Hacker News new | past | comments | ask | show | jobs | submit login
Adam Langley's Pond: Secure Async Messaging (imperialviolet.org)
100 points by tptacek on July 13, 2013 | hide | past | web | favorite | 36 comments

> "Pond seeks to prevent leaking traffic information against everyone except a global passive attacker."

My favorite line in the article. It's a nice nod to the fact that this Achilles heel is an issue that he is aware of / takes seriously.

Adam Langley is the real deal. He's also a large part of the reason Google managed to deploy forward secrecy, and the author of the Golang TLS stack.

Contrasted with the "forward":

   |Note: recent events have lead to these topics being in the news quite often in recent weeks. However, Pond is not a reaction to those events - it was started nearly a year ago.
Traffic information, of course, isn't the whole conversation, so his wit is appreciated to make light air of the situation, but at the same time he's quite serious about this little project. I'm impressed that it compiles at all on my Arch machine, after his warning to Arch users.

On topic to your comment, unfortunately there's no way to avoid leaking traffic information, or at least the fact that there is traffic at all, to a "global passive attacker" :) gone are the days of radio silence

There's a paper from the 1990s (https://gnunet.org/sites/default/files/ I think, Pfitzmann 1991) on building an ISDN MIX for anonymous real-time voice traffic. ISDN gives you two 56kbps or 64kbps channels in each direction for voice, which you can connect to whoever you want. So you just keep these channels open to somebody all the time and keep them full of data, even if it's nonsense. Using fully isochronous streams in this way, assuming a fully connected directed graph, which is overwhelmingly probable, it's impossible for a global passive attacker to determine anything at all about who is actually talking to whom, or how much; the traffic pattern simply is not affected by the communication graph.

A thing I don't know is whether Pfitzmann et al.'s scheme held up to subsequent analysis. I haven't even read the whole paper, actually.

Can you give a step-by-step advice for installing on Arch Linux? TIA!

(Or, how to better organise a discreet relationship with the Director of the CIA.) from https://github.com/agl/pond (the source) is a good elevator pitch, for people (like me) who are taking their time getting what this is.

also, is code like this https://github.com/agl/pond/blob/master/server/server.go#L15... just extreme defensive programming? or is there some other reason for the check (eg is not everything locked)?

also, does 2. A GPA can learn when messages are sent to a non-home server and which server that is. get weaker if there are many users?

and why is it so quiet here? am i asking dumb questions? i've been deleting the ones i work out answers to!

> also, is code like this https://github.com/agl/pond/blob/master/server/server.go#L15... just extreme defensive programming? or is there some other reason for the check (eg is not everything locked)?

That's checking for integer overflow - an often-overlooked source of many security vulnerabilities.

That's a signed integer though, and I don't know if signed integer overflow has defined behavior in Go. In C that would be undefined behavior, allowing the compiler to do potentially nutty things, so you would want to do the overflow check before the increment. (Edit: considering who the author of this code is, I would assume that Go has sane defined behavior on signed integer overflow ;-)

From the Go language spec:

"For signed integers, the operations +, -, *, and << may legally overflow and the resulting value exists and is deterministically defined by the signed integer representation, the operation, and its operands. No exception is raised as a result of overflow. A compiler may not optimize code under the assumption that overflow does not occur. For instance, it may not assume that x < x + 1 is always true."

  func main() {
    var foo int8 = 127
    fmt.Println(foo + 1)
prints -128

Cool, thanks for the info!

Looking at the spec, I see that signed integers are elsewhere defined to be represented using 2's complement, so this is completely kosher.

I think it's just that nobody knows the answers, mostly. HN is not great for questions that require thought.

Also, btw, I still have your AMOP,a nd it would be awesome to see you again.

we've not visited argentina for years so we must be due a trip. if/when we do i'll ping you and you can give me that back during a meal at some nice restaurant...

awesome! :)

> For secure, synchronous communication we have OTR and, when run over Tor, this is pretty good. But while we have secure asynchronous messaging in the form of PGP email, it's not forward secure and it gratuitously leaks traffic information.

This is probably a stupid question, but what exactly is the distinction here? Why can't we just think of the "asynchronous messaging" email-equivalent as long, drawn-out synchronous OTR communication?

Can you send a message to someone who's currently offline using OTR? It seems to use diffie helman, so I'd expect not.

That's an implementation detail. You could pack the handshake into automated email messages handled by a proper client. Obviously this would not work with any old client since you're effectively layering another protocol on top of email.

I don't know about you people but I can't access this site in latest firefox:

  Secure Connection Failed

          An error occurred during a connection to pond.imperialviolet.org.

  Peer attempted old style (potentially vulnerable) handshake.

  (Error code: ssl_error_unsafe_negotiation)

  The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
  Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

This is kind of ironic considering it's Adam Langley's website, but it appears his server is not indicating that it supports secure renegotiation, and apparently in the latest Firefox that's grounds to refuse a connection[1]. See:




If you set security.ssl.require_safe_negotiation to false in about:config you should be able to establish a connection.

[1] Edit: actually it's not; the parent poster had tweaked settings in about:config ;-)

Good to know. I knew that I needed to do it, but I'll be sure to add support for this prior to Go 1.2.

(The TLS stack doesn't support renegotiation at all, so it's not vulnerable, but a client can't know that unless it echos the extension in question.)

Ah, you're using the Go TLS package? That makes sense ;-).

As it turns out the latest version of Firefox still connects to servers which don't indicate secure renegotiation; the parent poster caused the problem by mucking around with the TLS settings in about:config.

Well, it looks like he wrote the Go TLS package.

It seems to be that. I had initializaed a new profile in firefox and played with some options in about:config and somehow the option security.ssl.require_safe_negotiation was set to true.

All this week this was the first website to fail because of that.

It works with it set to false.

iirc renegotiation in openssl is mad broken, in which case, mad props to adam :)

If anyone wants to test this with me, you'll find my contact details in my HN profile and on https://grepular.com/

Both of which contain my PGP details. So by sending my your handshake message encrypted with my key, I'll reply with my handshake message encrypted with your key, then we can test.

Why the "better relationship" quip? Get some e-mails from the CIA after publishing this?

It's probably in reference to David Petraeus's resignation after his affair came to light.

I can not forgive Adam he removed the DANE support from Chrome in spite of fact that he was the author of the draft standard http://datatracker.ietf.org/wg/dane/

Why does Langley need your forgiveness for not supporting DANE? DANE is arguably worse than X.509 CAs.

Why? Because DNSSEC can be attacked by the DNS root?

It seemed to be our best attempt to get SSL for every website. CA-based certificates just won't cut it.

Because replacing a PKI run by companies that the NSA can coerce with a PKI run by the US Government doesn't seem like a good plan? That, along with the litany of reasons why DNSSEC is a terrible design; that it doesn't secure queries from stub resolvers where the need is greatest; that it publishes internal zone names; that it breaks the resolver API and will inevitably create outages; I can go on.

(I doubt this is what's held up DANE; rather, the unreliability of DNS compared to hyper-optimized HTTPS/TLS connections is the issue there; browser vendors care about milliseconds.)

How is it worse than X.509?

Here we go again :-)

can anyone point to a link that explains X.509 s shortcomings? I'd really like to read up on that but can't find any sane info.

Haha consider the possibility that some of the insane ranting you hear about x.509 is actually balanced and accurate criticism :-)

hehe, so true.

I wonder how badly the security of Pond would break if one were to build a pond-email gateway of some sort so that you could use regular imap/smtp clients (and maybe tor).

Woah, this is seriously cool stuff. I wonder how far off it is from general readiness?

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact