Hello Freedombox folks! tl;dr: There are security risks involved in running PageKite relays which I wanted to warn you about. I'm also wondering if folks here are interested in collaborating to build a community-run free-of-charge network of PageKite relays.
Sorry, this got long...

It's been a while since I posted anything here; for those of you who don't remember me, I'm the author of PageKite (owner/operator of https://pagekite.net/) and the lead developer on Mailpile. I've been lurking on this list for ages.

For the rest of this e-mail I'm going to just assume that FreedomBox, Mailpile and similar personal-home-server solutions will never succeed in reaching the masses without PageKite (or something just like it). Folks who disagree may want to stop reading now. :-)

Unfortunately, if we consider PageKite.net's current business model (my paycheck...), it's pretty clear that it will hinder adoption if every single user has to pay a small fee to connect to the network. Freedom is important, but folks are also very price-sensitive about network services. People are so used to free stuff online, that convincing them to pay a subscription for something like PageKite is a very hard sell. If we want efforts like the FreedomBox to succeed, eliminating friction like this is important. When I am wearing my Mailpile hat, I struggle with this same concern.

(Makers of embedded server products currently solve this exact issue by purchasing PageKite accounts in bulk and including the expected costs in the price of the hardware that is sold. This is a viable model, but I suspect it's not one that appeals strongly to this particular community...)

In any case, it would be *really cool* if PageKite service were available free of cost, provided and supported by a community, similar to the Tor relay network. I haven't tried to build such a thing yet and I'd like to tell you why... and why I might be about ready to change my mind and work on this.

I'm bringing this conversation to the FreedomBox list, because of two things: it appears freedombox.me is trying to clone pagekite.net, with less friction and no money involved; community-run relays might be a natural evolutionary direction for that project.
I also saw in Plinth's github someone requesting the ability for one FreedomBox to be a PageKite relay for another. Both of these ideas must be approached with care, or users will be harmed.

The main concerns:

0) Users of a pagekite.me-style service are completely at the mercy of the person who provides them with a sub-domain. Adding some volunteers and decentralization to the mix at the relay stage doesn't actually solve the main social/political problems - the domain owner still controls everything.

1) PageKite relays can be abused in much the same way as Tor exit nodes - if anyone can volunteer to run a relay, some will do so for antisocial reasons, in particular to spy on the traffic. Or worse, to manipulate the traffic, injecting ads, malware etc. Using your friends' relays is NOT a solution; few people are more interested in spying on you than your friends, relatives and coworkers.

2) Phishing campaigns regularly try to use PageKite relays to anonymize their operations. If they succeed, then PageKite relays get automatically blacklisted in various firewalls, preventing legitimate users from accessing their kites.

3) Fly-by-night makers of cheap home-server devices may try to freeload off the community network without contributing anything back.

Points 1) and 2) are critical security issues, point 0) begs the question "what's the point?" I am not sure whether 3) is a bug or a feature!

Neither of the security risks is theoretical; Tor exit node manipulation is common and I shut phishers down on pagekite.me on a regular basis. I have managed these risks at pagekite.net through careful monitoring and manual oversight - and by charging money so I know who my users are and they know who they're doing business with.

Addressing these concerns in a community pagekite service:

0) Centralized control can be reduced somewhat by having multiple service domains and multiple providers of DNS and pagekite authentication, and by encouraging users to use their own domains. While domains cost money, users will jeopardize their freedom/security in exchange for a free sub-domain.

1) End-to-end encryption may prevent tampering and spying on content; protecting metadata from the relay operators is largely impossible unless everyone uses Tor (in which case you might as well just use a Tor hidden service and skip PageKite). For e2e crypto, we have to deal with TLS certificates, which has made this impractical until now. Letsencrypt.org may help, but it's unclear to me whether anything prevents the relay operator from simply using letsencrypt.org to set up their own MITM anyway. Hopefully letsencrypt.org monitors things well enough and warns certificate owners about re-issued certs...

Another attack vector: if the TLD owner and the relay operator are one and the same (this is currently the case with both pagekite.me and freedombox.me), then the owner of the TLD can register a wild-card certificate and use that to MITM their users. Most users will never notice a thing. Security improves if DNS management and relay operations are separated. This attack can also be thwarted by only ever using sub-sub-domains (foo.bar.freedombox.tld).

All of these risks can be mitigated if the users know how to use browser plugins like Certificate Patrol, or know how to manage self-signed certificates and navigate scary browser warnings. For non-technical users, neither is appealing.

Clear-text HTTP relaying in a volunteer-run PageKite network should be strictly forbidden; relay operators that offer clear-text HTTP relaying should be blacklisted. (Who watches the watchers?)

2) Phishing abuse has no solution except active policing of relayed domains, or a high-friction non-anonymous signup process (preferably involving money). It may be possible to automate policing to a certain extent, but this will always be an arms race.
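The wild-card certificate point and the Certificate Patrol mitigation above, as an added illustration that is not part of the original message and not PageKite's own code: RFC 6125-style wildcard matching, where a `*` covers exactly one DNS label (which is why a sub-sub-domain such as foo.bar.freedombox.tld is not covered by a `*.freedombox.tld` certificate), combined with a trust-on-first-use fingerprint store that flags a changed certificate. The hostnames, SAN lists and certificate bytes are constructed for the demo.

```python
"""Client-side checks for a kite hostname's TLS certificate (added example)."""
from hashlib import sha256


def wildcard_matches(pattern: str, host: str) -> bool:
    """True if a SAN dNSName pattern covers host (RFC 6125 style).

    A '*' is only accepted as the whole left-most label and matches exactly
    one label, so '*.freedombox.tld' covers 'foo.freedombox.tld' but not
    'foo.bar.freedombox.tld'. Patterns with fewer than three labels (e.g.
    '*.tld') are rejected, a simplification of the public-suffix rule.
    """
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in p:
        return p == h
    plabels, hlabels = p.split("."), h.split(".")
    if plabels[0] != "*" or "*" in plabels[1:] or len(plabels) < 3:
        return False
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def assess_cert(host: str, san_names: list, cert_der: bytes, pins: dict) -> list:
    """Return warnings for a certificate presented for host.

    pins maps host -> SHA-256 fingerprint of the first certificate seen
    (trust on first use, the behaviour Certificate Patrol adds to a browser).
    Warnings: name mismatch, match only via a wildcard (the certificate may
    belong to the service-domain owner rather than the kite owner), and a
    fingerprint that differs from the pinned one.
    """
    warnings = []
    exact = [n for n in san_names if "*" not in n and wildcard_matches(n, host)]
    wild = [n for n in san_names if "*" in n and wildcard_matches(n, host)]
    if not exact and not wild:
        warnings.append("hostname mismatch")
    elif not exact:
        warnings.append(f"matched only via wildcard {wild[0]}")
    fingerprint = sha256(cert_der).hexdigest()
    seen = pins.get(host)
    if seen is None:
        pins[host] = fingerprint          # first sight: pin it
    elif seen != fingerprint:
        warnings.append("certificate changed since first seen")
    return warnings


if __name__ == "__main__":
    pins = {}  # constructed demo: b"..." stands in for DER certificate bytes
    print(assess_cert("foo.freedombox.tld", ["*.freedombox.tld"], b"cert-A", pins))
    print(assess_cert("foo.freedombox.tld", ["foo.freedombox.tld"], b"cert-B", pins))
    print(assess_cert("foo.bar.freedombox.tld", ["*.freedombox.tld"], b"cert-C", pins))
```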
Conclusion: I think letsencrypt.org *may* be enough of a game-changer that it is worth revisiting how to create a volunteer-operated relay network and make the DNS side of the PageKite solution easily installable, so a more diverse ecosystem can emerge. On the other hand, it might still be premature - the demand isn't there yet, is it? It's certainly not urgent.

Are there folks on this list that would be interested in participating and providing resources to such an effort? I've got my hand tentatively raised... :-) I've also had the domain pagekite.org registered for ages, for exactly this use-case.

All the best,
- Bjarni
Freedombox-discuss mailing list
Freedombox-discuss@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss