[liberationtech] was Secure hosted mail, now: VaultletSoft

Brian Conley brianc at smallworldnews.tv
Sat Feb 25 15:37:05 PST 2012


I'd just like to point out that NDAs are not dissimilar from me telling my
three year old daughter that if she doesn't eat her dinner the mukhabarat
are going to come and get her. Which is why I don't tell her that and why
generally NDAs are a pleasant fiction that allow us all to play nice when
really they are only slightly more tangible than cash.
On Feb 25, 2012 2:19 PM, "Jacob Appelbaum" <jacob at appelbaum.net> wrote:

> On 02/25/2012 10:06 AM, Robert Guerra wrote:
> > John,
> >
> > Autonomy Central (formerly called Vaultletsoft) is a secure hosted
> > email solution that has not yet been mentioned on the list. It has
> > several features not present in many of the other email solutions.
> >
> > A couple of good things about Autonomy Central:  Several leading
> > human rights NGOs and donors have worked with and supported the tool
> > over the last couple of years, and Source code - is - available for
> > review.
> >
> > https://www.vaultletsoft.com/
> > https://www.vaultletsoft.com/about/source.html
> >
> > Would be great to get people's comments on this..
>
> I've met the author and he's a nice guy. However, I wouldn't suggest
> that people use Vaultletsoft or Autonomy Central or whatever it is
> called these days.
>
> Some comments on why I'm not a fan:
>
> It's not Free Software, it's not even Open Source software.
>
> You have to use (!) their software to receive a copy of the source for
> the software. That's a turtles all the way down security approach if
> I've ever seen one!
>
> To make matters worse anyone reading the source has to agree to some
> license about peer review that includes this gem of a gag attempt:
>
> "You agree that you will not post any information about any bug,
> problem, deficiency, or weakness in the VaultletSuite Client software on
> any web site or electronic bulletin board, or otherwise disclose or
> provide any such information to anyone else, unless you have first
> reported it to VaultletSoft Inc. and until at least 30 days after
> VaultletSoft Inc. sends its email acknowledgement to you."
>
> Getting into the actual tech - I find it rather concerning that many of
> the VaultletSoft web services load a java applet to do the heavy lifting:
> https://www.vaultletsoft.com/start/specialdelivery-popup-applet.html
>
> https://production.vaultletsoft.com/vaultletsuite/vaultletmail/transomPopup.view
>
> In a sense, I see two major problems. The first is a lack of open
> standards in the crypto beyond the buzzwords of RSA and AES. The second
> is that the security of the entire thing boils down to the security of
> the SSL/TLS trust model. If every time you use the web forms you load
> the java applets over TLS, a successful MITM wins the entire game. This
> is not unlike the problems with Hushmail or in their case, I believe one
> story was that they delivered a special java applet for a targeted user.
> It's technically possible that the same thing could happen here, what
> steps do they take to ensure that this doesn't happen?
>
> As far as the client side software goes, I think that they solve
> problems that need to be solved - I'm not sure that they solve them in a
> way that makes sense. As an example I looked at the Vaultlet filer page
> and noticed something quite strange:
> https://www.vaultletsoft.com/products/vaultletfiler.html
>
> Does it really disclose file names, contents, file sizes, and other
> things *before* you provide an encryption key? That seems... uh, less
> than ideal, if so.
>
> As I absolutely refuse to audit something with a gag, I did not request
> the source. I did however look at the portable linux installer and found
> that it ships with a huge javakeystore. It appears that if each of these
> CA certs is trusted that basically the TLS layer is vulnerable to attack
> from each listed CA (Comodo is included in the list; DigiNotar isn't).
> Though I won't make this claim, I've decided to CC the author and let
> him reply here with a yes or no - if it's possible, I guess we'll call
> that a pretty serious issue.
>
> I've done a disassembly on the software as well but I don't have time to
> look through it right now. I'll put it on the TODO list as it looks like
> it might be an interesting target. The NDA/gag doesn't lend to the right
> incentives though and that really encourages me to audit some Free
> Software projects when I do find the spare time.
>
> All the best,
> Jacob
>
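The quoted message questions a client that ships a large Java keystore in which every listed CA is trusted. As an added example (not part of the thread and not VaultletSoft's code, Java 9 or later), this lists the roots in a keystore with their SPKI pins and builds an `SSLContext` restricted to an allowed subset; the class name and the default path and password (the JDK's own `cacerts` and `changeit`) are assumptions made so that it runs offline.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
public class TrustStoreAudit { // added example, not VaultletSoft code
    // Base64 SHA-256 of the certificate's SubjectPublicKeyInfo, usable as a pin.
    static String spkiPin(X509Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(c.getPublicKey().getEncoded());
        return Base64.getEncoder().encodeToString(d);
    }
    // Every certificate entry is a root that default validation accepts for any host.
    static Map<String, X509Certificate> anchors(KeyStore ks) throws Exception {
        Map<String, X509Certificate> out = new TreeMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias) && ks.getCertificate(alias) instanceof X509Certificate) {
                out.put(alias, (X509Certificate) ks.getCertificate(alias));
            }
        }
        return out;
    }
    // SSLContext that trusts only the bundled roots whose SPKI pin is in allowedPins.
    static SSLContext pinnedContext(KeyStore bundled, Set<String> allowedPins) throws Exception {
        KeyStore narrowed = KeyStore.getInstance(KeyStore.getDefaultType());
        narrowed.load(null, null); // start from an empty in-memory store
        for (Map.Entry<String, X509Certificate> e : anchors(bundled).entrySet()) {
            if (allowedPins.contains(spkiPin(e.getValue()))) narrowed.setCertificateEntry(e.getKey(), e.getValue());
        }
        if (narrowed.size() == 0) throw new IllegalStateException("no bundled root matches the pins");
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(narrowed);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
    public static void main(String[] args) throws Exception {
        // Assumed defaults: the JDK's own cacerts file and its stock password "changeit".
        String path = args.length > 0 ? args[0] : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        KeyStore ks = KeyStore.getInstance(new File(path), pass);
        Map<String, X509Certificate> roots = anchors(ks);
        for (X509Certificate c : roots.values()) System.out.println(spkiPin(c) + "  " + c.getSubjectX500Principal());
        System.out.println(roots.size() + " roots; a certificate chaining to any one of them is accepted");
        // Demonstration only: treat the first root as the service's CA and trust nothing else.
        if (!roots.isEmpty()) pinnedContext(ks, Set.of(spkiPin(roots.values().iterator().next())));
    }
}
```

To audit an application's own bundle, pass the keystore path and password as the two arguments; the returned context's socket factory can then be handed to the client's HTTPS connection in place of the default.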