Spying is Easier on the Non-Stupid Network

Many writers have attributed the early success of the Internet to its being a "stupid" network. You could build all the smarts you wanted on a single computer, a "smart" node, and then you'd have a new application. If you had to re-program all the Internet routers for each new protocol, not much would get done, but on the Internet this didn't need to happen.

Recently, the major IM providers stopped doing point-to-point communications. Instead, they started logging all your traffic to a server, apparently to allow you to use multiple devices. So if you get up from your desktop PC in the middle of a conversation and pick up your cell phone a half hour later, you can continue where you left off, because the conversation, and the stuff your friend typed while you weren't looking at a screen, now lives on a server somewhere. Similarly, Dropbox is so useful because your data is on a server somewhere, too.

Ten years ago, many of the IM clients allowed you to make a connection directly to another person and chat, without that traffic going to a server at all. For the most part this doesn't happen anymore.

Perfect Forward Secrecy

What's interesting about this change is that there are really quite good ways to encrypt point-to-point communications ("Perfect Forward Secrecy" including Diffie-Hellman and the Elliptic-Curve equivalents), ensuring nobody is snooping in the middle. It's sort of implicit with these methods that you throw away the actual key you used after the communication is done, and that's really important.

Even if you capture all the encrypted traffic from one of these conversations, it's impossible to recover a key later that lets you see what was communicated. You have to actually go get the computer out of someone's bedroom to see what was said! Not so much when there's a server in the middle, even if the data on that server is encrypted. Of course everyone tells you they encrypt your cloud storage, but it's not the same as a secure communication channel between two smart nodes. These are totally different grades of encryption.

As soon as you decide you must persist a key to get at your data, you also have a key that can be subpoena'd or recovered, so a packet capture of the transmission can be later decoded. If two smart clients agree on a key that is discarded after the information is transferred, no such recovery is possible.

And this fundamentally is the risk the cloud poses to secure communications. If someone's logging encrypted communications and has a legal framework to recover persisted keys, the only way around this is to make point-to-point communications a lot more prevalent.

You could make a Snapchat that was entirely and profoundly secure from snooping. You can't very easily make a Facebook that is.

1 comment:

  1. Let's try another comment and see if it sticks.

    This is sort of why I figured Diaspora was going to fail: there are some features it provides -- and some of those are pretty useful and desirable -- that *cannot be provided without a 'trusted' third-party intermediary.

    At the moment I cann't remember the one specific item that I could not model any way to reimplement using cryptography, but there was one.

    ReplyDelete