Re: [liberationtech] Announcing Scramble.io
On 08/23/2013 06:22 PM, Tom Ritter wrote:

>> $ dig ns chocolatine.org +short
>> uz5qry75vfy162c239jgx7v2knkwb01g3d04qd4379s6mtcx2f0828.ns.chocolatine.org.
>> uz5cjwzs6zndm3gtcgzt1j74d0jrjnkm15wv681w6np9t1wy8s91g3.ns.chocolatine.org.
>
> I feel compelled to point out the precedence here. This is a problem known as Zooko's Triangle: ...

This was a problem (sort of) early in the days of instant messaging, when IM handles tended away from memorability as they grew in popularity. Letting users set local aliases for IM buddies helped with that. Automatic addition to a local address book + buddy aliasing seems like a potential solution.

--
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

What the hell has happened here? --Peter Watts

--
Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Announcing Scramble.io
Wonderful! It's similar to my concept posted earlier <http://www.mail-archive.com/liberationtech@lists.stanford.edu/msg06342.html>. Your hash as email address eliminates the problem in my design to trust the server the first time emailing someone.
Re: [liberationtech] Announcing Scramble.io
Hi DC,

your problem has already been solved, the AES end-to-end key can (and is often) be transferred in a GnuPG-like secured environment, e.g. like http://goldbug.sf.net - a full p2p decentral Email client - is using it.

Does your service use a central approach? As only client side is secure, you need clients to be in use.

2013/8/23 DC dcpo...@cs.stanford.edu

> Hi everyone,
>
> I'm DC, and I've been lurking here for a few weeks :)
>
> Since the NSA leaks, I've been inspired to work on an old dream: end-to-end encrypted email.
>
> One difficult problem in public-key encryption is key exchange: how to get a recipient's public key and know it's really theirs.
Re: [liberationtech] Announcing Scramble.io
Hi DC,

Thanks for the reply. Responses to your responses inline. ;-)

On 23/08/13 21:51, DC wrote:

> The hash format (first 80 bits of SHA-1, encoded base32) is the same as Onion URLs use. How do they avoid preimage attacks? (I thought generating 2^80 keypairs and checking each one to see if the public key matches was simply too much work, maybe I'm wrong though.)

80 bits may not be enough to defend against a well-funded adversary these days - that's one aspect of the Tor hidden services design that needs some love.

https://blog.torproject.org/blog/hidden-services-need-some-love

...the current 80-bit security of onion addresses does not inspire confidence against impersonation attacks.

>> How exactly is the symmetric key used to encrypt the private key? What block cipher mode do you use? Is there authentication as well as encryption?
>
> (Currently I'm using the first 128 bits of a SHA hash as the key, then AES-128 symmetric encryption.)

What block cipher mode of operation do you use? If the mode of operation requires padding, what padding scheme do you use? Do you authenticate the ciphertext? If so, what MAC function do you use, and how do you derive the MAC key?

These are nitpicky questions, but they could be important for security if the server's compromised.

> ... after implementing your suggestion, it will be PBKDF2 instead, and I'll generate a random salt for each user. (That way, an attacker can only try to brute-force one account at a time, instead of all of them.)

Awesome!

Cheers,
Michael
[liberationtech] Announcing Scramble.io
Hi everyone,

I'm DC, and I've been lurking here for a few weeks :)

Since the NSA leaks, I've been inspired to work on an old dream: end-to-end encrypted email.

One difficult problem in public-key encryption is key exchange: how to get a recipient's public key and know it's really theirs.

My plan is to make your email the hash of your public key. For example, my address is *nqkgpx6bqscsl...@scramble.io* (I borrowed this idea from Tor Hidden Services.)

This lets you build an email system with some nice properties:

* It's webmail. I want something easy to use and understand, unlike PGP, so that nontechnical people can grok it.
* Webmail has an inherent weakness: if push comes to shove, the NSA can compel a Scramble server to serve bad Javascript to their users. I want to give users the option to install the app as a Chrome extension. Same HTML, CSS, and JS, but served locally, so the server is untrusted.
* You can look up someone's public key from an untrusted server, and verify that it's actually theirs.
* Anyone can run a Scramble server
* It's open source
* All email between Scramble addresses is encrypted. Both Subject and Body are encrypted via PGP.
* With some precautions, it's possible to avoid associating your real identity with your email address at all. This means that even From and To can be anonymous.

Feel free to try it out! https://scramble.io/

Here's a more thorough description of my design and my motivations: https://scramble.io/doc/

Finally, here's a more thorough description of the technical details: https://scramble.io/doc/how.html

Thoughts?

Best
DC
Re: [liberationtech] Announcing Scramble.io
On 23/08/13 09:53, DC wrote:

> Hi everyone,
>
> I'm DC, and I've been lurking here for a few weeks :)
>
> Since the NSA leaks, I've been inspired to work on an old dream: end-to-end encrypted email.
>
> One difficult problem in public-key encryption is key exchange: how to get a recipient's public key and know it's really theirs.
>
> My plan is to make your email the hash of your public key. For example, my address is *nqkgpx6bqscsl...@scramble.io* (I borrowed this idea from Tor Hidden Services.)

This does not improve on the properties of PGP, fundamentally. Without a pre-existing secure channel, knowledge of this public hash is just as susceptible to MitM. You can argue well my email address is pasted on so many websites, it's infeasible for an attacker to MitM all of them, but you can say the same thing for PGP keys too.

In some senses it's even worse because a human has to remember the hash *exactly*, instead of having PGP manage the email-fingerprint mapping for you. You could write some address book software to improve on this, however.

--
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git
Re: [liberationtech] Announcing Scramble.io
This is great work, DC. Congrats on launching!

> This does not improve on the properties of PGP, fundamentally. Without a pre-existing secure channel, knowledge of this public hash is just as susceptible to MitM.

Scramble isn't trying to improve on PGP at the cryptographic level -- it actually *uses* PGP (specifically, OpenPGP.js) to encrypt the emails. The point of Scramble is to make PGP actually usable by humans. PGP's problem is not that we lack a way to make pre-existing secure channels, it's that literally no one uses it.

Scramble makes PGP usable by the masses. It's webmail so it's convenient and doesn't require any software configuration. And it uses a great little trick pioneered by tor hidden services to eliminate the need for key signing parties, which weren't <http://ripe60.ripe.net/images/photo-keysigning.jpg> much <http://ripe61.ripe.net/wp-content/uploads/2010/11/key-signing-prague.jpg> fun <http://mdcc.cx/~joostvb/plaatjes/20050910-tilburg-tosti/ksp.jpg> anyways.

All this usability gain from webmail, but what about attacks like what would have happened to LavaBit? Some say that webmail can't be made secure. We don't know much about what LavaBit was asked to do, but Scramble is (theoretically) secure against attacks from centralized adversaries like governments who control root CAs and could take over and even operate the Scramble servers.

The browser treats the server as a dumb blob store, decrypts all data locally, and doesn't ever download new javascript (if you're using the chrome extension version of Scramble, two click install). An actively malicious server is not a problem. Mad cool.

Even if you're *not* using the chrome extension version (i.e. paranoid mode), it's impossible for a central adversary who controls the Scramble servers to do a targeted attack against you specifically, because the browser downloads all the javascript upfront and only requests user-specific mailbox data afterwards. It doesn't download any new code after it's identified you to the server. Again, mad cool. If the attacker served malicious JS to everyone, users would quickly notice and word would get out. A distributed program could automate this check.

I recommend you all read the two links DC posted. Scramble is the real deal. Good news for all of us!

Feross
feross.org - peercdn.com (make your site faster reduce your bandwidth costs!)
Re: [liberationtech] Announcing Scramble.io
Sounds very cool yes. But where is the OpenPGP.js stored?

--
Jerzy Łogiewa -- jerz...@interia.eu

On Aug 23, 2013, at 2:28 PM, Feross Aboukhadijeh wrote:

> Even if you're *not* using the chrome extension version (i.e. paranoid mode), it's impossible for a central adversary who controls the Scramble servers to do a targeted attack against you specifically, because the browser downloads all the javascript upfront and only requests user-specific mailbox data afterwards. It doesn't download any new code after it's identified you to the server. Again, mad cool.
Re: [liberationtech] Announcing Scramble.io
Hello!

Also are there any plans for Scramble to be a POP3 or IMAP client, so I can use another email with it?

--
Jerzy Łogiewa -- jerz...@interia.eu
Re: [liberationtech] Announcing Scramble.io
> Sounds very cool yes. But where is the OpenPGP.js stored?

scramble webmail: it's stored on the server and transmitted over https.
scramble extension: stored locally, never/rarely updated, like tor browser bundle.

See: https://scramble.io/doc/#explanation

I'm sure DC can elaborate more.

Feross
feross.org - peercdn.com (make your site faster reduce your bandwidth costs!)
Re: [liberationtech] Announcing Scramble.io
> One difficult problem in public-key encryption is key exchange: how to get a recipient's public key and know it's really theirs.
>
> My plan is to make your email the hash of your public key. For example, my address is *nqkgpx6bqscsl...@scramble.io* (I borrowed this idea from Tor Hidden Services.)

This is what we need everyone to adopt. Your ID = your public key hash and not an account on some server you don't control. Glad to see more people adopt this idea.

Any chance of interoperability with other projects with similar aims and ideas like Cables? [1]

[1] http://dee.su/cables
Re: [liberationtech] Announcing Scramble.io
On 23/08/13 09:53, DC wrote:

> One difficult problem in public-key encryption is key exchange: how to get a recipient's public key and know it's really theirs.
>
> My plan is to make your email the hash of your public key. For example, my address is *nqkgpx6bqscsl...@scramble.io* (I borrowed this idea from Tor Hidden Services.)

Hi DC,

The simple, usable interface is really cool, I love it. Obligatory crypto bikeshedding:

An 80-bit hash isn't long enough to prevent a second-preimage attack by a well-funded adversary, but it's too long for users to memorise or manually enter addresses. Perhaps a longer hash would be better?

When storing the private key on the server, you encrypt the private key with a symmetric key derived from the user's passphrase. The server could use a dictionary attack with rainbow tables to decrypt the private key. You should use random salt and a key derivation function designed for deriving keys from passwords, such as PBKDF2 or scrypt, to derive the symmetric key.

How exactly is the symmetric key used to encrypt the private key? What block cipher mode do you use? Is there authentication as well as encryption?

Cheers,
Michael
Re: [liberationtech] Announcing Scramble.io
On 08/23/2013 04:53 AM, DC wrote:

> * Anyone can run a Scramble server
> * It's open source

Hi DC,

Thanks for sharing this project. I'd like to install it on a server and play with it, but can't find an install doc. https://github.com/dcposch/scramble/blob/master/doc/how.md references a Quick Start, but I can't seem to find it. I'm sure I'm overlooking something, but thought I'd check first.

Thanks.

Host
Re: [liberationtech] Announcing Scramble.io
On 08/23/2013 04:53 AM, DC wrote:

> Feel free to try it out! https://scramble.io/

scramble.io does not play nicely with the Tor Browser Bundle:

Sorry, you'll need a modern browser to use Scramble. Use Chrome = 11, Safari = 3.1 or Firefox = 21

Problematic.

--
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

Time is the fire in which we burn.
Re: [liberationtech] Announcing Scramble.io
On 08/23/2013 12:43 PM, Griffin Boyce wrote:

> It should give an option to continue anyway, tbh.

At this time, it does not. Blank canvas.

--
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

Time is the fire in which we burn.
Re: [liberationtech] Announcing Scramble.io
On Fri, Aug 23, 2013 at 01:53:59AM -0700, DC wrote:

> My plan is to make your email the hash of your public key. For example, my address is *nqkgpx6bqscsl...@scramble.io* (I borrowed this idea from Tor Hidden Services.)

Cool idea. This is also similar to CurveCP and DNSCurve. For example:

$ dig ns chocolatine.org +short
uz5qry75vfy162c239jgx7v2knkwb01g3d04qd4379s6mtcx2f0828.ns.chocolatine.org.
uz5cjwzs6zndm3gtcgzt1j74d0jrjnkm15wv681w6np9t1wy8s91g3.ns.chocolatine.org.

But I think you meant to say the Base32 encoding of one's public key, not the hash, right?

Nicolai
Re: [liberationtech] Announcing Scramble.io
Hi Michael,

Thanks for the feedback! Responses inline.

> The simple, usable interface is really cool, I love it. Obligatory crypto bikeshedding: An 80-bit hash isn't long enough to prevent a second-preimage attack by a well-funded adversary, but it's too long for users to memorise or manually enter addresses. Perhaps a longer hash would be better?

I originally had 160-bit hashes, but that made for very long email addresses. The hash format (first 80 bits of SHA-1, encoded base32) is the same as Onion URLs use. How do they avoid preimage attacks? (I thought generating 2^80 keypairs and checking each one to see if the public key matches was simply too much work, maybe I'm wrong though.)

> When storing the private key on the server, you encrypt the private key with a symmetric key derived from the user's passphrase. The server could use a dictionary attack with rainbow tables to decrypt the private key. You should use random salt and a key derivation function designed for deriving keys from passwords, such as PBKDF2 or scrypt, to derive the symmetric key.

Yes, I'll try that now, thanks!

> How exactly is the symmetric key used to encrypt the private key? What block cipher mode do you use? Is there authentication as well as encryption?

(Currently I'm using the first 128 bits of a SHA hash as the key, then AES-128 symmetric encryption.)

I have authentication as well as encryption. (I don't rely on the authentication for message secrecy. It's just so that normal, non-NSA adversaries can't download your email and attempt to crack the encryption. Also so that normal adversaries can't get meta-info such as the number of unread emails you have.)

SHA1( 1 || passphrase) - authentication token, server sees this
SHA1( 2 || passphrase) - used to encrypt the private key, server never sees this

... after implementing your suggestion, it will be PBKDF2 instead, and I'll generate a random salt for each user. (That way, an attacker can only try to brute-force one account at a time, instead of all of them.)

Thanks for the feedback,
DC

On Fri, Aug 23, 2013 at 6:41 AM, Michael Rogers mich...@briarproject.org wrote:

> On 23/08/13 09:53, DC wrote:
>
>> One difficult problem in public-key encryption is key exchange: how to get a recipient's public key and know it's really theirs. My plan is to make your email the hash of your public key. For example, my address is *nqkgpx6bqscsl...@scramble.io (I borrowed this idea from Tor Hidden Services.)
>
> Hi DC,
>
> The simple, usable interface is really cool, I love it. Obligatory crypto bikeshedding: An 80-bit hash isn't long enough to prevent a second-preimage attack by a well-funded adversary, but it's too long for users to memorise or manually enter addresses. Perhaps a longer hash would be better?
>
> When storing the private key on the server, you encrypt the private key with a symmetric key derived from the user's passphrase. The server could use a dictionary attack with rainbow tables to decrypt the private key. You should use random salt and a key derivation function designed for deriving keys from passwords, such as PBKDF2 or scrypt, to derive the symmetric key.
>
> How exactly is the symmetric key used to encrypt the private key? What block cipher mode do you use? Is there authentication as well as encryption?
>
> Cheers,
> Michael
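The passphrase derivation discussed in the message above, as an added example that is not part of the original thread or Scramble's code: the unsalted SHA-1 scheme beside a PBKDF2 variant with a per-user salt, showing why the salt forces one account at a time. The iteration count, PBKDF2-HMAC-SHA256, the HMAC labels, the byte encoding of the "1"/"2" prefixes and the helper names are assumptions.

```python
import hashlib
import hmac
import os

# Assumed work factor for this sketch; the thread does not give one.
PBKDF2_ITERATIONS = 200_000


def legacy_derive(passphrase):
    """Unsalted scheme from the message: SHA1(1 || p) and SHA1(2 || p).

    Assumption: the prefixes are the ASCII characters "1" and "2".
    """
    p = passphrase.encode("utf-8")
    auth_token = hashlib.sha1(b"1" + p).digest()    # sent to the server
    enc_key = hashlib.sha1(b"2" + p).digest()[:16]  # first 128 bits, AES-128 key
    return auth_token, enc_key


def new_salt():
    """Random per-user salt, stored by the server next to the account."""
    return os.urandom(16)


def salted_derive(passphrase, salt, iterations=PBKDF2_ITERATIONS):
    """PBKDF2 once, then split the result into two independent values.

    One 32-byte PBKDF2 output is expanded with HMAC under distinct labels,
    so knowing the auth token does not reveal the key-encryption key.
    """
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                                 salt, iterations, dklen=32)
    auth_token = hmac.new(master, b"auth", hashlib.sha256).digest()
    enc_key = hmac.new(master, b"encrypt", hashlib.sha256).digest()[:16]
    return auth_token, enc_key


def shared_guess_hits(tokens_by_user, guess_token):
    """Users whose stored token equals one precomputed guess."""
    return sorted(u for u, t in tokens_by_user.items()
                  if hmac.compare_digest(t, guess_token))


if __name__ == "__main__":
    # Constructed accounts: two users who picked the same weak passphrase.
    legacy = {u: legacy_derive("correct horse")[0] for u in ("alice", "bob")}
    print(shared_guess_hits(legacy, legacy_derive("correct horse")[0]))

    salts = {u: new_salt() for u in ("alice", "bob")}
    salted = {u: salted_derive("correct horse", salts[u])[0] for u in salts}
    guess = salted_derive("correct horse", salts["alice"])[0]
    print(shared_guess_hits(salted, guess))
```

With the unsalted scheme one hashed guess matches every account that shares the passphrase; with per-user salts the same guess has to be recomputed, at full PBKDF2 cost, for each account.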
Re: [liberationtech] Announcing Scramble.io
On 23 August 2013 16:29, Nicolai nicolai-liberationt...@chocolatine.org wrote:

> On Fri, Aug 23, 2013 at 01:53:59AM -0700, DC wrote:
>
>> My plan is to make your email the hash of your public key. For example, my address is *nqkgpx6bqscsl...@scramble.io* (I borrowed this idea from Tor Hidden Services.)
>
> Cool idea. This is also similar to CurveCP and DNSCurve. For example:
>
> $ dig ns chocolatine.org +short
> uz5qry75vfy162c239jgx7v2knkwb01g3d04qd4379s6mtcx2f0828.ns.chocolatine.org.
> uz5cjwzs6zndm3gtcgzt1j74d0jrjnkm15wv681w6np9t1wy8s91g3.ns.chocolatine.org.

I feel compelled to point out the precedence here. This is a problem known as Zooko's Triangle: https://en.wikipedia.org/wiki/Zooko's_triangle

Briefly it says, when giving names to members of a network: Secure, Decentralized, Memorable, pick 2. (Another good page on it seems to be http://shoestringfoundation.org/~bauerm/names/distnames.html )

SSL is Secure and Memorable, but highly centralized. (It is secure because you have to prove ownership of a name to get a certificate for it.)

This technique is Secure and Decentralized - but not memorable. Off the top of my head, other techniques that make the same tradeoff are:

- Tor Hidden Services, as you mentioned
- SSH OpenPGP fingerprints (here's my fingerprint, no matter where you find it, that's my identifier)
- YURLs http://www.waterken.com/dev/YURL/httpsy/
- From the above URL: Freenet's CHKs, Mnet's mnetids, Chord's keys, Freenet's SSKs, SPKI's certificates

For very technical audiences, I've thought these things are all right, because we tend to be fine copy/pasting around opaque strings of gibberish; but for 'normal' people it just felt too weird. I kind of wonder with the advent and integration of QR scanners, these schemes might gain more traction. It'd be worth trialing one of these and seeing how it goes.

-tom
Re: [liberationtech] Announcing Scramble.io
> *Also are there any plans for Scramble to be a POP3 or IMAP client, so I can use another email with it?*

POP3/IMAP Client

To support an external POP3/IMAP server, someone would have to make a Scramble client that's not web-based. It's not possible, I think, from a web app. It might be possible if the user installs it as a browser extension.

More importantly: if you want to use existing, normal email addresses (eg b...@gmail.com, with a Scramble client pointing to Gmail's IMAP server, instead of hash@scramble.io) then the key exchange problem returns. If I want to send an email to j...@gmail.com, how do I find his public key?

POP/IMAP Server

By design, a Scramble server never sees your email in plaintext, and has no way to decrypt it. So a Scramble server also can't be a POP or IMAP server that a normal client could use. (Even if you install PGP, you'd still need a client with the following additional modifications:

* Decrypt the subject (since Scramble encrypts both subject and body)
* Look up recipient public keys from a Scramble server when you want to send email)

So no, you can't use Outlook with a Scramble server, and you can't use a Scramble client with a normal email address + IMAP server.

I've thought a lot about secure key look up for existing, human-readable email addresses. It's a hard problem! But I agree, it would be v useful

Best
DC

On Fri, Aug 23, 2013 at 1:53 AM, DC dcpo...@cs.stanford.edu wrote:

> Hi everyone,
>
> I'm DC, and I've been lurking here for a few weeks :)
>
> Since the NSA leaks, I've been inspired to work on an old dream: end-to-end encrypted email.
>
> One difficult problem in public-key encryption is key exchange: how to get a recipient's public key and know it's really theirs. My plan is to make your email the hash of your public key. For example, my address is *nqkgpx6bqscsl...@scramble.io* (I borrowed this idea from Tor Hidden Services.)
>
> This lets you build an email system with some nice properties:
>
> * It's webmail. I want something easy to use and understand, unlike PGP, so that nontechnical people can grok it.
> * Webmail has an inherent weakness: if push comes to shove, the NSA can compel a Scramble server to serve bad Javascript to their users. I want to give users the option to install the app as a Chrome extension. Same HTML, CSS, and JS, but served locally, so the server is untrusted.
> * You can look up someone's public key from an untrusted server, and verify that it's actually theirs.
> * Anyone can run a Scramble server
> * It's open source
> * All email between Scramble addresses is encrypted. Both Subject and Body are encrypted via PGP.
> * With some precautions, it's possible to avoid associating your real identity with your email address at all. This means that even From and To can be anonymous.
>
> Feel free to try it out! https://scramble.io/
>
> Here's a more thorough description of my design and my motivations: https://scramble.io/doc/
>
> Finally, here's a more thorough description of the technical details: https://scramble.io/doc/how.html
>
> Thoughts?
>
> Best
> DC
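The lookup check described in the announcement quoted above, using the address format given earlier in the thread (first 80 bits of SHA-1, base32), as an added example that is not Scramble's own code. Hashing the raw key bytes, the function names and the dictionary standing in for an untrusted server are assumptions; the key values are constructed placeholders.

```python
import base64
import hashlib
import hmac

HASH_BYTES = 10  # 80 bits, as stated in the thread


class KeyMismatch(Exception):
    """The served key does not hash to the address that was looked up."""


def address_hash(public_key):
    """First 80 bits of SHA-1 over the key bytes, base32, lower case.

    Assumption: the hash covers the raw key bytes passed in; the thread
    does not say which serialization Scramble hashes.
    """
    digest = hashlib.sha1(public_key).digest()[:HASH_BYTES]
    return base64.b32encode(digest).decode("ascii").lower()


def verify_lookup(address, served_key):
    """True only if served_key hashes to the local part of address."""
    local, sep, _host = address.partition("@")
    if not sep or len(local) != 16:  # 80 bits is exactly 16 base32 characters
        return False
    expected = address_hash(served_key).encode("ascii")
    return hmac.compare_digest(local.lower().encode("utf-8"), expected)


def fetch_key(directory, address):
    """Look up a key on an untrusted server (here a dict) and check it."""
    served = directory.get(address)
    if served is None or not verify_lookup(address, served):
        raise KeyMismatch(address)
    return served


# Constructed stand-ins for public keys; not real key material.
ALICE_KEY = b"constructed public key bytes: alice"
OTHER_KEY = b"constructed public key bytes: substituted"
ALICE_ADDR = address_hash(ALICE_KEY) + "@scramble.io"

if __name__ == "__main__":
    honest = {ALICE_ADDR: ALICE_KEY}
    tampered = {ALICE_ADDR: OTHER_KEY}
    print(fetch_key(honest, ALICE_ADDR) == ALICE_KEY)
    try:
        fetch_key(tampered, ALICE_ADDR)
    except KeyMismatch as exc:
        print("rejected substituted key for", exc)
```

The check is only as strong as the 80-bit truncation that Michael's reply questions; a longer hash changes `HASH_BYTES` and the expected local-part length, nothing else.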
Re: [liberationtech] Announcing Scramble.io
I'm conceptually really curious about various aspects but before I forget - this time - I'd like to ask two broader questions first:

- Is this in any way an officially backed project in any way? Part of a thesis or what-not let's say?
- (To everyone) Why is there almost never a discussion on RFCs and talking something down the pathway of what would it take to make a standard out of this?

Not endorsing or panning anything, just trying to think about different aspects first this time.

I will say one thing - I think it's ~perfectly OK~ to break certain aspects of email legacy support (say the POP/IMAP question) because, any way we cut it, we're going to end up transitioning from a good chunk of the email paradigm we know if we're ever going to get broad adoption. So I do like the idea of trying to solve the new problems introduced in different ways and chart out risk measurements in terms of users not us..

Cheers, -Ali
Re: [liberationtech] Announcing Scramble.io
On Aug 23, 2013, at 7:12 PM, Ali-Reza Anghaie a...@packetknife.com wrote:

> - (To everyone) Why is there almost never a discussion on RFCs and talking something down the pathway of what would it take to make a standard out of this?

Because, at this point, very few useful standards make it through the IETF. There are things for which the IETF is completely appropriate. VoIP and jabber and so forth work pretty well in the IETF, for a variety of reasons. But something like this, which is much more about the application layer, needs to be implemented first, get a base of users and testers and contributors, and then if there's something innovative about it down at the protocol layer, that can be run through the IETF after-the-fact.

-Bill
Re: [liberationtech] Announcing Scramble.io
>> One difficult problem in public-key encryption is key exchange: how to get a recipient's public key and know it's really theirs. My plan is to make your email the hash of your public key. For example, my address is *nqkgpx6bqscsl...@scramble.io* (I borrowed this idea from Tor Hidden Services.)
>
> This is what we need everyone to adopt. Your ID = your public key hash and not an account on some server you don't control. Glad to see more people adopt this idea. Any chance of interoperability with other projects with similar aims and ideas like Cables? [1]
>
> [1] http://dee.su/cables

Cables looks very cool.

One big difference between Scramble and Cables is the synchronous aspect. With Scramble, I've tried to preserve the semantics of normal email, where the host and recipient never need to be online at the same time.

Scramble:

* You send from any computer. The server stores an encrypted copy. The client stores nothing.
* The recipient reads the message from any computer, some point later.

Cables (correct me if I misunderstood!):

* You send from your own computer. The client stores it until the recipient is online.
* The recipient reads from their own computer. When you and they are both online, the message is exchanged P2P, no servers involved.

I think both ways are cool. Scramble is easy to use and similar to normal email. Cables takes advantage of the synchronous, P2P message transfer to negotiate a key (Diffie Hellman, I'm guessing?) that's only used once, so that you get forward secrecy.

Two questions!

* Can I try Cables without installing the full Liberte Linux distro?
* Could you point me to the source?

Mine's here: *https://github.com/dcposch/scramble*

DC