[Mailman-Developers] Encrypted lists predictable difficulties and implementation needs

Stephen J. Turnbull turnbull.stephen.fw at u.tsukuba.ac.jp
Tue Mar 21 06:27:17 EDT 2017


I hope it doesn't surprise anybody that despite being a proponent of
this project I'm quite sympathetic to Rich.

Barry Warsaw writes:

 > That assumes an open membership policy.  Wouldn't much of this be
 > mitigated with a closed subscription policy?

Not if the target membership isn't already paranoid.  Remember,
20%-40% of devices are already compromised.  Even at the low end,
assuming uniform draws, with *three* members odds are *even* that one
is compromised.  Sure, your assumption is non-uniform, but it's not
clear it's more optimistic -- suppose feeling paranoid enough to
consider an encrypted list means the probability they're out to get
you is *higher* than uniform?

And do you really think the proportion of truly tight-lipped potential
subscribers is better than 80%?

I'm not saying there's nothing useful here, but there's no longer any
such thing as "paranoia" when it comes to IoT (where "thing" includes
anything connected, not just embedded devices).

 > I agree that the security of an encrypted remailer such as we're
 > discussing is only as secure as its recipients.  Yet there still
 > may be value in encrypting the communication channels into and out
 > of Mailman, even if that can be compromised at the end-points.

Unless you're talking about a resistance cell in a society that has
been authoritarian for a few decades, I think we should assume that
content is freely available to anybody who really wants it.  It's not
just John Podesta "who should know better", I've seen testimony
recently from a security professional saying they'd clicked on a
spearphish.  They were in an isolated environment and they're pretty
sure no harm was done, but they did click unintentionally.  Jus' plain
folks have no chance.

As I've said elsewhere, the only use case I'm seriously considering is
encrypted + anonymized, so that you need to compromise (or subpoena)
the server (or the exact sender) to identify senders of particular
content.  People smarter than me might be able to extend that area of
applicability.

 > (b) is not necessarily true.  There is lots of work going on to
 > provide secure base platforms on which to implement IoT devices.

There's also active avoidance of the whole concept of security by
major device (vs. platform) vendors.  C'mon, guys, open telnet port on
a router?  Plus the reality that many devices produced by Chinese
companies are almost certainly backdoored.  It will be many years,
maybe decades, before IoT means anything but "Internet of Threats".

I still think this is worth doing, both for the occasional use case,
and for many of the reasons you give, but the applications are far
more restricted than the GSoC applicants seem to think. :-/

Steve

