[liberationtech] [Freedombox-discuss] FBX Server/Client Communication Model and Threat Modeling
melvincarvalho at gmail.com
Sat Feb 16 03:21:06 PST 2013
On 16 February 2013 04:25, Nick M. Daly <nick.m.daly at gmail.com> wrote:
> Hi folks, here's an active question that I'd appreciate your input on.
> What is an appropriate threat-model for the FreedomBox's
> client-server communications?
> Please discuss on list or feel free to add to the FBX wiki:
> This question has a number of obvious answers, but keep in mind the
> project's end-goals: to bring communication freedom to as many folks in
> as many situations as possible. To that end, what are appropriate
> compromises between server and client security, accessibility, and
> It seems to me that client devices fall into one of two basic
> 1. Those on which the user has root privileges and fully trusts (like
> their own laptop, running a fully free operating system and BIOS, in
> which no mal/spy/inscrutable-ware exists).
> 2. Those on which the user doesn't have root privileges and therefore
> can't fully trust (an iPhone, a laptop with non-free software and/or
> binary kernel blobs, a desktop with a non-free BIOS).
> I've illustrated the fact that there's a range of trustworthiness,
> though I don't know how to meaningfully measure this quantitatively (I'd
> like to survey and classify devices, but I don't know how to massively
> and remotely detect un-trustworthy or malicious software, suggestions
> are welcome).
> At this point, I'm worried about secret key (identity) material. This,
> being the most important and secret of data, can teach lessons that can
> be applied to nearly all other data.
> I'll start by throwing out a few more directed questions to start off
> the discussion:
> 1. Who can be trusted with which secret key material?
> 1.A. Can servers be trusted with the client's key?
> 1.B. Which clients can be trusted with parts of the server's key?
> 2. In what ways is it acceptable for devices to give up which secrets?
> For example, is it acceptable for the client's secret key to be exposed
> when the box is rooted by attackers? (Probably not, but that does
> let the host act as a trust proxy without relying on subkeys, or
> other weird yet conceptually interesting trust models).
> 3. What is the client application delivery model? Is it:
> 3.A. Browser-based interaction between client and server?
> 3.B. Browser-plugin-based interaction?
> 3.C. Appstore-based interaction?
Hi Nick, great topic. Which client/server interactions would you envisage
as being high on the priority list? e.g. ssh to box, login to dashboard
via a browser, using gpg based tools for email etc. ... a specific context
may be slightly easier to visualize the possible attack surface ...
> Thanks for your time,