[cwyers]

I am not qualified to review how it implements forward security, for instance.

But this shares a lot of the problems that GPG has. It relies on existing mail standards, so it leaks metadata all over the place, and security can easily be defeated by "accidentally replying without encrypting." It's configurable -- every choice you have to make is a chance to make the wrong one. It implements RSA, which nobody should be using anymore.

[masklinn]

Indeed, from Latacora's recent "The PGP Problem":

> Encrypting Email

> Don’t.

> Email is insecure. Even with PGP, it’s default-plaintext, which means that even if you do everything right, some totally reasonable person you mail, doing totally reasonable things, will invariably CC the quoted plaintext of your encrypted message to someone else (we don’t know a PGP email user who hasn’t seen this happen). PGP email is forward-insecure. Email metadata, including the subject (which is literally message content), are always plaintext.

> If you needed another reason, read the Efail paper. The GnuPG community, which mishandled the Efail disclosure, talks this research down a lot, but it was accepted at Usenix Security (one of the top academic software security venues) and at Black Hat USA (the top industry software security venue), was one of the best cryptographic attacks of the last 5 years, and is a pretty devastating indictment of the PGP ecosystem. As you’ll see from the paper, S/MIME isn’t better.

> This isn’t going to get fixed. To make actually-secure email, you’d have to tunnel another protocol over email (you’d still be conceding traffic analysis attacks). At that point, why bother pretending?

> Encrypting email is asking for a calamity. Recommending email encryption to at-risk users is malpractice. Anyone who tells you it’s secure to communicate over PGP-encrypted email is putting their weird preferences ahead of your safety.

[DarkWiiPlayer]

If you know what you're doing, PGP can improve security. The real problem is that, the moment you're sending information to someone, you're giving that information away, out of your control.

If I understand it correctly, all the above points seem to address mostly the technical aspect, that someone who means well may too easily leak previously encrypted information out of ignorance.

A possible counter argument could be this: You already need to trust a recipient that they won't leak the data you send them willingly and with harmful intent, so it's not that much to ask that people also trust the competence of the recipient.

What Opmsg really seems to be about is cases where you don't trust the recipient to not betray you, intentionally or unintentionally.

[tptacek]

No. Secure Messengers are designed to be hard to use unsafely. Nobody accidentally sends plaintext to a counterpart with Signal, because there's no feature in Signal that does that.

[chacha2]

Strange example. Signal does support unencrypted sms which would make it easy for someone to forward a previously encrypted message as plain text.

[cwyers]

If you can't trust the recipient, there's nothing you can do. The point isn't to protect yourself from an untrustworthy recipient, it's to protect yourself from inadvertent disclosure.

[hiq]

You can still send text messages (including to Signal contacts by long-pressing the send button). Obviously it is harder than just sending an encrypted message.

[jcranmer]

Email is really difficult-to-impossible to secure correctly.

Take metadata. Because of how email works, it's effectively impossible to hide the To, From, and Date (or more accurately, the Received) headers. If you're worried about three-letter agencies, that's the only metadata they need, so you're screwed before you started. Theoretically, S/MIME allows you to encrypt additional headers (including the venerable Subject header), and has done so for 15 years, but I'm unaware of any email client that actually supports this feature, and the downgrade mode is pretty UX-hostile.

Another very challenging problem is that the flow of email pretty much destroys any chance of using a good secure cryptosystem. The email sender is not necessarily able to establish a direct, synchronous contact with the email recipient, even on a server basis. That makes protocol negotiation and perfect forward secrecy difficult. Not to mention that users generally expect to be able to open up email clients on unknown machines (especially webmail clients), which means practical key distribution tends to amount to "give your provider your keys," at which point the security advantage over the current state of all-connections-are-wrapped-in-TLS is negligible.

There's also the point that email's main advantage as a messaging system is its universality. But any new protocol is going to suffer from being supported in a small section of clients at first. If you can't get major email clients on board--and that includes webmail clients--then the universality of email is no longer an advantage in your proposed protocol. And if you're going to have to use a different client already, why bother with doing all the crap you have to deal with email syntax, MIME, SMTP, and IMAP?

About the only use case I can reasonably see for encrypting emails is in workflows like Bugzilla's "secure email" feature: the system is already relying on email for communication, there is a clear way to handle the recipient's key and protocol negotiation, and the metadata is irrelevant to secure.

[Mediterraneo10]

Doesn’t To and From metadata leak on encrypted-message apps, too? WhatsApp, Telegram and Signal use mobile phone numbers as identifiers. In many countries now, you cannot buy a SIM card unless you show the vendor proof of identity, a copy of which is then provided to the state for its records. Therefore, any state actor that can put pressure on those encrypted-messaging services can reveal which phone numbers are talking to who, and therefore who is talking to who. Sure, the message text might still be secure if the end-to-end encryption works, but the metadata is vulnerable.

[AnaniasAnanas]

> WhatsApp, Telegram and Signal use mobile phone numbers as identifiers

One notable exception (which as I understand is tptacek-approved) is Wire, which only needs an email.

[tptacek]

I concede that Wire has essentially lifted the core crypto bones from Signal. But metadata collection is a clear distinction between Signal and Wire, so if what 'jcranmer is saying about email metadata is persuasive to you, your choice between Wire and Signal should be clear: use Signal, not Wire.

[tinus_hn]

Well that settles it. Better do nothing then!

[claudius]

> It relies on existing mail standards

This is a feature, not a bug. Nobody actually wants to rely on a single entity (for or non-profit) for their communication. Nobody wants to be stuck in crappy Electron and mobile clients.

I had some hope that Matrix may be able to alleviate those concerns and provide a modern, federated chat solutions. Unfortunately their quality of implementation seems to be rather low with slow, laggy and resource-hungry clients and ridiculously resource-hungry servers and their current setup still apparently include a single "identity server".

[bscphil]

> This is a feature, not a bug. Nobody actually wants to rely on a single entity (for or non-profit) for their communication. Nobody wants to be stuck in crappy Electron and mobile clients.

And nobody facing a nation state adversary wants to give their chat client their phone number. I really couldn't agree with you more on the nature of the problem and the status of the available solutions. It's really unfortunate that Matrix is as unfinished as it is. At least cross signing [1] is nearly done, which should eliminate the major issue making it unusable for anyone who's not technically competent and very dedicated.

[1] https://github.com/vector-im/riot-web/issues/9631

[phicoh]

I think that one of the really bad problems with gpg and openssl is that for a long time there was effectively only one implementation.

So the key thing for matrix is to create a healthy ecosystem that has multiple implementations of the protocol and make sure that the protocol can actually evolve.

Note that the 'identity server' is an optional component. As long as you stick to matrix native user IDs, there is no need to use one.

[zucker42]

Have you used Riot on mobile recently? Sure it's not perfect, but it consistently outperforms FB Messenger on my very poor phone.

[claudius]

No, mostly because the Matrix homeserver still needs ridiculous amounts of memory. Apparently 1GB if you want to join one of the more crowded channels – what for could a chat server actually use 1GB of memory?! That's a billion characters you can store in there, even at hundreds of messages per second (which I suppose would make the channel unusable anyways?) you don't get to a billion characters very quickly.

[AnaniasAnanas]

> Nobody actually wants to rely on a single entity (for or non-profit) for their communication

You don't have to do that. Protocols like tox for example are distributed and use DHT in order to find peers.

[maxerickson]

Most people really don't care. They use Whatsapp because that's where their friends are and they will move to whatever their friends start using next.

[brokenkebab]

'People' is a poorly defined notion here, and cannot be really used for any sane conclusions. Users have different practical, and security needs, therefore different priorities which define their behavior. PGP (and its alternatives) is to Whatsapp (and its alternatives) as apples to oranges.

[maxerickson]

Okay, the vast majority of the general population, the billions of people using apps like Whatsapp.

Note that the comment I replied to started from the rather categorical "nobody".

[tdj]

This screenshot of an Ars Technica journalist with Phil Zimmerman, PGP author (yes, not the same as GPG), is very telling:

https://arstechnica.com/information-technology/2016/12/op-ed...

[dewyatt]

I'm not sure what you're implying, but without context, the screenshot is meaningless.

It could be that Phil has a policy of not storing private keys on his iPhone or something. Is that so unusual?

Anyways, maybe you're privy to context that I'm missing.

[Goronmon]

My interpretation is that even if the people who are technically savvy in that specific area, if they have times they won't deal with encrypted information, how often are non-technical people going to want to deal with it?

[sucrose]

According to the screenshot, it's not the he won't, it's that he can't.

[bscphil]

I would say the implication is that PGP is useless for general secure communications purposes. You can be secure with it when you have very specific needs and have knowledgeable contacts, but it doesn't solve the need for communications privacy that most people have.

[brokenkebab]

It's not a problem to be blamed on PGP though. A solution to shield an Average Joe's private life from his internet provider's snooping will always have its own deficiencies, exactly because of its generality.

[wongarsu]

>It implements RSA, which nobody should be using anymore

Can someone elaborate a bit? My impression was that RSA is fine with long keys, elliptic curves mainly provide shorter keys, and no decent quantum resistant algorithm emerged?

[zahllos]

There's nothing cryptographically broken about RSA as a cryptosystem per se, but implementing it correctly is difficult. There have been multiple revisions to the standards for RSA over the years in response to various attacks. The current standard is PKCS#1 v2.2 (https://tools.ietf.org/html/rfc8017) and we should use RSAES-OAEP / RSASSA-PSS as primitives.

However a PKCS#1 1.5 compatibility mode with fixes for Bleichenbacher's oracle is also present in this standard and also specified in TLS 1.2 for compatibility reasons. In order not to provide an oracle, padding and other properties must be verified and a random premaster secret returned on failure instead of an error message, see: https://tools.ietf.org/html/rfc5246#section-7.4.7.1 . Note that under the other techniques, there are a lot of caveats and remarks.

Keys must also be carefully generated, as demonstrated by ROCA. In this case a specific format of primes was used to make prime number generation faster, which unfortunately also happens to be vulnerable to attack by Coppersmith's method. Any such key is weak in the sense that the private key can be recovered.

This is a quick overview. There's a lot of literature on attacks on RSA, particular parameter choice etc. So one argument against its use is the many issues that exist and the fact that even for experts, implementing it correctly is not easy.

The other point is that, compared to Elliptic Curve cryptosystems, RSA is (usually) more expensive as an operation and key generation is certainly more expensive. As a result, elliptic curves work better in constrained environments like on smartcards. If you want to do forward secrecy by periodically generating and throwing away random keys, elliptic curves can do this more efficiently - RSA by contrast would be slow.

[zaarn]

RSA is hard to implement and requires a lot of key material to change hand.

On the flipside, a Ed25519 or Ed448 key can be reasonably dictated over phone (though you might need three minutes) and put into small low-res QR codes.

Additionally, Ed25519/448 are dead simple to implement; following the reference from the RFC documentation, you can implement a safe cryptographic method (encrypt/decrypt/sign/verify). You actually have to go out of your way and do things the standard doesn't include to make it unsafe.

Compare with RSA, where such a naive implementation will make you suffer through atleast 30 CVEs of the "padding oracle" or "leak private key" type.

While RSA is fine from a mathematical standpoint, Ed25519/448 are much simpler to implement with much less code and are designed to be reasonably safe. They provide the same security as a ~3500 bit (or about 4500 bit for 448) RSA key, so it's on the safe side of things.

There is no Post-QC algorithm yet, atleast none that made it through the NIST competition, some of them do involve using RSA with absurd key sizes and they'll likely fail the competition.

[AnaniasAnanas]

> some of them do involve using RSA with absurd key sizes and they'll likely fail the competition.

Only one (specifically DJBs joke Post-QC algorithm), and it did not pass to the second round.

[phicoh]

I don't understand the argument of dictating a key over the phone. If you care about that use case, you can just a well dictate the hash of an RSA public key.

Nobody knowns of the NIST curves have backdoors. Nobody know s if Dan Bernstein's curve has issues.

The advantage of RSA, is that we actually know how it works. I continue to be amazed that so many people advocate curves that we don't undertstand.

Of course, the big problem with RSA, is that is seems simple enough that people try to implement it themselves and get it wrong. With EC, you basically have to use one of the standard libraries.

[zaarn]

>Nobody knowns of the NIST curves have backdoors. Nobody know s if Dan Bernstein's curve has issues.

There are still some differences. NIST provides some curves and doesn't explain much about them. You can read up how DJB choose the curves. It's a very neat and tidy process that is easy to follow and very reasonable.

ECurve isn't terribly more complicated than RSA, they both rely on multiplication, though EC does it in 2D space and RSA in Modulo space. I have implemented EC myself, the underlying math isn't that much more complicated, really, than RSA.

>I don't understand the argument of dictating a key over the phone. If you care about that use case, you can just a well dictate the hash of an RSA public key.

Not only dictating over phone but for example typing a SSH key over a serial line while not being able to copy-paste directly. I've had to suffer than with my RSA4096 key once and it's NOT pleasant at all.

it also means you have much less overhead for the protocol (DH and KEX with Ed25519 only need 32 bytes of space per step instead of kilobytes)

[throw0101a]

> There are still some differences. NIST provides some curves and doesn't explain much about them. You can read up how DJB choose the curves. It's a very neat and tidy process that is easy to follow and very reasonable.

You're not wrong, but to paraphrase a famous quotation: No body every got fired for following Suite B.

AES, SHA-2, and the NIST curves are approved for government crypto, and are also probably in many industry regulations. If there's ever an incident and a post-mortem audit, then it's a lot easier to explain the choice of Suite B algorithms.

[AnaniasAnanas]

Nobody was ever fired for using DJB. Meanwhile I would gladly fire someone for using AES128 or the NSA-sponsored curves, despite being in Suite B.

[burgerdev]

Which aspect of elliptic curves would you like to understand better? The original paper for Curve25519 contains a dedicated subsection for attack models, for example, and leaves only marginal room for hidden backdoors with its detailed reasoning about curve parameter choice. The implementation of EdDH or EdDSA is specified in RFCs that are explicitly written to be "fool-proof", as others already commented.

[phicoh]

Compare the NIST curves to RSA. For RSA we know there cannot be any backdoors. If you generate good quality primes you are in business (assuming you don't make mistakes elsewhere).

For NIST we cannot say anything about backdoors. We don't use those curves because we don't trust NIST. Not because we have any prove they are bad.

So to avoid that, there is a parameter selection process that supposedly leaves no room for backdoors, though at some CCC congress DJB described how you could use a similar process to add backdoors.

So basically, EC is based on magic. We cannot prove it is bad, we just have to hope there is no hidden magic.

Note you say 'only marginal room'. Soon the whole world will use exactly one curve. With 'only marginal room for hidden backdoors'.

I feel way more comfortable to know that with RSA what you see is what you get.

[tptacek]

Even Bernstein doesn't really believe the NIST p-curves are backdoored, and the Koblitz/Menezes paper makes a pretty decent case that they couldn't be, but if you want to tinfoil hat it, just do what every modern system does and use Curve25519.

If any of this is new to you, though, you shouldn't be designing cryptosystems. Most people shouldn't! I sure shouldn't! It's an extremely specialized skill, and the world doesn't need that many new ones. Just use Nacl.

[ClumsyPilot]

99.999% vulnerabilities come from bad implementation, not "magic"!

[masklinn]

https://blog.trailofbits.com/2019/07/08/fuck-rsa/ covers that.

The executive summary is that while it's possible to implement and use RSA properly:

* it looks easy to implement so it's common for people to roll their own (and then it's insecure or broken), ECC look hard (though aren't necessarily) so devs are more likely to use properly vetted libraries

* because most of the parameters must be kept secret, good advice is hard to find (and good parameter selection is absolutely critical), not to mention e.g. good exponents has complexity and performance implications[0], ECC parameters are public and you can pick existing good ones.

[0] and security grows sub-linearly with parameter size: 2048-bit RSA has 112 bits of security, 4096-bit RSA has 140 bits of security

[cpach]

That article was discussed on HN about a week ago and there are some interesting comments on that thread: https://news.ycombinator.com/item?id=20381779

[kzrdude]

I'm just interested but it reminds me of https://facthacks.cr.yp.to/ which is a horizontal attack, finding the weakest keys in a big set of them, and batch factorization attacks. This seems more developed for RSA keys?

[petre]

It implements EC with _fallback_ to RSA if EC is not available. Blame OpenSSL, I guess, because this relies on it. Even its CLI seems to be inspired by the atrocious OpenSSL CLI.

[cwyers]

Fallback in crypto is wrong. Either succeed or fail. I don't need to sit there guessing how secure my secure messenger is.

[brokenkebab]

accidentally replying without encrypting

There are automated solutions for this in existence for many-many years.