Search Mailing List Archives
[liberationtech] Snakeoil and suspicious encryption services
vitteaymeric at gmail.com
Tue Jul 22 04:47:12 PDT 2014
Interesting thoughts, please see my comments below.
Le 22/07/2014 03:48, Seth David Schoen a écrit :
> Aymeric Vitte writes:
>> You obviously don't know what you are talking about or just did not
>> get what I explained or just do not understand http versus https or
>> the contrary, or just do not understand the web, what's on client
>> side (browser) or on server side, or don't get that your extension
>> can be mitmed too including its signature.
>> So unfortunately I have to stop this discussion right here with you,
>> not to waste the time of serious people on this list, if you want to
>> restart with another tone, then please go, but first checkout what
>> is writen on Peersm site, everything is explained, including your
>> focus on elementary mitm issue, your arguments and judgement are so
>> basic that I am wondering why I am answering it, you should do some
>> reading, and if you can trivially defeat Peersm, then just show us
> The Peersm homepage is loaded over HTTP and right at the bottom says
> Well, that nonce is probably different for different users.
It was designed with this intention but this mechanism will be removed.
> An attacker (like the barista) can make that get loaded as
> The version of the node-browser.js file there can be slightly changed to
> leak the user's crypto keys by synthesizing an HTTP GET to some other
> host with the user's private keys as part of the URL. The security of
> your crypto protocol is not relevant to this attack because substituting
> a modified client leaks key material _outside of your protocol_, much
> as redirecting http://www.mozilla.com/ via a captive portal and then
> giving users a backdoored download of Firefox would allow leaking TLS
> session keys (without breaking TLS).
Yes and no, as I answered previously the nonce does secure a little bit
the loading of something that the app needs to work, but as I wrote this
does not secure anything at the end against a mitm, so https if people
trust it or retrieve the code and inject it locally as I explained,
please see my previous answers about this, and if people want to weight
on why Mozilla and Google have decided this policy that forces us to do
insecure things, then please go ahead.
And for the current phase there are no specific crypto keys for the
users (it's doing the equivalent of the Onion Proxy inside browsers, no
need for keys), for the final phase the crypto keys will be ephemeral.
> It's true that the user could detect the change if they view source,
> but the change may be a very small percentage of the real code, so
> it's a pretty significant practical question how the user will detect
> the change. (And will the user be willing to check what is currently
> There have also been some tricks to make it hard for the user to view
> source (or to make the source that appears look wrong). Hopefully future
> browsers will reliably show authentic source code, but even if they
> do, we're left with the "how does the user know that this 456 kB of
> loaded from the right domain is not very satisfactory by itself, both
> loaded over a CDN for efficiency reasons, and maybe homoglyph attacks,
> while even if the user is sure that it was genuinely loaded over HTTPS
> from peersm.com, there is still a risk that you as the software developer
> could somehow be forced to give particular users a fake version (based on
> their client IP address), or that the peersm.com server could be hacked
> and could give some users a fake version without your even realizing it.
I am thinking about these issues since quite some time, unfortunately I
reached the conclusion that you can not secure the code loading.
The only reliable way I think is to get the code from the site or some
mirrors and check from different sources that it is the good one.
But you envision the fact that you could detect a change, I am not 100%
sure but I still think that even if you can not stop a mitm from
changing your code there are good chances, if you have foreseen it, that
you can indeed detect it and tell it to the user, like for example
including functions that checks what is in the code or objects once the
code has been executed, this still could be detected and removed by the
mitm, but not sure it can succeed each time if your checks are a kind of
random code, to study... unfortunately such features would break the
possibility to check the code as a whole based on its hash for example...
The IP addresses of the users: strangely among all remarks I got so far,
nobody raised the issue that we could correlate the code loading with
the anonymized circuits establishment if we can monitor the Tor/Peersm
bridges, that's why there is the OK button to start the app, you can
load it and start whenever you like making hard to correlate your
activity. But again, this issue disappears if you execute the code locally.
> I would be happy to accept that browser extensions only partially address
> these threats -- especially threats of attacks by the browser extension
> developer, or involving attacks against the extension developer's
> infrastructure. We have better assurances that the network operator can't
> installing the browser extension only over HTTPS, and not re-downloading
> it every time). But currently, we don't have a good assurance that
> the browser extension we got is the same one that everyone else got
> (and that may have been audited), nor that we get the same updates as
> all other users. I think it's quite important for browser developers
> and browser extension developers to address these limitations.
Indeed extensions can be mitmed as easily as js code, the big difference
is that it's easy for any skilled js people to check what is doing the
js code, while it can be difficult for extensions I believe.
The problem remains that normal users can not do this, so back to the
local code solution.
Peersm : http://www.peersm.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms
More information about the liberationtech