
Crypto problems you actually need to solve - geal
http://unhandledexpression.com/2015/10/01/crypto-problems-you-actually-need-to-solve/
======
AdmiralAsshat
FWIW, UX plays a big part in controlling adoption. Apps like
OpenSignal/TextSecure for encrypted communications make the whole process
about as painless as possible. I downloaded TextSecure for Android and
registered my number. I made my girlfriend download OpenSignal for iOS and
register her number. I opened the app and saw her on my contacts (TextSecure
will tell you which of your phone contacts already appear to have the app
installed) and sent her a message. Boom. We're done. All of the tedious key-
exchanges and whatnot were completely behind the scenes and we never had to
deal with it directly. Those options are still there, and if I ever migrate to
a new phone we'll probably have to do some kind of new exchange, but otherwise
the "fun" of trying to manually exchange PGP keys was completely behind the
scenes.

~~~
devit
Ouch, isn't that totally insecure?

Whatever place TextSecure is getting the key from could have replaced your
girlfriend key with something else and be MITMing all the traffic.

The proper way to do this would be to have your girlfriend's phone display a
QR code with her public key and have you scan it with your phone camera, or
using NFC to transfer the public key if available.

~~~
lorenzhs
You can verify fingerprints (manually or via QR code, example screenshot:
[https://info.securityinabox.org/sbox/screen/textsecure-
en-1/...](https://info.securityinabox.org/sbox/screen/textsecure-en-1/045.png)
) if you're concerned about MITM. You will be warned and need to manually
accept the new key if a person's key changes.

Your "proper way" requires people to actually meet before they can begin a
conversation, which greatly limits usability (you couldn't even test the app
without a friend sitting next to you - who would keep an app they can't even
try out on their phone?).

~~~
devit
Yes, using a central server should be possible, but the application should ask
you whether your friend is with you and if you say yes, it should use the QR
code/NFC method instead (which also has the advantage of working with people
you just met and haven't otherwise added to your contacts yet).

If you say no, it should clearly delineate how an attack could take place and
advise you on how likely it is.

------
mrbiber
I'd be very excited to see more Free Software instant messaging applications
support OMEMO
([http://conversations.im/omemo/](http://conversations.im/omemo/)). It's
basically TextSecure's Axolotl protocol with a few slight modifications. As
such, it support multi-party OTR-like PFS and multiple devices. In contrast to
TextSecure, Conversations (the first client to implement it) allows you to use
it without having to install Google Play Services and makes it usable on a
decentralized infrastructure (XMPP). If it became standard for Open Source
messaging clients (whatever transport they use) to have Omemo built in and use
it opportunistically, we might actually have a chance to provide usable crypto
to the masses.

~~~
zokier
Does OMEMO support synchronizing conversations between multiple devices? Being
able to jump seamlessly between laptop/phone/desktop is musthave for me, last
time I checked that stuff was very much unfinished in XMPP (I think the
relevant XEPs were "carbons" and "MAM")

~~~
mrbiber
In principle, this should work - I haven't tried it, but in Conversations, the
fingerprints of my other connected devices show up and I can say that they
belong to me.

In any case, there are no desktop clients yet that support OMEMO.
Conversations and Jitsi support Message Carbons though (together with a
compatible XMPP service, such as yax.im) very well. On the console, there is
profanity that also supports it.

------
nailer
> "Making email and PGP easier to use is not only a UX issue."

Yes, but UX is still the biggest issue. By all means develop next gen crypto
tech: but first, make what we have now usable by people who aren't Unix
people.

I would pay money for binaries of an Open Source GnuPG for OS X which wasn't
awful to use.

Not in a tarball, not assuming I want to use the command line, on gnupg.org
(with the angry SHA1 certificate warning fixed), not linked to from there for
'people who want GUIs'.

~~~
hedgehog
The problem runs deeper than UX in plugins for mail clients. Offline key
exchange is inconvenient enough that it prevents GPG from being used as
encrypted-by-default mail. Identity and key management is really the
underlying issue, something in the spirit of CONIKS might be good enough to
build a working system though. As OP points out even then you have issues with
multi-device support.

~~~
nailer
> The problem runs deeper than UX in plugins for mail clients.

UX runs deeper than software interfaces.

> Identity and key management is really the underlying issue

Yes, that's a UX issue.

So:

\- Get GPG key from Facebook (which has them as part of the standard profile
today)

\- Say to person: you should contact this person by a means you trust and
confirm this is their key (since we don't trust anyone by default).

\- Once they click OK, they can now send messages to that person.

Nothing stopping other mainstream sites from adding GPG, it's jus that FB is
the only one I know of. Obviously GitHub doesn't count since most people
aren't software developers.

~~~
zbyte64
Which brings us back to trusting a 3rd party to not tamper with the key
exchange...

~~~
nailer
Well yeah, that's why I addressed it in the post you're replying to. Offline
key confirmation is still the best bet for most people, it's just that people
don't use it because they don't use crypto because crypto tools are awful.

------
JoachimSchipper
This is good, but getting "well-known" solutions actually used in practice is
a very hard, and worthwhile problem. (This is not _just_ "PGP needs a better
UI"; it's also "how do I get embedded/IoT developers to use half-decent
crypto", "bringing TLS into the 21st century", etc.)

~~~
exelius
This is exactly the infrastructure problem the author was referring to. And
the big problem here is that infrastructure is neither a high-margin business
model nor particularly interesting to build -- while being just as difficult
on the business side as starting a new social network in 2015.

------
Eridrus
Personally I'm hoping Google/Yahoo's End-To-End encryption tech goes
somewhere. I really liked the idea behind the use of a gossip protocol to let
everyone know what keys they had seen for a given user so that active attacks
are not necessarily completely prevented, but are noticed.

------
marcosdumay
I'd be glad if people stopped asking for PFS in email. Email can not have PFS.
If you actually implements PFS over email, it becomes instant messaging.

Yes, you can cargo cult the PFS algorithms over the email infrastructure, but
if you save the temporary key, it's not PFS anymore, and guess what, if you
want to save your message to reading later, you'll have to save the temporary
key too.

~~~
mtgx
Adam Langley's Pond protocol for anonymous email uses the Axolotl ratchet with
PFS.

[https://pond.imperialviolet.org/](https://pond.imperialviolet.org/)

~~~
marcosdumay
> Pond messages are asynchronous, but are not a record; they expire
> automatically a week after they are received.

That's not email.

Ok, that's less "instant" than most instant messaging system. But it has the
same trade-off. It has a bigger time window when messages can be decrypted,
and messages last for longer.

If you give-up on reading your email latter, yes, you can have some kind of
forward secrecy.

~~~
oceanofsolaris
But the idea of perfect forward secrecy is not that your locally stored mail
is securely encrypted in the future, but instead that mail that was
intercepted in transfer should not become readable, even if your key is later
recovered.

With your locally saved mail/messages it is up to you how to and whether to
securely store them. You can save them decrypted if you are not worried about
getting your device stolen. You can securely delete them if you think that you
can not keep their content safe. You can do anything in between, it's your
choice to make.

