It's especially funny to see a government sponsored telecom reaching out to Moxie Marlinspike. Also: this isn't like that time a random Microsoft recruiter accidentally hit ESR and he wrote the "Your Worst Nightmare" post about it. Like Moxie says, money buys technology, and they will eventually find someone to rig up a workable solution for what they're trying to do.
Moxie: one thing that would be hugely helpful is a quick list of the things you did that make you confident in Twitter's TLS code (which: thanks for doing).
More generally, a lot of common sense effort was put into the general TLS posture of the website. From certificate pinning baked into the browsers, to HSTS headers, to making sure the links in search results are https.
There was a bunch of generally nice TLS stuff in the pipe as well, but I'm not sure if it shipped yet.
I don't see Instagram, Facebook, etc. using that code to secure their apps, they won't license their Android clients as GPLv3 just to use the Android pinning library. While it is easy enough to re-create your code (though I have not looked at it), given that we're talking encryption libs, it's always nicest to have secure, vetted libs that just work.
(As a matter of fact, I'm sure you had to relicense it for Twitter to use it in their app.)
>Please contact me if this license doesn't work for you.
I see no reason why Moxie should give Facebook and Instagram this valuable feature for free. When did open-source hackers become the unpaid laborers for silicon valley?
If they want it, they can either release the source code for their applications and liberate their users, or they can pay (hopefully) through the nose for it. Maybe that'll buy a few more months of TextSecure development, or whatever other cool things Moxie is doing now.
The gp isn't asking for a change of license because he hate the GPL, he is (properly correctly) predicting what will happen if that license isn't changed: specifically, the thing that Moxie is trying to prevent won't be.
That something is GPL does not mean that could not be also licenced as proprietary for those that pay if they don't want the limitations of GPL.
I get the idea that people should be paid for their work, and it's his choice how he licenses it. On there other hand, if the point is to make sure this spreads as far as possible and gets used everywhere, then maybe a very permissive license is called for.
Then they wouldn't have to jump through silly hoops to prove whether they "really want the world to be a more secure place".
Or, how about this: if you really want the world to be a more secure place, why don't you take the time to learn how to implement certificate pinning for Android apps and publish your own MIT-licensed implementation? I'm sure Moxie would join the rest of us in cheering you on.
I fully acknowledge Moxie is better at security than I ever will even dream of being. I just hoped he might see the value in releasing it under a more-amicable license. I don't have the numbers, but more-liberal licenses are by a wide margin the choice for open-source crypto.
I'm not speaking from the armchair, I've released open-source code under BSD/MIT myself. I don't have Moxie's skill for security, is it so wrong to point out the obstacle the license represents? He did release it to help secure the web, did he not? Why don't you let him reply.
I find this to be a good balance: those who wish to take my work and openly contribute their own work are free to do so, and those that don't need to contact the copyright holder. I don't think it's a lot to ask in this case, and I definitely don't think that licensing issues are what's holding back internet security here or otherwise.
You should be asking yourself how you can change your project so that GPL3 licensed code will be acceptable, rather than asking others to relicense their code.
As Thomas said, people would be less bitchy, and less holier-than-thou (cough), had Moxie not written any code, or written it and charged an arm and a leg for it.
It's sort of what patio11 talks about. The cheaper the service, the worse the people treat you.
The internet doesn't work that way.
> You don't have to be such an ass. I asked nicely enough.
No, not really. Would you have asked the creator of a closed source crypto library to give it away?
I used to agree with you, that security software should be BSDLed to encourage use, but now I see it just encourages more low-end closed-source software.
If that software was open, users could know what they were using and could with work really be safe. But by trusting a closed source app, especially one that can't afford anything for security, they'll never be secure (see this article for proof) and thus are worse off than if they're knowingly only partially secure.
It sounds rough, but better the mob steal some money because you used an insecure app, causing you learn and audit your security requirements, than for you to feel secure until someone shows up and shoots you.
They might license the code under a non-exclusive license with different terms. I.e. the copyright holder is free to license the same source code under various licenses.
So, e.g. I could license some code to the community under GPL, but I could also license it closed-source to a corp for a fee.
I don't think it matters. He quickly noticed that the problem is cultural, that
>> I’d much rather think about the question of exploit sales in terms of who we welcome to our conferences, who we choose to associate with, and who we choose to exclude, than in terms of legal regulations. I think the contextual shift we’ve seen over the past few years requires that we think critically about what’s still cool and what’s not.
But the problem with/in Saudi Arabia is also cultural, or social, not technological. It doesn't really matter that they can buy exploits or intercept communications. What matters is that those in power can stay in power while doing all that.
Mao and Stalin built some of the most repressive regimes the world has seen with 1930s technology, and even then they were behind the times. Do you think those would have been rocked by secure Twitter? On the other hand, Greeks ran fairly decent democracies when the closest thing to mass communications was shouting in a place with good acoustics.
I'm not saying the west should just provide scum of the world with access to modern technology. Let's not kid ourselves though. Whether we do or not, it won't change much.
PS: Mobily is my carrier. Discomforting. Maybe resistance is futile after all. Sigh.
The story is perhaps clearer on exploit markets. The alternative to markets is publication, which burns the vulnerability by hastening its patch deployment. Dictatorships will inevitably acquire more exploits, but they are in a race against everyone in else discovering vulnerabilities.
I'd sure rather deal with the current Saudi Government than with Al Qaeda. Yes, there are fairly bad elements within the government, and it is at best one of the more restrictive regimes in the world, but there are some alternatives that are worse.
That's not what I mean. Even if you somehow stop them from acquiring exploits, they will remain in power because it's not derived from subtle technological advantages.
I think that this stuff matters, to the extent that I'd like to be in solidarity with those everywhere who are in a tension against authority. Not selling exploits is one small way that I can do that, and writing a blog post about it is one small contribution (I can hope) to creating a culture of doing that.
Is eating not obviously beneficial? Is there something wrong with large-scale engineering? Shouldn't we fight child pornography?
Drives, rules, and organisations outlive and outgrow their usefulness all the time. Why would surveillance be an exception?
This logic reeks of the law of averages: "I might as well swim over Niagara Falls because I could die any day, even from crossing the street. If I die today, it was just my day to die."
Of course, I have less of a reply to "Even if I don't sell it to them, someone will." The middle class finds it very easy to rationalize behavior that will keep the consumption flowing.
Governments are in a unique position here. They can always just move up the stack. Can't break the crypto? That's fine. They can just require the mobile phone companies to sell phones with spyware already included.
But the economics flip around in Europe, Japan, the US, &c: governments there do have something to lose by surreptitiously backdooring huge numbers of devices, and the odds are good that any efforts to do so will be detected (the state of the art for reverse engineering now includes decapsulation and imaging of electronics packages).
Well until something like the DIY Cellphone gets more traction to deal with backdooring/rootkitting: https://webcache.googleusercontent.com/search?q=cache:http:/... (MIT Media Lab)
...so many people, like those "patriotic hackers", support the Feds having the same power that Saudi Arabia is seeking
Who do you mean? Who is being called a terrorist?
The Methuen, Mass., high school student was arrested last week after posting online videos that show him rapping an original song that police say contained “disturbing verbiage” and reportedly mentioned the White House and the Boston Marathon bombing. He is charged with communicating terrorist threats, a state felony, and faces a potential 20 years in prison. Bail is set at $1 million.
And lots and lots of other ridiculous examples, if you search.
“If you’re not a terrorist, if you’re not a threat,
prove it," he says.
“This is the price you pay to live in free society
right now. It’s just the way it is,” Mullins adds.
Quoting the paragraph, in case my paraphrasing is inaccurate: "What’s depressing is that I could have easily helped them intercept basically all of the traffic they were interested in (except for Twitter – I helped write that TLS code, and I think we did it well). They later told me they’d already gotten a WhatsApp interception prototype working, and were surprised by how easy it was. The bar for most of these apps is pretty low."
This is the problem with public key pinning. The site is still vulnerable to a compromise from its own CA, and many sites actually use a number of different CAs for unfortunate reasons. If you check out the list of pins for twitter.com, it's quite large. Still, at least it's not vulnerable to compromise from every CA that exists.
Trevor Perrin and I have been working on something called TACK (http://tack.io) to make all of this easier and more secure. Rather than embedding pin fingerprints into the binaries of web browsers and mobile apps, you can advertise them and update them via a TLS extension. What's pinned is also your site's certificate, not the CA's certificate, making the site additionally immune to compromise from its CA (or list of CAs, as it were).
I try and I try to get clients to consider just rolling their own root certificate and eschewing the TLS PKI, but people have an irrational fear of the process of making certificates.
It's like Firmware in VoIP, although VoIP implementations leave something to be desired. In essence they're doing something similar to a checksum on the certificate such that any change to the certificate causes the transaction to fail.
You would have to hard code the new dates in.
I seem to remember their authentication was a combination of your phone number and the IMEI of your handset, which is woeful security through obscurity at best.
This, this, a thousand times this. We cannot look the other way because the "good guys" are benefiting. Not any more.
The person that reads an article about the USA implementing some automated service to monitor foreign communication must realize that other governments are now doing the exact same thing. We no longer have the luxury of pretending that as long as the outcome is good the means do not matter.
Meet the United States:
In countries like Saudi Arabia they don't have the same level of power/control so they have to look at intercepting & blocking the traffic.
The problem with simply abandoning CAs is that it creates a situation in which it's even easier for government sponsored agencies to mass-intercept traffic, at least for a window of time (probably several years), and all that window buys us is the ability for sites that don't really care about security to save $10-$100 dollars on cert costs.
No. The problem is that pretty much everyone trusts them, at this point in time. That was Peter's point.
Sure, there are researchers and engineers who rightfully don't trust CAs. But we don't really matter. The users, the consumers, the parents, the grandparents, the activists do.
Sure, there's a lot of research being done to find the Next Great Thing (tm), but how about a short/mid-term emphasis on shoring up the glaring problems in the existing technologies first? Tighten the number of default CAs, shore up bad SSL and TLS code, tighten default settings in client software.
Things like Chrome popping up warnings about self-signed, expired, or invalid certs may have been a great start, but nobody's really tidying up much on the server end, so the end effect is that the users blindly click through the Chrome warnings.
TL;DR: The Next Big Thing (tm) is going to be great, I'm sure, but how about fixing/tightening existing configurations in the mean time?
You and I might also agree: browsers make it too easy to click through the bad-cert warnings. It used to be a trendy thing to argue on HN that these warnings were entirely pointless and should be done away with, which, of course, would have done grievous harm to security above the harm already done by the click- click-click- you're- done UX browsers have already established here.
In fact I think that so many people trust CAs that if someone provides a more secure alternative it should look like an evolution of CAs so it doesn't piss off people who have been trusting CAs all this time.
Generally almost everyone has experience with malware, bugs and broken software. No one who has used a computer for more than 10 minutes absolutely trusts computers in any capacity including security.
Ask some random people on the street if they trust a mainland Chinese entity with ensuring the security of their communication with their banks, however, and I think you'll get a different answer.
Hundreds of millions of consumers use devices that implicitly trust CAs today.
You're usually spot on, but in this case you're dead wrong. Most humans that use the internet use devices that trust CAs absolutely - which is exactly why they're being subverted for government interception.
The distinction between these two vantage points isn't particularly relevant to my point; at least, I don't think it is.
If we want real security we have to build it separate from the CA model, but as you point out CAs do provide some security against government inception, just as a locked door does provide some security against police wondering into your house, and we should not abandon it wholesale.
With TACK you depend on CAs to establish the initial connection, set up a "pin", and then no longer rely on the CA for future connections. That initial connection is fungible by a MITM, so it's not secure. We need a term for connections that are "probably" secure, but for which there is no complete assurance of security, which is what any connection based around a CA really is.
This is why the postcard method is superior. Unless someone spends the time to intercept every anonymous postcard with a secret code on it, rewrite the message with perfect imitation handwriting, and send it on to the unknown P.O. box, without more than a couple days delay, it's next to impossible to circumvent this initial key exchange. For those that need real privacy I would recommend this method; for those that just want to order Jolt Cola on an open wifi connection, CAs are good enough.
Meanwhile, the world in which most of the mainstream browsers support TACK is imperfect, but immediately better than what we have now. TACK also sets us up to continue decoupling ourselves from the CA system.
Pre-loaded public key pinning shipped by modern browsers is a better way forward IMHO. If you're trusting your browser enough to run their software, you might as well get your public keys from them, too. IMO, TACK works about as well as self-signed certs with the 'remember this certificate' option - just don't use a Starbucks connection the first time you browse the site.
This really gets to the crux of it. We might deem the CA's untrustworthy but we currently trust them anyway because there isn't really that much choice.
 http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html - Ross Anderson (Trusted Computing FAQ - Q24)
sadly those are only available for Android.
Without jailbreaking or a dev cert, you can't ensure that an app you install from the App Store on iOS isn't backdoored anyway.
I'm an iOS devotee but even I'm going to buy a second phone specifically to support sideloading of crypto software for secure communications. My phone's primary function is to communicate (despite all the smartphone value-adds) and secure and private communications are a pipe-dream on iOS.
iMessage is great (and end-to-end encrypted) but if I can't control the list of keys to which it encrypts, it's only as secure as Apple (and presumably the DoJ by extension) allows it to be.
Oh and if you want a dev user, it is a one time fee of 20 usd (or was, when I got mine).
Government interception/manipulation (or any other party) would become rather difficult.
And I don't think owning a satellite makes your communications secure simply by virtue of owning a satellite. I'd argue that you'd need to own the methods of communication to and from the satellite, which probably isn't realistic.
Moxie: Do not go to Saudi Arabia, you are probably persona non-grata by now.