[liberationtech] Announcing Scramble.io
Feross Aboukhadijeh
feross at feross.org
Fri Aug 23 05:28:10 PDT 2013
This is great work, DC. Congrats on launching!
> This does not improve on the properties of PGP, fundamentally. Without a
> pre-existing secure channel, knowledge of this public hash is just as
> susceptible to MitM.
Scramble isn't trying to improve on PGP at the cryptographic level -- it
actually *uses* PGP (specifically, OpenPGP.js) to encrypt the emails.
The point of Scramble is to make PGP actually usable by humans. PGP's
problem is not that we lack a way to make pre-existing secure channels,
it's that literally no one uses it. Scramble makes PGP usable by the masses.
It's webmail so it's convenient and doesn't require any software
configuration. And it uses a great little trick pioneered by tor hidden
services to eliminate the need for "key signing" parties, which
weren't <http://ripe60.ripe.net/images/photo-keysigning.jpg>
much <http://ripe61.ripe.net/wp-content/uploads/2010/11/key-signing-prague.jpg>
fun <http://mdcc.cx/~joostvb/plaatjes/20050910-tilburg-tosti/ksp.jpg> anyways.
All this usability gain from webmail, but what about attacks like what
would have happened to LavaBit? Some say that webmail can't be made secure.
We don't know much about what LavaBit was asked to do, but Scramble is
(theoretically) secure against attacks from centralized adversaries like
governments who control root CAs and could take over and even operate the
Scramble servers.
The browser treats the server as a "dumb" blob store, decrypts all data
locally, and doesn't ever download new javascript (if you're using the chrome
extension version of Scramble, two click install). An actively malicious
server is not a problem. Mad cool.
Even if you're *not* using the chrome extension version (i.e. "paranoid
mode"), it's impossible for a central adversary who controls the Scramble
servers to do a targeted attack against you specifically, because the
browser downloads all the javascript upfront and only requests
user-specific mailbox data afterwards. It doesn't download any new code
after it's identified you to the server. Again, mad cool.
If the attacker served malicious JS to everyone, users would quickly notice
and word would get out. A distributed program could automate this check.
I recommend you all read the two links DC posted. Scramble is the real
deal. Good news for all of us!
Feross
feross.org - peercdn.com (make your site faster & reduce your bandwidth
costs!)
On Fri, Aug 23, 2013 at 2:12 AM, Ximin Luo <infinity0 at gmx.com> wrote:
> On 23/08/13 09:53, DC wrote:
> > Hi everyone,
> >
> > I'm DC, and I've been lurking here for a few weeks :)
> >
> > Since the NSA leaks, I've been inspired to work on an old dream: end-to-end
> > encrypted email.
> >
> > One difficult problem in public-key encryption is key exchange: how to get a
> > recipient's public key and know it's really theirs.
> > My plan is to make your email the hash of your public key.
> > For example, my address is nqkgpx6bqscslher at scramble.io
> > (I borrowed this idea from Tor Hidden Services.)
> >
>
> This does not improve on the properties of PGP, fundamentally. Without a
> pre-existing secure channel, knowledge of this public hash is just as
> susceptible to MitM.
>
> You can argue "well my email address is pasted on so many websites, it's
> infeasible for an attacker to MitM all of them", but you can say the same
> thing for PGP keys too.
>
> In some senses it's even worse because a human has to remember the hash
> *exactly*, instead of having PGP manage the email<->fingerprint mapping for
> you. You could write some address book software to improve on this, however.
>
> > This lets you build an email system with some nice properties:
> > * It's webmail. I want something easy to use and understand, unlike PGP, so
> >   that nontechnical people can grok it.
> > * Webmail has an inherent weakness: if push comes to shove, the NSA can
> >   compel a Scramble server to serve bad Javascript to their users. I want to
> >   give users the option to install the app as a Chrome extension. Same HTML,
> >   CSS, and JS, but served locally, so the server is untrusted.
> > * You can look up someone's public key from an untrusted server, and verify
> >   that it's actually theirs.
> > * Anyone can run a Scramble server
> > * It's open source
> > * All email between Scramble addresses is encrypted. Both Subject and Body
> >   are encrypted via PGP.
> > * With some precautions, it's possible to avoid associating your real
> >   identity with your email address at all. This means that even From and To
> >   can be anonymous.
> >
> > Feel free to try it out! https://scramble.io/
> >
> > Here's a more thorough description of my design and my
> > motivations: https://scramble.io/doc/
> > Finally, here's a more thorough description of the technical
> > details: https://scramble.io/doc/how.html
> >
> > Thoughts?
> > Best
> > DC
> >
> >
>
>
> --
> GPG: 4096R/1318EFAC5FBBDBCE
> git://github.com/infinity0/pubkeys.git
>
>
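The address-as-key-hash lookup discussed in this thread, as an added example that is not part of the original messages and is not Scramble's own code: a client derives the address from a key returned by an untrusted server and rejects a substituted key. The derivation used here (base32 of the first 80 bits of SHA-1 over the key text, as in Tor hidden service names), the function names and the sample keys are assumptions made for illustration.

```javascript
// Added example, not Scramble's code. ASSUMPTION: the address is the base32
// encoding of the first 80 bits of SHA-1 over the armored public key text.
const crypto = require('crypto');

const B32 = 'abcdefghijklmnopqrstuvwxyz234567';

// RFC 4648 base32 (lowercase, no padding) over a Buffer.
function base32(buf) {
  let bits = 0, value = 0, out = '';
  for (const byte of buf) {
    value = ((value << 8) | byte) & 0xfff; // at most 12 pending bits
    bits += 8;
    while (bits >= 5) {
      out += B32[(value >>> (bits - 5)) & 31];
      bits -= 5;
    }
  }
  if (bits > 0) out += B32[(value << (5 - bits)) & 31];
  return out;
}

// Normalise whitespace and line endings so transport changes do not alter
// the hash, then derive the 16-character address local part.
function addressForKey(armoredKey) {
  const canonical = armoredKey.trim().replace(/\r\n/g, '\n');
  const digest = crypto.createHash('sha1').update(canonical, 'utf8').digest();
  return base32(digest.subarray(0, 10));
}

// Client-side check for a key fetched from an untrusted server: accept it
// only if it hashes to the local part of the address we already hold.
function verifyLookup(address, keyFromServer) {
  const local = address.split('@')[0].toLowerCase();
  if (!/^[a-z2-7]{16}$/.test(local)) return false; // not a hash address
  return addressForKey(keyFromServer) === local;
}

// Constructed stand-ins for armored keys (not real PGP key material).
const aliceKey = '-----BEGIN PGP PUBLIC KEY BLOCK-----\n' +
  'constructed-alice\n-----END PGP PUBLIC KEY BLOCK-----';
const swappedKey = aliceKey.replace('alice', 'mallory');
const aliceAddress = addressForKey(aliceKey) + '@scramble.io';

console.log(aliceAddress, verifyLookup(aliceAddress, aliceKey),
  verifyLookup(aliceAddress, swappedKey));
```

The check binds a key to an address only; how the address itself reached you is outside what it verifies.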