[liberationtech] Snakeoil and suspicious encryption services

Guido Witmond guido at witmond.nl
Sat Jul 19 07:18:55 PDT 2014


On 07/19/14 11:13, carlo von lynX wrote:
> On Fri, Jul 18, 2014 at 7:59 AM, Lorenzo Franceschi-Bicchierai <lorenzofb8 at gmail.com> wrote:
>>> I was wondering if it's time to make a list of not-so-good snakeoil
>>> encryption services that have popped up after the Snowden revelations.

> Let's look at the long-term solutions. We keep a map of them on
> http://youbroketheinternet.org - anything that uses public-key routing
> instead of trying to put a band-aid over the existing Internet is in it.
> Everything that has a chance of protecting metadata is there.

Carlo's categorization in three categories: snake-oil, band-aid, and
solution is a good one.

Stretching that analogy: right now, internet security is mortally
wounded: 1) Almost all protocols leak both content and the social graph;
2) Our operating systems protect themselves against hostile users, they
don't protect users against a hostile internet - hence the rampant
malware problem; 3) Browsers have a long way to go.

While I really applaud the efforts of http://youbroketheinternet.org (I
was part in that), *we need the band-aid now and we need a lot of it!*
After the patient has been stabilized we can concentrate on the cure.

Due to the inertia, it will take 15 to 25 years for an innovation to
become mainstream. If it succeeds at all. Internet innovation goes at that
same glacial speed. Just look at the speed of uptake of IPv6.

> Everything that tries to insist on using insecure technologies such as
> X.509, DNS, DANE can at best be a band-aid. Everything that tries to
> put encryption on top of SMTP, XMPP, HTTP instead of underneath, is
> vulnerable. If it's not vulnerable technically, it is by usability.

DNSSEC and DANE have been in the making for 10 to 15 years. With these
technologies, I've shown[1] that they can be used to combat phishing,
increase confidentiality of private messages and eliminate most problems
with passwords over the internet. And it makes it easier to use. No
usability problems like PGP.

Therefore I propose to focus the effort on investigating how to tell
band-aids apart from snake-oil. Many of the criteria have been provided
by Carlo.

In fact, many people are still in the 'I don't have anything to
hide'-fallacy mode. It will be a long journey from the current
brokenness to the goals that Carlo envisions. Any step that each of us
makes along that journey is an improvement. And I applaud anyone who
makes the first step. I pray that it is a band-aid and not snake-oil.

With regards,

Guido Witmond.

1: http://eccentric-authentication.org/blog/2014/06/25/talk-for-icann.html
