Re: [liberationtech] Feds put heat on Web firms for master encryption keys

2013-07-25 Thread Yan Zhu
On Thu, Jul 25, 2013 at 12:41 PM, Ben Laurie  wrote:

> On 25 July 2013 11:22, Nick  wrote:
> > On Thu, Jul 25, 2013 at 11:19:22AM +0200, Eugen Leitl wrote:
> >> (See also https://en.wikipedia.org/wiki/Convergence_(SSL) )
> >
> > Would Convergence help here? I can't see how. If a government
> > secretly acquired the SSL private keys for a site, and the site
> > continued using them, then no convergence notary would know any
> > cause not to vouch for the key.
>
> What helps here is perfect forward secrecy.
>

It's worth remembering that SSL is primarily used as a means of protecting
data in transit, not data at rest; PFS doesn't help for the latter because
SSL-encrypted traffic is decrypted before it gets stored on a company's
servers (in order to be useful for queries and such).

I had difficulty finding information about company policies for protecting
data at rest, but anecdotally, they seem to mostly vary from "stored in
plaintext in a password-protected database" to "stored in plaintext in a
password-protected database behind a firewall." In other words, even with
PFS-supporting SSL, there is still a centralized and persistent attack
point for user data. My intuition is that if PFS becomes more popular,
federal agencies will simply shift resources to obtaining access to data at
rest.

(I wrote about this in more detail here:
http://zyan.scripts.mit.edu/blog/some-thoughts-on-facebook-implementing-forward-secrecy/
in response to the announcement of Facebook implementing PFS.)

Dialogue and links suggesting otherwise would be much appreciated.

-Yan

PS: Does anyone actively use convergence? The original repository hasn't
been updated in a year. I installed a patched version of it in the latest
FF from Github and immediately had to open this ticket:
https://github.com/moxie0/Convergence/issues/176

>
> BTW, better alternative to Convergence: Certificate Transparency -
> http://tools.ietf.org/html/rfc6962.
> --
> Too many emails? Unsubscribe, change to digest, or change password by
> emailing moderator at compa...@stanford.edu or changing your settings at
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>

-- 
Yan Zhu
http://web.mit.edu/zyan/www/
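The point made in the message above, that forward secrecy protects recorded traffic against a later key compromise but does nothing for plaintext the server stores after decrypting it, can be shown with a small model. The code below is an added illustration, not anything from the thread or from any of the projects it mentions. It uses a constructed toy Diffie-Hellman group (far too small for real use) and a hash-based stream cipher in place of TLS, and it models the non-PFS case as static DH rather than RSA key transport; the function and variable names are all assumptions of this example.

```python
"""Toy model: forward secrecy vs. a compromised long-term key vs. data at rest.

Constructed example. The DH group, cipher and handshake are simplifications
standing in for TLS; nothing here is a real protocol implementation.
"""
import hashlib
import hmac
import secrets

# Toy DH parameters (constructed for illustration only): a Mersenne prime modulus.
P = 2 ** 127 - 1
G = 3

# Constructed sample request that a client sends to the server.
SAMPLE_MESSAGE = b"POST /messages body=meet at 7pm"


def rand_exponent() -> int:
    """Random private exponent in [2, P-1]."""
    return secrets.randbelow(P - 2) + 2


def kdf(shared_secret: int) -> bytes:
    """Derive a 32-byte session key from the DH shared secret."""
    return hashlib.sha256(b"toy-kdf" + shared_secret.to_bytes(16, "big")).digest()


def keystream(key: bytes, n: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy construction)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR with keystream, then append an HMAC tag so tampering/wrong keys are detected."""
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then strip the keystream. Raises ValueError on a wrong key."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))


class Server:
    """Server with one long-term key and a database holding decrypted requests."""

    def __init__(self):
        self.static_priv = rand_exponent()
        self.static_pub = pow(G, self.static_priv, P)
        # Data at rest: TLS terminates here, so requests are stored in plaintext.
        self.database = []


def run_session(server: Server, message: bytes, forward_secret: bool) -> dict:
    """One client/server exchange; returns what a passive recorder on the wire sees."""
    client_priv = rand_exponent()
    client_pub = pow(G, client_priv, P)
    if forward_secret:
        srv_priv = rand_exponent()          # fresh per session, discarded afterwards
        srv_pub = pow(G, srv_priv, P)
    else:
        srv_priv, srv_pub = server.static_priv, server.static_pub   # reused every session
    blob = encrypt(kdf(pow(srv_pub, client_priv, P)), message)
    # Server side: derive the same key, decrypt, and store the plaintext.
    server.database.append(decrypt(kdf(pow(client_pub, srv_priv, P)), blob))
    return {"client_pub": client_pub, "server_pub": srv_pub, "ciphertext": blob}


def decrypt_recording(transcript: dict, static_priv: int):
    """Attempt to read a recorded session using only the server's long-term key.

    Succeeds when the session used the static key; returns None when the server
    used an ephemeral key, because g^(client*ephemeral) cannot be derived from it.
    """
    try:
        return decrypt(kdf(pow(transcript["client_pub"], static_priv, P)),
                       transcript["ciphertext"])
    except ValueError:
        return None


def demo():
    """Returns (recovered from non-PFS session, recovered from PFS session, database)."""
    server = Server()
    static_session = run_session(server, SAMPLE_MESSAGE, forward_secret=False)
    pfs_session = run_session(server, SAMPLE_MESSAGE, forward_secret=True)
    # Later, the long-term key leaks: only the non-PFS recording becomes readable,
    # but the database already holds both messages in plaintext regardless.
    return (decrypt_recording(static_session, server.static_priv),
            decrypt_recording(pfs_session, server.static_priv),
            server.database)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the asymmetry the message describes: the recording of the static-key session is recoverable once the long-term key is known, the forward-secret recording is not, and the server's database contains the plaintext of both sessions either way.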

[liberationtech] Convergence: does anyone use it?

2013-07-28 Thread Yan Zhu
It seems to be the browser extension that everyone
talks about but nobody uses. For one, the original repository isn't
actively maintained, and I found at least one unpatched issue that keeps it
from working in recent Firefoxes (see
https://github.com/moxie0/Convergence/issues).

Is anyone running it? Thoughts on whether it's worth forking and patching?

Perspectives, on the other hand, is a similar project that is quite active
but seems to get fewer mentions: http://perspectives-project.org/

-Yan

Re: [liberationtech] Convergence: does anyone use it?

2013-07-28 Thread Yan Zhu
On Mon, Jul 29, 2013 at 1:16 AM, Tim Dittler <ditt...@informatik.hu-berlin.de> wrote:

>
> > Is anyone running it? Thoughts on whether it's worth forking and
> > patching?
> There is actually someone working on a fork of Convergence:
> https://github.com/mk-fg/convergence
>

This is more or less what I was looking for, thanks!

-Yan


>
> There is even another branch of Convergence which implements TACK. I
> think this might be an interesting direction to look at:
> https://github.com/moxie0/Convergence/tree/tack
> I hope there will be some progress in the adoption of TACK.
>
> Yours,
> Tim
>

-- 
Yan Zhu
http://web.mit.edu/zyan/www/

[liberationtech] Aaron Swartz Memorial Hackathons, Nov. 8-10

2013-09-24 Thread Yan Zhu
Hi libtech,

There will be a worldwide series of hackathons in memory of activist Aaron
Swartz on the Nov. 8 weekend. We plan to have presenters talk about
projects in the spirit of Aaron's work at as many locations worldwide as
possible, and then have 36-40 hours of time for people to contribute to
them.

So far, we've had people volunteer to run events in San Francisco, Berlin,
Chicago, Boston, and Seattle. (We'd love to have more.)

If you'd like to give a presentation at one of these hackathons or organize
a new one, please email the coordination list at aaronswh...@numm.org. If
you're in SF, you can just reply to me.

There's more info about the hackathons at
http://aaronswartzhackathon.org/ (summary/landing page) and
https://noisebridge.net/wiki/Worldwide_Aaron_Swartz_Memorial_Hackathon_Series
(wiki for planning/organizing projects).

Please feel free to forward this email.

-Yan
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.