover, even if
> that newest list member is doing the former today, nothing prevents
> them from doing the latter tomorrow.
>
> (Yes, one could ask them not to, even make not doing so a condition of
> membership. That won't work. Somebody is going to read email on their
> fridge or their car or their Android phone because they can, because
> they're lazy, because it's convenient, because they feel like it.)
>
> It's thus impossible to (a) estimate the risk or (b) control the risk or
> (c) know when a full compromise has taken place, absent outside indicators.
>
> That's a really bad combination to have in anything that's trying to be secure.
>
Barry,

I would say that the problem that is being attempted to solve is
fundamentally impossible to do perfectly. It is impossible to distribute
messages in a secure manner to a number of recipients that you don't
have total control over their environment and KNOW that security is being
maintained. Communication always has that sort of issue, if you tell
someone something private, you need to be able to trust that they will
keep it private, and there is always a risk that they will reveal the
information intentionally or accidentally.

The question comes, is it better to provide a method that gets you part
way to the goal, and risk a false sense of security, or to not provide
any method at all.

This is comparable to the fact that we lock our homes and cars to keep
them 'secure', even though we know that security isn't perfect. Doing so
reduces that attack surface, but it is sometimes hard to estimate by how
much.

Yes, if such a feature was added, adding a notice to remind people that
the security provided is only as good as the weakest link among all the
members of the list would make sense.

--
Richard Damo