[Mailman-Developers] Encrypted lists predictable difficulties and implementation needs

johny johny at neuromancer.sk
Tue Mar 21 11:04:20 EDT 2017


On 03/18/2017 09:04 PM, Rich Kulawiec wrote:
> On Fri, Mar 17, 2017 at 09:54:48AM +1100, Morgan Reed wrote:
>> I'd submit that this is tantamount to saying "it's impossible to make a
>> 100% secure system so why bother even trying".
> 
> Then you're not grasping my point.  Let me try again.
> 
> I suggest that you re-read what I've written *and* consider as well the
> disclosures of the past week vis-a-vis smartphones and their encrypted
> communications applications.
> 
> In particular, note that entities like Whisper and Signal have been, as
> I've said for years, peddling snake-oil.  They cannot possibly deliver
> on their promises *even if they do everything they say they can do*
> because all of it is immediately and completely undercut if the
> underlying system is compromised.

Open Whisper Systems and Signal provide what they state: end-to-end
encryption. Applications and technologies like these make mass
surveillance harder, as passively sniffing traffic is no longer viable.
Shifting the attacker to actively compromising devices is an overall
improvement.

> 
> Which is exactly what the disclosures of Vault 7 show everyone,
> although it's not really news to anyone who's been paying attention.
> Intelligence agencies, vulnerability brokers, organized cybercrime,
> and others have been knocking themselves out to hack everything
> for years -- and whaddaya know, they've succeeded.  This set of
> disclosures is merely the latest, and it and all the other ones
> to date are merely the tip of the iceberg.

Obviously, protection against state actors is hard [1]. However, that's
not the only threat source there are reasons to protect against.
There are plenty of threat actors for which sniffing traffic to a
plaintext mailing list might be easy, whereas overcoming a well set up
encrypted mailing list system would be quite hard.

> 
> So what I am saying, and what I hope is obvious, is that you cannot
> build a secure system on top of an insecure one.
> 
> This isn't about not being able to build a 100% secure system:
> as a long-time security professional, I'm fully aware that's impossible
> and that the best we can do is to stack the deck in our favor.
> This is about building a system that is known 0% secure from the start.

The system's security only increases in this case. Its security is
obviously debatable against state actors/equivalent threats, where it
might not improve much, but it improves significantly against other threats.

> 
> I think, in the end, this will serve the community poorly -- because
> people who don't grasp the contemporary security landscape will deploy it,
> will rely on it, and will not understand that they lost the game
> before they even started to play it.  This will have consequences.

This assumes that those people are not currently relying on plaintext
mailing lists or any other insecure messaging technology. I think it is
quite obvious, from the nature of a mailing list, that every subscriber
can read all messages. With proper documentation about security of
endpoint devices and security of mailing lists, I think this feature has
viable use-cases.


-Jan


[1]: https://www.usenix.org/system/files/1401_08-12_mickens.pdf
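As an added illustration (not code from Mailman, and not something posted by anyone in this thread), the following Go program models the re-encrypting list design the discussion above is about: a post is encrypted to the list's key, the list host decrypts it and re-encrypts a copy to every subscriber. It makes both sides of the argument concrete. The passive sniffer Jan mentions sees only envelopes, and a key that is not on the list fails to open any of them; but the list host must hold the plaintext, which is exactly the component Rich's "insecure underlying system" point applies to. The scheme (ephemeral-static X25519 plus AES-256-GCM with a plain SHA-256 key derivation), the function and type names, the subscriber names and the sample message are all assumptions made for this example, not Mailman's design or any proposal from the thread. A production implementation would use a proper KDF such as HKDF and would not rely on panics.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Envelope is everything a passive sniffer sees: an ephemeral X25519 public
// key, a GCM nonce and the ciphertext. No plaintext travels in it.
type Envelope struct{ EphPub, Nonce, Ciphertext []byte }
// must panics on error; it keeps key and nonce generation short in this demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// aead derives an AES-256-GCM key from the X25519 shared secret, hashing in
// both public keys so the secret is bound to this sender/recipient pairing
// (SHA-256 stands in for a real KDF here; an assumption of this example).
func aead(shared, ephPub, recipPub []byte) cipher.AEAD {
	key := sha256.Sum256(bytes.Join([][]byte{shared, ephPub, recipPub}, nil))
	return must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
}

// Seal encrypts plaintext to one recipient: ephemeral-static X25519 plus
// AES-GCM, with the recipient's public key as associated data.
func Seal(recipient *ecdh.PublicKey, plaintext []byte) Envelope {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	ephPub := eph.PublicKey().Bytes()
	gcm := aead(must(eph.ECDH(recipient)), ephPub, recipient.Bytes())
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return Envelope{ephPub, nonce, gcm.Seal(nil, nonce, plaintext, recipient.Bytes())}
}

// Open decrypts with the recipient's key; any other key fails the GCM tag check.
func Open(recipient *ecdh.PrivateKey, env Envelope) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphPub)
	if err != nil {
		return nil, err
	}
	shared, err := recipient.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	recipPub := recipient.PublicKey().Bytes()
	return aead(shared, env.EphPub, recipPub).Open(nil, env.Nonce, env.Ciphertext, recipPub)
}

// ListServer holds the list's private key and re-encrypts to each subscriber.
// It necessarily sees plaintext, so whoever controls this host reads the list.
type ListServer struct {
	Key         *ecdh.PrivateKey
	Subscribers []*ecdh.PublicKey
}

// Distribute decrypts one inbound post and fans it out, one envelope per subscriber.
func (s *ListServer) Distribute(inbound Envelope) ([]Envelope, error) {
	plain, err := Open(s.Key, inbound)
	if err != nil {
		return nil, err
	}
	out := make([]Envelope, len(s.Subscribers))
	for i, sub := range s.Subscribers {
		out[i] = Seal(sub, plain)
	}
	return out, nil
}
// DemoResult summarises one message sent through a constructed two-subscriber list.
type DemoResult struct {
	Delivered      []string // what each subscriber decrypted
	WireLeaksPlain bool     // some envelope carried the plaintext bytes
	OutsiderOpened bool     // a key that is not on the list decrypted something
}

// Demo builds a constructed list (two subscribers, one outsider who only sniffs)
// and sends msg through it; it panics on unexpected errors.
func Demo(msg string) DemoResult {
	gen := func() *ecdh.PrivateKey { return must(ecdh.X25519().GenerateKey(rand.Reader)) }
	alice, bob, outsider := gen(), gen(), gen()
	list := &ListServer{Key: gen(), Subscribers: []*ecdh.PublicKey{alice.PublicKey(), bob.PublicKey()}}
	inbound := Seal(list.Key.PublicKey(), []byte(msg))
	outbound := must(list.Distribute(inbound))
	var res DemoResult
	for _, env := range append([]Envelope{inbound}, outbound...) {
		_, err := Open(outsider, env) // the sniffer tries every envelope on the wire
		res.WireLeaksPlain = res.WireLeaksPlain || bytes.Contains(env.Ciphertext, []byte(msg))
		res.OutsiderOpened = res.OutsiderOpened || err == nil
	}
	for i, sub := range []*ecdh.PrivateKey{alice, bob} {
		res.Delivered = append(res.Delivered, string(must(Open(sub, outbound[i]))))
	}
	return res
}
func main() {
	fmt.Printf("%+v\n", Demo("board meeting moved to Thursday"))
}
```

Running it prints a result with both subscribers holding the plaintext, WireLeaksPlain false and OutsiderOpened false. The interesting line for the thread is the ListServer comment: in this design the list host is a single point where plaintext exists, so a compromised host defeats the scheme even though every hop on the network carries ciphertext only.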

