Nelson Bolyard wrote:
Ian,
Previously in this thread, you wrote:
For me, the purpose of this debate is finding out what users can expect from
Mozilla by way of security.
Thank you for taking the time to lay out your views!
The answers to that quest probably include these properties:
- open, openly specified, not secret,
- inner workings subjected to public scrutiny.
- security claims independently verifiable
- interoperability with products from other sources is desired, not avoided
- interoperability with products from other sources is based on standards
compliance - not proprietary specifications controlled solely by Mozilla
Yes, a laudable goal. (Leaving aside Mozilla for now.)
Now, in contrast to that, I have been led to believe that Skype's:
- protocols, security designs and parameters are proprietary, secret, have
not been openly published, and thus not subjected to public scrutiny
- components are all proprietary. Their clients only interoperate with their
servers and their other clients. It's a closed system, as far as I know.
I think these two claims are completely correct!
- security claims are not independently verifiable by those who have no
economic interest in keeping unfavorable findings secret
In essence, your claim is approximately sustainable, notwithstanding a
single audit, and I suggest some additional stuff below.
I suspect that part of the reason you look so favorably on Skype is
precisely that its security claims have NOT been subjected to public
scrutiny.
Not at all, that is not my mind speaking :)
Actually I find it really irritating, but I have different motives from
you. I would like the chance to criticise the design, especially as it
is a new design (relatively speaking) and has incorporated a lot of the
new learning in it. In the crypto world, we often talk about how we
should break others' designs before we design our own, and I follow that
principle.
That's why I have that silly SSL page: to criticise is to hone. But,
you have no idea how boring it is to criticise the older designs; when
one comes across the same mistakes over and over again, one has to keep
reminding oneself how "we know sooooo much more these days..."
I think you tend to give them the benefit of a (very large) doubt.
Well, that is relative. Consider: those who have taken the above
laudable goal and decided this is the beginning and end of everything
... have obviously found that Skype doesn't meet this goal. Therefore,
not having met your primary, first, up-front goal, everything else is
nonsense.
It's not open, therefore it cannot be secure. Right?
In contrast, I tend to look at the user interest. And specifically, I
tend to look at the security delivered to the user. Although I approve
the open source goal, I have over time come to view it as
not-unchallengeable.
So, you -- and most here -- look at Skype and decide because it is
closed, it cannot be secure. I look at Skype and say, well, how much
security does it deliver? Objectively? Does it confirm or deny the
open source hypothesis?
As it turns out, Skype delivers more security than practically every
other example out there. Yes, I can and will argue that, even though
you will doubt it. :)
Which leads us to a conundrum: if this is true, then open source may
not be the best (or only) way to deliver security.
Which, if you are religious about open source, will be very troubling.
And, even if you are more like me, a fan about open source, it is still
rather irritating.
In the absence of published faults in their technology, in your debates
it seems you tend to treat that technology as flawless, which gives them an
advantage that no openly specified system can ever have.
Well, nobody here has asked me about their flaws, so that's another
assumption which I'm happy to address.
Here are their *security* flaws, as far as my view goes: obviously, not
open source. So we don't know who is listening. So we have to conduct
some wider research. Here's what I have found: it is possible to fork
off a subnet and intercept using a borked client, this was demonstrated
by the EADS guys over a year ago. If you pay them lots of money,
they'll sell you an intercept kit (probably, at least, that's their
business). China has a borked client. There is another minor published
weakness, which I forget now. The super-servers are a cause for
concern. The company is now owned by a US company so we can assume that
the NSA has achieved quiet satisfaction, if not anyone else. There is a
view that the intel agencies of other countries in UKUSA can now breach
Skype, and there is a view that this breach is now either leaking to
non-UKUSA-G20 countries, and from there to police, in countries where
police have an ability or desire to listen in, as para-intel agencies.
However, this is all secret, and being interpolated from claims and
counter-claims. The evidence is not sufficient to get a prosecution,
yet. In contrast, the open analysis world has failed to breach the
protocols. I recall 2 substantial attempts to analyse it, and the
results were not promising. Plus I mentioned that audit. Plus, at
times, many powerful people have complained, so this would suggest there
are no screamers in the protocol, no easy-to-find weaknesses.
Now, in any serious threat & security modelling, we can use those
results and work out whether the tool -- any tool -- is good enough for
any particular task or group. I'm not going to do that, be because it
is not interesting to this community to *use* that tool, it is only
interesting to *learn* from the tool. Others who are, have done so.
I believe you will not get Mozilla or its community members interested in
developing a solution that requires that
- all clients and all servers come from Mozilla,
- protocol specifications, source code, and other technologies be kept secret
- security claims must be taken on faith.
Agreed. (I'm somewhat aghast that anyone would suggest that Mozilla
should ever do such a thing. How on earth ... have you read Mozilla's
mission?)
But that's not what it is about. I'm only interested in whether Mozilla
is seriously focussed in delivering security to its users. Right now,
that's an open question.
It is entirely clear that Mozilla is delivering open source and is
passionate about that. Unquestionable. This is a good thing, mostly.
But it is not clear that Mozilla has a focus on security.
Just one example: in this email, you assume that open source &
associated principles is equivalent to security, and the two are
inseparable:
Consequently, I think there's little to be gained by continuing to hold
Skype up as a shining example in this list/group. So, please don't keep
flogging us with praise for Skype or other systems that are antithetical
to the values of the open-source community.
The challenge, or question here, is whether you (speaking broadly) will
ever recognise the two apart.
Or to put it another way, is Mozilla religious about open source? To
the extent that Mozilla will crowd out any learning from the non-open
source world?
(Nobody is asking Mozilla to write proprietary code or protocols. I am
simply talking here about the ability and desire to learn ...)
iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto