
Is Google signing your chat messages? - xnyhps
https://blog.thijsalkema.de/blog/2013/11/19/is-google-signing-your-chat-messages/
======
casca
Why does Google use the term "Off the record" when there is a product called
Off the record[1] that has been used for end-to-end encryption of IM that
predates Google Talk?

Google does many good things, but it would be unreasonable for anyone to
expect that they wouldn't store all your chat messages. "Chats that have been
taken off the record aren't stored in your Gmail chat history, or in the Gmail
chat history of the person you're chatting with. "[2]

[1] [https://otr.cypherpunks.ca/](https://otr.cypherpunks.ca/)
[2] [https://support.google.com/talk/answer/29291?hl=en](https://support.google.com/talk/answer/29291?hl=en)

~~~
icebraining
_Why does Google use the term "Off the record" when there is a product called
Off the record[1] that has been used for end-to-end encryption of IM that
predates Google Talk?_

Because "Off the record" was a common term way before either was created?

~~~
sdfjkl
Yes, but in the IM context it is creating confusion, and Google's IM team must
surely be aware of this, so it stands to reason that this is intentional
confusion.

~~~
untog
Sorry, I don't agree. "Off the record" is a term that is obviously and simply
applicable to an IM context. It's the fault of the people who made an app
called Off The Record that someone else has used the same term.

~~~
anonymoushn
The simple and obvious meaning is encryption with PFS, right? It's not as
though you can prevent the person you're speaking to from logging, and given
that he or she could be using an XMPP client not written by Google, neither
can anyone else. The "Disable logging on my end" feature should probably just
be called "Disable logging on my end."

~~~
tedunangst
If I'm speaking to a journalist and I say "this is off the record", it doesn't
magically disable their tape recorder, either.

------
infinity0
I don't think this is a problem. In the email vs OTR debate, signed emails are
not forgeable because you are not supposed to give away your private signing
key - to claim that someone forged a signed email, you must convince people
that your private signing key was compromised at that time.

However, in this case you don't hold the private signing key, so Google can
make whatever signatures it wants, even of things you didn't say, and there is
no _cryptography_ that links it back to you - because as a Google chat user,
you don't have a private signing key.

~~~
xnyhps
That makes sense if there is a dispute between you and Google. But if the
dispute is between you and one of your contacts instead, to claim that the
signature is forged would be to claim that your contact has Google's
cooperation. That bar might not be as high as claiming your private key was
compromised, but it is still quite high.

~~~
nknighthb
> _claim that your contact has Google's cooperation_

Which is easy enough. Compromise the target's Google account, and you suddenly
have Google's cooperation.

~~~
tedunangst
But that's exactly where we started and no different than having their private
signing key compromised.

------
j_s
Thanks for the heads up regarding the undocumented XMPP extension!

I'm sure Google chat already maintains plenty of additional signatures,
checksums, etc. that stay entirely server-side; any of which would be more
than sufficient to "_prove[...] cryptographically that your account sent that
message_" should law enforcement need to "_verify the signature is correct_".

~~~
robryk
The point here is that those stay server-side and are thrown away together
with the messages when they get deleted. Whatever's sent to the client can be
stored by him/her indefinitely.

BTW, there is probably a time limit: if this is really a MAC, then the key
used to generate it is most likely rotated once in a while.

------
qwerta
Perhaps they want to prevent competitors from implementing their protocol? XMPP
is too open to fit into a walled garden.

~~~
icebraining
Doesn't seem to be working, since OP saw the attribute being sent by Adium, an
open source multi-protocol client.

------
spindritf
How does signing a message make it any less (or more) ephemeral? You either
store the copy or you don't (and Google does). I don't see how a signature
could influence that.

~~~
computer
It makes it possible to prove that someone didn't forge a chatlog, but that
you really said X at some point based on your friend's chat logs.

~~~
endianswap
How is it any more possible to prove a chatlog wasn't forged, given that
third-parties cannot verify these signatures (only Google can, if TFA is
correct) and Google already keeps unlimited retention of their chat logs and
thus could do the verification without any signature field? Plus, not all
clients cause a signature to be inserted, so even the lack of a signature
wouldn't imply forgery.

~~~
VLM
"(only Google can, if TFA is correct)"

The article and/or its interpretation is wrong about that because the algo is
unknown.

Even worse, human beings both currently and formerly employed by GOOG know the
secret-ish algo, and those humans are not necessarily still employed there,
nor are they incapable of communication. So it's very unclear who knows how
that algo works other than GOOG as an absolute minimum.

A correct statement would be, at the minimum at least GOOG knows how to make
those hashes, and at this instant who knows how many other people or orgs who
may or may not be in support or opposition to you.

------
taway2012
I suspect this is an HMAC-SHA1 similar to what the blog author surmised. It's
possibly a response to the recent fiasco where they misrouted IMs.

I think they use this signature in their backend as a last defense when
routing a message to a recipient. Being meant for the backend explains why
messages with corrupt signatures are accepted (the backend notices that
incoming signature is bad, so it doesn't use the signature to check the
message when routing).

2) I'm curious about what people who say "crypto in the browser/JS is bad"
think about this. This seems to be a pretty good application of crypto to
achieve a very narrow goal.

~~~
xnyhps
It is possible this is to stop misrouted messages, however, they didn't add it
in response to the recent problems. There are some Google hits from 2007-2008
where the field was present, for example
[https://developer.pidgin.im/ticket/3360#comment:15](https://developer.pidgin.im/ticket/3360#comment:15).
Before ~2009-2010 the field seems to have been 8 hex encoded bytes (half an MD5
hash?), after that they switched to the base64 format.

------
shortstuffsushi
Maybe I'm missing the point here, but why is giving each message a signature
worse than just hanging onto the message itself? Unless I'm missing something,
each of these messages is sent to Google's servers, and presumably stored
(forever).

In that sense, even without the signature, the record itself still exists. I'm
thinking maybe they're trying to say that in the case of an end-user having a
signature, _they_ could look the message up? In that case, if they have a copy
of that message in their inbox anyway, again, what is the difference?

Not trying to discredit the article, I think I must be overlooking something.

~~~
VLM
Authentication.

Here's a hash of your post plus some salty stuff that only I know about, or at
least that's what you think:

96ac1d2c0cdbc05e1ff1e40fe8a43f64e013e232

(it's actually a SHA1 of GNU date output, but whatever)

Now let's say your post starts appearing on reddit except it begins "I am like
so totally getting the point here" and includes the hash
96ac1d2c0cdbc05e1ff1e40fe8a43f64e013e232

I can act as oracle and verify that someone messed with the post I signed.

Sometimes having a little notary follow you around notarizing everything you
type is no big deal. Sometimes of course it is.

The irony is that this whole debate relies on the theory that no one can
generate those salty hashes but the almighty GOOG. I only glanced at the code
in the post and I didn't see any charset translation games in his little
permutation gadget. It might be something totally innocent like he needs to
convert to UTF-8 or UCS-16 or UTF-32 or some bonkers thing like EBCDIC before
the hash and that's it. In which case it's not much of a big deal, mostly.

Assuming honest and truthful actors on both sides, there's not much harm an
oracle can do other than verifying an out of context quote, I guess. Of course
honest and truthful actors are not universal, and the oracle itself might be a
crook or partially crook partially honest.

The worst case is a partially crooked or partially secret oracle. "I VLM
solemnly swear I shot JFK back in 1963" (and here's a correct hash using the
GOOG algorithm of the statement). Well, superficially that proves I shot JFK,
I mean a 3rd party properly notarized it and everything. The reality is all it
proves is someone in the universe knows the signing algorithm and this is a
properly signed message using that algorithm, which is not so impressive. The
legal outcome can be a lot different between the superficial interpretation
and reality. Even though JFK died more than a decade before I was born. If
someone, like, say, a court, is dumb enough to trust the sig, then anyone who
knows the algorithm is God over everyone else. Hope the smart guys aren't the
bad guys...
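
An added illustration, not code from the thread or from Google, of the property infinity0 and VLM describe above: a keyed hash proves only that whoever holds the key computed it. A tampered message fails the oracle check, a message the key holder forges passes, anyone without the key learns nothing, and a rotated key (robryk's time limit) invalidates old tags. HMAC-SHA1, the sender/message framing and the sample strings are assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed example: a server attaches base64(HMAC-SHA1(key, sender || message))
# to each chat message, as the blog guesses Google might. The key stays on the
# server, so only the server can act as the verifying "oracle".


def sign_message(key: bytes, sender: str, message: str) -> str:
    """Server side: tag the message with a keyed hash only the key holder can compute."""
    data = sender.encode("utf-8") + b"\0" + message.encode("utf-8")
    return base64.b64encode(hmac.new(key, data, hashlib.sha1).digest()).decode("ascii")


def oracle_verify(key: bytes, sender: str, message: str, sig: str) -> bool:
    """Oracle check: recompute and compare in constant time to avoid a timing leak."""
    return hmac.compare_digest(sign_message(key, sender, message), sig)


def demo(server_key=None) -> dict:
    """Return one verdict per scenario showing what the tag does and does not prove."""
    key = server_key or secrets.token_bytes(20)
    sender = "alice@example.com"                 # constructed sender
    sent = "I must be overlooking something"      # what alice actually sent
    sig = sign_message(key, sender, sent)

    # A recipient or court never saw the key; guessing one just yields a different tag.
    guessed_key = secrets.token_bytes(20)

    # The key holder can tag words alice never sent, and that tag verifies fine.
    never_sent = "I am like so totally getting the point"
    forged_sig = sign_message(key, sender, never_sent)

    # Key rotation: once the server moves to a new key, old tags stop verifying.
    rotated_key = secrets.token_bytes(20)

    return {
        "genuine": oracle_verify(key, sender, sent, sig),
        "tampered": oracle_verify(key, sender, never_sent, sig),
        "without_key": oracle_verify(guessed_key, sender, sent, sig),
        "forged_with_key": oracle_verify(key, sender, never_sent, forged_sig),
        "after_rotation": oracle_verify(rotated_key, sender, sent, sig),
    }
```

Only "genuine" and "forged_with_key" come back true, which is exactly why a valid tag shows that the key holder signed the text, not that the named sender wrote it.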

~~~
shortstuffsushi
Thanks for the explanation, that really did add the context that I was
missing.

------
Spooky23
The article is really interesting, but I start rolling my eyes when the author
jumps to the implication that this is some sort of plot to make government
intrusion easier. I doubt that -- the police and litigants already have a
myriad of ways to obtain and get chat transcripts admitted in court.

Perhaps this is a way to ensure message integrity when people are traversing
networks that inspect TLS sessions?

Many enterprise environments, for example, use proxy servers that terminate
SSL sessions at the network boundary, inspect the content, and then re-encrypt
using a self-signed key. Perhaps Google has observed some malicious or
obnoxious use of that technology in public or institutional wifi environments.
(i.e. inserting ads, filtering "naughty" words, etc)

~~~
xnyhps
Where do I claim Google is doing it intentionally to help government
intrusion? The paragraph about law enforcement is only meant as an example of
how signing can be used against you. The point there is that it doesn't even
need to be Google's intention and requires no direct assistance from them.

I'm sure Google has a valid legitimate use of this data somewhere, but why it
ends up in end-user XMPP clients is a mystery to me. If Google's aim is to
avoid enterprise networks messing with the message, then Google should
document somewhere how to verify the signature.

~~~
Spooky23
"If the recipient stores that message and signature, they have
cryptographically verified blackmail material: they could later turn both
message and signature over to law enforcement."

~~~
xnyhps
That doesn't refer to any intent on Google's side.

