A postmortem on Efail

[Ben McGinnes]

On Tue, May 22, 2018 at 02:19:37AM +0100, Mark Rousell wrote:
> On 21/05/2018 13:34, Ben McGinnes wrote:
> 
>> I agree with most of the article and largely with the need to break
>> compatibility to an ancient flawed design.  Particularly since we
>> still have a means of accessing those ancient formats if we have to in
>> the form of the GPG 1.4 branch.  The ancient archives are as safe as
>> they've ever been (for whatever definition of "safe" is being implied
>> by the user/archivist).
> 
> Indeed, this satisfies my archive retrieval concerns.

Mine too, it's why I keep a copy of 1.4 installed at all.  It's been a
while since I've needed to access something encrypted to the first key I
ever made way back in 1995, but I know there are archives which might
require it and possibly even some which have not already been migrated
to a newer key and encryption method.

That's okay, though and it doesn't need current dev practices to
retain those functions since there is a means of still opening that
door, even if I'm no longer using DOS and thus PGP 2.3a for DOS is no
longer available.  No doubt the worst issue would be sanitizing such
an old file of carriage returns or something like that.

Depending on what it was, though there may even be WordPerfect 5.1
files buried in those archives and IIRC LibreOffice dropped support
for those files a while back.  I suspect that sort of issue is more
likely to be a cause of angst for people needing to access old data
than whether they need to run GPG 1.4.x manually to decrypt it first.

>> There is, however, one aspect of this issue that you touched on
>> lightly, but didn't really delve into and which is at the centre of
>> my, mostly unvoiced (until this email), criticism of the Efail team.
>> That being the *incredibly* unhelpful and likely actively harmful
>> recommendation to remove encryption and decryption functionality from
>> vulnerable MUAs.
>>
>> To say, “we have this edge case scenario that really needs an active
>> targeted attack on a case by case basis, so everyone should just stop
>> integrating encryption” is the kind of thing that can get people
>> killed.
> 
> This has been commented on by a few people on this list, myself
> included: [1]

It gets mentioned here periodically, usually in conjunction with
discussions of differing threat models.

The EFF even have a great big section on their SSD site about
conducting your own risk or threat assessment and that these things
will be different for people in different circumstances.  Then they
decided to ignore their own advice in its entirety.

> To my mind, it reeks of slanted propaganda for Signal, and there
> does seem to be a lot of it around at the moment.

Hmm, maybe, but I'm not entirely certain that's instigated by Signal
or Whisper Systems.  No doubt they're enjoying it, but I think there's
another reason for that.

> Signal has security benefits but it's not (yet?) a replacement for
> encrypted email,

It's completely incapable of replacing either email or OpenPGP.  Here
are two things I do regularly or constantly which Signal is
fundamentally incapable of:

 1. Running my own server which enables me to set certain types of
 controls or filters on my own server and not shared with any third
 party (including Moxie).

 2. Encrypt files which are not intended to be sent to anyone and
 never were intended to be so.  The same is true of certain files
 which are digitally signed and archived in a way which lets me prove
 when they were written later (it's a copyright thing and set to
 specifically circumvent a particular niche of morons that are
 unrelated to the issue at hand).  Mostly, however, I mean things like
 keeping a journal and making damn sure that it won't be used against
 me.

Signal can't do any of that.  At all.  It also can't provide a genuine
means of establishing a pseudonymous identity unless you live in a
country that lets you buy lots of cheap "burner" phones and/or SIMs.

Maybe that is easy in the USA, maybe even elsewhere too.  It's pretty
much impossible in Australia.

So if there were something I needed to raise somewhere pseudonymously,
say via Tor and some web forum, what does the EFF suggest I use?
Signal?  How?

> whereas a number of commentators seem to treat it as if all email,
> encrypted or not, should be deprecated in favour of Signal. This is
> not sensible or good advice without considering individual use cases
> (regardless of Efail).

Absolutely!

I'm guessing that none of these commentators have ever actually
personally faced a threat which threatened their lives, especially as
part of some kind of minority, where the threat is both targeted and
impersonal simultaneously.  There are still millions of people in the
world facing torture or even death just because of something they were
born with (even something which may not be apparent until they reach a
certain point after birth).

In fact one minority I'm aware of is still so greatly at risk that
there's only one country in the world which provides legislative
protection for them.  All the others permit and, in some cases even
encourage or promote, some rather nasty practices (and I've seen some
of the evidence presented to the UN's human rights reviews, including
photographic).  This group is *not* the same community I referred to
in my previous message (the one you replied to, not the second one to
Rob) There is almost certainly some overlap, though, since there will
be members of this minority in that other community just based on
statistical prevalence.

> Well said.

Thanks.

>> So in my opinion it's not the merits or lack thereof in the
>> demonstrated attacks they released that have the gravest
>> consequence here, it's that the number one recommended mitigation
>> technique is to remove cryptographic functions from MUAs.
> 
> Without wanting to sound like a conspiracy geek, removing encryption
> from email would, of course, benefit Signal and its takeup.

I don't think it's necessarily for Signal, but Signal was created by
someone who shares that view and, more often than not, for much the
same type of reason.

I think the majority of those people who adhere to that view are geeks
of a certain age, approx. 40s to 50s, who came to the crypto world
back during the first Crypto Wars.  As much as they loved the idea of
PGP, one of two things happened: either they couldn't understand it
will enough to get it to work properly or, the more common story, they
couldn't get others to use it due to the difficulties in doing so at
that time.

In their minds OpenPGP usage is "difficult to use" or "not worth the
effort" because in their minds it is still their recollection of the
experience back then.  They've given up on it and they've dug their
heels in so much they now react almost aggressively against anyone
still seeking to use the thing.

It's porojection and it says more about them than anything.  How can I
be sure, well obviously my reference to my first key indicates I was
getting my intro to things around the middle of that era.  The two
biggest problems back then by my recollection was the lack of
accessible documentation explaining the concepts without requiring a
mathematics degree and practical setup guides.

Over time the latter became more prevalent and eventually some good
examples of the former arrived.  Those coupled with the *vast*
improvements to software over the intervening years means that the
difficulties of the '90s are not as great as they were.  There is
still some effort required and people do need to think about what sort
of security they need, but that just leads into the other aspect of
this: it was never about the degree of difficulty, it was about the
motivation to use the thing.

If someone feels a genuine threat to themselves or their loved ones
and OpenPGP usage is the key to ensuring that threat is kept at bay,
you just watch how fast and dedicated they become.  I've seen some
rather surprising examples of precisely that over the years too and
it's really at the core of that old argument.

We can advocate about something we find fascinating until we're blue
in the face, but for someone else to use it, they have to be motivated
enough to want to.  Signal is so simple that it's almost impossible to
fuck it up (except when it resends an unencrypted SMS to someone not
on the network hundreds of times without the sender knowing that's
what happened and wondering why their friend or whoever is pissed off
at the walls of repetitive messages), but it achieves this by moving
all the options and decisions to the developers and the servers.

Anyway, I think the pro-Signal commentariat is pro-Signal not because
of some concerted effort to build Whisper Systems into the One True
Centre of Cryptography (complete with secret handshake and, maybe, a
"No Homers" policy), but because their personal experience of
difficulty 20+ years ago convinced them that the solution was that
everything must be so simple as to be unnoticable.  Then Moxie came
along, someone whose story includes a free admission that he feels the
same way and he wrote this thing that's simple to use.  This seems
like validation of their belief and so they latch onto it with a near
religious fervour.

None of this is really that new in IT-land, but in this particular
field it has the potential to have very bad consequences for people
who are more worried about things that could get them killed or
tortured or beaten or whatever than something that may have just been
a bit frustrating or even embarassing.

Those commentators still need to learn that it's not about them, nor
is it about us; it's about the people who need it, when they need it
to not get beaten, raped and/or tortured to death ... or whatever
other nastiness they're trying to avoid.

Besides, I'm pretty sure I can out-do the lot of them for embarrassing
fuck-ups with PGP during the '90s.  I once sent an encrypted email to
Phil Zimmermann which was supposed to just be a "thanks for the nifty
software, this so cool" message and I got a reply asking why I'd sent
an encrypted empty message.  Yeah, really, and of course I was
mortified!

I did, however, stick with it and (eventually) learned.  A long time
later I was able to contribute in more useful ways particularly from
about three years ago onward (and this year is definitely adding to
that opportunity).  I even still cringed at the thought of sending
Phil Zimmermann that empty message for quite a while.  Now I barely
think about it at all and, when I do, it's just a little amusing.  I
doubt Phil would even remember it at all.

So what made me stop cringing at the thought of it?  I couldn't give
you a precise moment or thing, but it was either learning far more
about the topic and being able to pass some of that along or it was
experiencing some things that were far worse than mere embarassment.
Maybe a little of both.

The commentariat to which you referred, however, apparently still
haven't learned to move beyond their own embarassment or their own
problems.  Which would be fine if it only affected themselves, but
they're making sure it doesn't and preaching it to others; including
some with concerns a bit more significant than whether they do
something stupid.  They seem to be more interested in the security of
their ego and pride, perhaps reputation, over the actual consequences
which others may pay if they follow the wrong advice for their
situation.

So again the real issue is not that they're pro-Signal, that's really
more symptomatic.  The real problem is that for whatever reason,
though I strongly suspect the majority will be as I described above,
they've developed a hatred for one particular piece of technology, in
this case OpenPGP.  Now they push any other option, currently Signal
in many cases (no doubt WhatsApp would've been a contender, but lost
points when bought by FarceBook) in all cases because they're more
interested in hating the thing they hate than in providing relevant
advice or recommendations that are geared towards helping people
analyse their own threat model and implement the best tools to meet
that threat.

There's a really easy way to prove this too.  I dare any of the Signal
addresses all crypto needs" people to go to Mexico and provide info to
that country or conduct citizen journalism and investigative reporting
specifically on the cartels and corruption.  Using Signal and a
Mexican phone number.

I mean if Signal is the answer, that should be enough to prevent
discovery and execution, right?

As for my advice on the Mexican scenario: do not do that unless you
want to be executed!

Last I checked Mexico had a nationalised telecommunications carrier,
so the cartels only need to bribe or threaten one engineer and that's
that.  So once a relevant Signal contact is established, well, that's
enough information to take to the national carrier with an Uzi and a
demand for cooperation.  You really think the telco tech or customer
service rep is going to take a bullet for a customer and would anyone
expect them to?  Of course not and they shouldn't have to either.

Whereas being able to maintain a pseudonymous identity online with the
ability to verify that pseudonymous person is the same individual, but
without revealing their real location can be done with other tools and
for the Mexican scenario could even be done with their own domain (but
with a light weight enough implementation to remain on the move).  No
doubt many people on this list will have already thought of a few
options to handle various aspects of that kind of problem, with a few
different configurations depending on specifics lacking in this
hypothetical.

No need to really delve into them, the point is that there are a few
ways to do it with differing degrees of using different technologies
depending on more detailed specifics of what needs to be done.  So the
solutions vary according to the needs of the person who will use it,
not simply pushing Signal as some kind of mythical cryptographic Soma
on everyone for every purpose.

The best security advice is, and always has been, the advice which
meets the needs of the person requesting it after having analysed that
person's situation and that of the community or communities they're
in.  It will never be a one-size-fits-all magic pill or glib answer,
not even Signal.  Not even OpenPGP either; as it doesn't actually
provide a transport method, just the structures for use with one and
thus does not provide a means of guaranteeing anonymity or
pseudonymity entirely on its own.  In conjunction with other things it
can be made to do so, of course, but that's the point.

All right, there you go, if there is one part of the problems here
which actually originates with Signal then there it is: conflating the
protection method with the transport protocol.  Signal as a solution
can only ever be used with Signal the network, it can't be adapted to
alternative transport protocols too readily, whereas OpenPGP can be
and has been to varying extents.

That, however, was a deliberate design choice made by Moxie as part of
his approach of dumbing everything down to try it make it impossible
for it to be too hard to use by most people and so Whisper Systems
view that as a feature.  Arguably it is indeed a feature, but it's the
feature which should have been recognised by its supporters as being
potentially dangerous for some types of threats and not the reason to
pronounce it the solution to everything.

So I think it's still fair to say the greatest problem is with the
commentators and the real reasons motivating the nature of their
commentary rather than what Signal is; and what it is is just fine if
you're in a relatively privileged class in the western world who
doesn't need to deal with anything requiring anonymity or
pseudonymity.  For everyone else, however, it may have some uses under
some circumstances, but the degree to which it will do so will vary
considerably and in quite a number of cases will either be very
limited or will be a direct threat (or contribute to direct threats).

As for the problem of the motivations of the commentators, regardless
of whether or not my theory regarding experiences during the Crypto
Wars is accurate or not, the real issue there is that they're letting
their personal gripes override the specific situations others have to
face and they don't seem to care if someone else dies as long as they
get to push their agenda.

I'm going to have to assume by this point two things:

 1. that if they're that far into their own little world there's
    nothing that will convince them that maybe that's not so cool; and

 2. that no one else here will be overly surprised if I (and perhaps
    others) disregard any degree of ethics or credibility of anyone
    who is so committed to a particular absolutist stance that they'll
    risk the lives of others (but never their own) on the
    righteousness of their cause.

No doubt they won't care about either of those things either; or, more
likely, they'll simply disregard everything postedto this list.  This
is something I will gladly accept if they will at the very least start
giving a damn about the concerns of others facing much more heinous
threats than the rest of us and needing real support from those of us
involved in any aspect of the information security world, not just
glib and unthinking answers which do more for a personal agenda than
the person under threat.


Regards,
Ben

P.S.  I considered not sending this due to length and, possibly,
      responses to my disparagement of those who may value their own
      personal agenda over the needs of the end users seeking
      guidance.  A subsequent conversation with someone linked to the
      originally referenced community had indeed disregarded OpenPGP
      due solely to the advice of old geeks saying it's too hard,
      don't even consider it (before the current thing).  So the
      attitude of the commentariat is definitely a problem simply
      because they persist in pushing their old experience on a new
      audience as gospel instead of leaving the selection to a proper
      risk assessment and the needs of those people.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20180523/21a4316b/attachment.sig>