The Problem With Using End-to-End Web Crypto as a Cure-All
fsterman writes: Since the Snowden revelations, end-to-end web encryption has become trendy. There are browser add-ons that bolt a PGP client onto webmail and both Yahoo and Google are planning to support PGP directly. They attempt to prevent UI spoofing with icons similar to the site-authentication banks use to combat phishing.
The problem is that a decade of research shows that users habituate to these icons and come to ignore them. An attacker can pull off UI spoofing with a 90%+ success rate.
The funny thing is that the technical security of snail mail (a paper envelope) is amazingly poor, but it is generally quite secure due to law and custom. However, law and custom is absolutely no security or privacy on the Internet. There is the problem.
The technical people are actually working on this problem:
1. Make it super easy to encrypt all websites:
https://letsencrypt.org/
2. In the long run:
"Marking HTTP As Non-Secure"
https://www.chromium.org/Home/...
And many, many more improvements.
New things are always on the horizon
End to end = I encrypt on my computer, message is sent over possibly snooping middlemen, recipient decrypts on his or her computer.
End to end is NOT: some snooping middleman in the middle has the key and does the encryption "for" me.
The only way for someone to "spoof the UI" is to have control over my computer, and if they have that, all bets are off anyway.
There's nothing wrong with end to end encryption. There's something wrong with your definition.
The problem with security researchers is that they declare any usable technology as "completely insecure," and in a sense they are correct. Good security is hard and inconvenient. What we have right now is even worse. There is no privacy whatsoever.
What e-mail needs for most people is an envelope. Enough encryption that the casual observer cannot read the message, and the malicious observer must make a targeted attack. I don't need to stop the NSA; I just want to dissuade the PHB from reading over my virtual shoulder. In the process the NSA will have to pick and choose who it targets. Yes, these e-mails will remain completely insecure, but there is a much higher cost to read the data, and there is a much higher risk of being discovered doing so.
Let's not let the perfect become the enemy of the good when it comes to security.
Strive to make your client happy, not necessarily give them what they ask for
This is what certificate pinning was made for. If the browser knows what certificates the site ought to be using, it can simply refuse to connect to anything in the site's domain that isn't using one of those expected certificates. This doesn't even require CA-issued certificates; self-signed ones would be equally secure except for the fact that browsers complain about them. Note that this is just a slightly more permissive form of the server authentication built into the SSL protocol.
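The pin check described in the comment above, sketched as an added example (not part of the original comment or of any browser's code). It assumes the pin is the base64 SHA-256 of the whole DER certificate; the names `fingerprint`, `is_pinned`, `connect_pinned` and `PinMismatch` are hypothetical, and the certificate bytes are constructed stand-ins.

```python
import base64
import hashlib
import socket
import ssl


class PinMismatch(Exception):
    """Raised when a server presents a certificate that is not pinned."""


def fingerprint(der_cert: bytes) -> str:
    """Pin format assumed here: base64(SHA-256(DER-encoded certificate))."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode("ascii")


def is_pinned(der_cert, pins: set) -> bool:
    """Fail closed: a missing certificate or an empty pin set never matches."""
    if not der_cert or not pins:
        return False
    # Pins are public values, so an ordinary set lookup is sufficient.
    return fingerprint(der_cert) in pins


def connect_pinned(host: str, port: int, pins: set) -> ssl.SSLSocket:
    """Open a TLS connection and drop it unless the leaf certificate is pinned."""
    ctx = ssl.create_default_context()  # CA and hostname checks stay enabled
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)  # leaf certificate as DER bytes
    if not is_pinned(der, pins):
        tls.close()
        raise PinMismatch(f"certificate presented by {host} is not in the pin set")
    return tls


# Constructed stand-ins for DER certificate bytes (not real certificates).
CURRENT_CERT = b"constructed-der: certificate the site uses today"
BACKUP_CERT = b"constructed-der: certificate held in reserve for rotation"
ROGUE_CERT = b"constructed-der: certificate presented by an interceptor"

# "One of those expected certificates": pin the live one and a backup,
# so a planned rotation does not lock clients out.
PINS = {fingerprint(CURRENT_CERT), fingerprint(BACKUP_CERT)}
```

Here the pin is an extra check on top of normal CA validation; pinning a self-signed certificate, as the comment suggests, would additionally require loading that certificate as the trust anchor.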
This is only a problem with mixed implementations of end-to-end encryption where you're still supporting unencrypted content. A system built from the ground-up to always require end-to-end encryption would not have this iconography problem, because it would not even need the icons -- it's all encrypted, all the time. I hate to see encryption itself dragged in with UI/UX problems.
Using https everywhere does have some downsides: things like JavaScript that contain executable code are either cacheable or secure from MITM tampering. Why don't we have a way to sign content without encrypting it?
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
Fix your users... Heh heh...
-- I ignore anonymous replies to my comments and postings.
And pay to bring in a business-grade connection to a place where you have control over the environment, and operate a computer as a mail server in that environment, and work diligently to keep that mail server secure, plus work to ensure that your mail server is accepted to other mail servers somehow getting whitelisted.
I used to run my own services at home in this fashion. It was a pain in the ass. Most people are not capable of doing this.
Do not look into laser with remaining eye.
Sounds like a user interface problem. Users won't get accustomed to it if unsecure sites are mauve text on navy blue background. Or something equally egregious and harder to use.
Maybe the meta-problem is that all our different applications/services have different data repositories and thus need separate security solutions. What if we flipped it so that each of us had a private, individually encrypted cloud repository, with identity and communication APIs layered on top? Then simple apps could be written to conform to the new "cloudspace" certificate-based authentication and security model.
In this way you would no longer need separate services for email, IM, social, file sharing, etc. We'd communicate directly and privately in every mode (with public still an option if appropriate), and cut out the middleman. Starting from that approach you'd basically rewire the Internet while leaving everything else the same. You'd obviate the need for Facebook, Gmail, Twitter, Dropbox, Snapchat, Instagram, Youtube, etc., etc., etc.... Basically, any service that collects user data and orchestrates sharing between people would be an evolutionary dead end. That would be cool right?
Plus, the only way it could work is to base everything on open source software and devops, so nobody could ever seize control or extract a tariff. It would be what Bruce Schneier refers to when he laments the lack of "public commons" on today's commercially-controlled Internet. Going a step further, once everyone has his/her own private personal cloudspace, we'd each have a place to put all the data from our Fitbits and Nests and Internet of Things, and the other exploding sources of personal data. Wouldn't this be a better way altogether?
My other
You know, I hate the Patriot Act with every fiber of my being, but that argument doesn't quite hold water.
The NSA doesn't care about your money. They don't need to blackmail you. If they want you, they can come and get you. They don't affect the vast majority of Americans. I don't care for them spying on me, but in reality the vast majority of us (myself included) will never see anything become of it.
Thieves and fraudsters, on the other hand, have a definite desire to have your money. They will get it by any means necessary. You need protection against them.
You'll never have a foolproof defense against the NSA. You can make their job harder, but that's about it. They have the resources to get to you if they want to. Ukrainian script kiddies don't. So make technical countermeasures against the thieves, and political ones against the NSA.
Those who can't do, teach. Those who can't teach either, do tech support.
I probably wouldn't be interested in a CA that gave me my cert, I'd rather have one that signed one I generated :)
Don't blame me, I voted for Baltar.
Forcing HTTPS on every website is the current scammage. For this, I get to go out and buy a cert, mess with the server, and all for a Joomla site that doesn't have any internal security issues fixed by HTTPS.
What is this fixing, again? Wordpress add in vulnerabilities, or certificate authorities revenue?
deleting the extra space after periods so i can stay relevant, yeah.
No, my argument requires you to realize the difference between the NSA and those who want to commit fraud.
Thieves will be deterred by technical means. The NSA will not be. Securing yourself against thieves is still preferable to not securing yourself at all.
I certainly don't expect you to trust the NSA, but from a practical standpoint it doesn't matter for most of us. They're not interested in us.
If you want to fight the NSA, you have to do it politically. It's their only weak point.
Those who can't do, teach. Those who can't teach either, do tech support.