Aunt Tillie is not going to check the SAS/Fingerprint, so she is not fully protected. However she is almost certainly protected against *mass covert surveillance*, since if Isaac (the ISP - see http://en.wikipedia.org/wiki/Alice_and_Bob) or Justin (the Justice System) or Trudy (the intruder) employed ubiquitous man-in-the-middle then they couldn't possibly prevent that fact from being discovered (since at least some of the thousands or millions of users will check the SAS/Fingerprint at least once). Once the covert surveillance becomes public knowledge then society can work out what (if anything) to do about it (something beyond the scope of crypto protocols).

Note that Retained Shared Secrets (RSS) are employed by SSH, ZRTP and ESessions. RSS ensure that Aunt Tillie is fully protected (even if she never checks the SAS/Fingerprint), as long as Mallory was not around for *every* session since she first communicated with someone (a significant hurdle).

William Whistleblower, Sebastian Spy and Derek Dissident (the names are my invention not "conventions") are typically going to check the SAS/Fingerprint, so they are fully protected.

IMHO the combination of SAS and RSS provides varying security benefits to everyone. The security depends on whether users are prepared to make a minimal effort or not. But even Aunt Tillie transparently enjoys significantly increased security.

IMHO, barring some unforeseen advance in crypto science, we cannot offer Aunt Tillie any better. The only alternatives are PKI and Web-of-Trust, which have both proved impractical for Aunt Tillie... and neither of those solutions protects her identity anyway. Identity protection is a critical advantage for William, Sebastian and Derek. So, IMHO, we can't do any better for them either.

- Ian
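An added illustration of the SAS plus retained-shared-secret mechanism the post describes. This is not code from Ian's message, nor from any real ZRTP, SSH or ESessions implementation; it is a toy model in the style of ZRTP's rs1 cache. The names Endpoint, run_session, kdf, rs_id and the two scenario functions are invented here, the 1024-bit MODP prime is only for demonstration, and the SAS is simply the first 32 bits of the session secret. Each side announces a short MAC of the retained secret it holds for the peer it thinks it is talking to; a peer that cannot produce the matching MAC while a cached secret exists triggers a cache-mismatch warning even when nobody ever compares the SAS.

```python
"""Toy model of SAS + retained shared secrets (RSS), ZRTP-style.

Added illustration, not code from the thread or from any real
ZRTP/SSH/ESessions implementation. All identifiers are invented.
"""
import hashlib
import hmac
import secrets

# Assumption: 1024-bit MODP prime (RFC 2409 group 2). Fine for a demo, too
# small for production, where X25519 or a >= 2048-bit group would be used.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def kdf(label, *parts):
    """Length-prefixed SHA-256 over a label and the given byte strings."""
    h = hashlib.sha256(label)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def rs_id(rs, role):
    """Short MAC proving knowledge of a retained secret without revealing it."""
    return hmac.new(rs, role, hashlib.sha256).digest()[:8]


class Endpoint:
    def __init__(self, name):
        self.name = name
        self.cache = {}   # peer name -> rs1 retained from the last session

    def dh_keypair(self):
        x = secrets.randbelow(P - 2) + 1
        return x, pow(G, x, P)


def run_session(init, resp, init_sees=None, resp_sees=None):
    """One key agreement on one wire leg. *_sees is the name each party
    believes it is talking to, which lets Mallory impersonate someone.
    Returns {party name: (SAS hex string, status)}."""
    init_sees = init_sees or resp.name
    resp_sees = resp_sees or init.name
    xi, yi = init.dh_keypair()
    xr, yr = resp.dh_keypair()
    # Each side announces an ID of the retained secret it holds for its peer
    # (None on first contact). An attacker who missed an earlier session never
    # learned that rs1, so she cannot compute a matching ID.
    id_from_init = rs_id(init.cache[init_sees], b"initiator") if init_sees in init.cache else None
    id_from_resp = rs_id(resp.cache[resp_sees], b"responder") if resp_sees in resp.cache else None
    results = {}
    for me, peer, dh, peer_id, peer_role in (
            (init, init_sees, pow(yr, xi, P), id_from_resp, b"responder"),
            (resp, resp_sees, pow(yi, xr, P), id_from_init, b"initiator")):
        rs = me.cache.get(peer)
        if rs is None:
            status, mix = "first contact: verify SAS", b""
        elif peer_id == rs_id(rs, peer_role):
            status, mix = "continuity ok", rs          # mix rs1 into the key
        else:
            status, mix = "CACHE MISMATCH: warn user, verify SAS", b""
        s0 = kdf(b"s0", dh.to_bytes(128, "big"), mix)
        results[me.name] = (s0[:4].hex(), status)      # 32-bit SAS shown to the user
        me.cache[peer] = kdf(b"rs1", s0)               # retained for the next session
    return results


def scenario_late_mitm():
    """Mallory is absent for call 1 and interposes on call 2 (Aunt Tillie case)."""
    alice, bob, mallory = Endpoint("Alice"), Endpoint("Bob"), Endpoint("Mallory")
    call1 = run_session(alice, bob)
    leg_a = run_session(alice, mallory, init_sees="Bob")    # Mallory poses as Bob
    leg_b = run_session(mallory, bob, resp_sees="Alice")    # Mallory poses as Alice
    return call1, leg_a, leg_b


def scenario_persistent_mitm():
    """Mallory interposes from the first call onward, then drops out once."""
    alice, bob, mallory = Endpoint("Alice"), Endpoint("Bob"), Endpoint("Mallory")
    calls = []
    for _ in range(2):
        leg_a = run_session(alice, mallory, init_sees="Bob")
        leg_b = run_session(mallory, bob, resp_sees="Alice")
        calls.append((leg_a["Alice"], leg_b["Bob"]))
    direct = run_session(alice, bob)   # Mallory misses this one
    return calls, direct


if __name__ == "__main__":
    print(scenario_late_mitm())
    print(scenario_persistent_mitm())
```

In the late-MITM run, Alice and Bob both get a cache-mismatch warning although neither ever compared a SAS, which is the protection the post credits to RSS. In the persistent run, continuity looks fine on both legs and only the fact that Alice's SAS differs from Bob's (visible to anyone who compares) reveals Mallory; the moment she misses a session the direct call raises the mismatch on both ends, matching the "every session" condition.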
