[matthewdgreen]

Some technical experts at GCHQ have publicly suggested using "ghost users" (a kind of server-forced MITM) as a way to wiretap encrypted messaging [0]. The proposal is slightly different from a traditional two-party MITM, since it involves adding additional users to group chats, but the basic idea is similar: legally compel messaging operators (e.g., WhatsApp) to participate in wiretapping. Presumably there are other clandestine agencies who might try to do something similar by illegally compromising service providers.

Key transparency makes standard MITM much more detectable, and so it will significantly dissuade agencies and private actors from investing in those capabilities. It obviously doesn't solve all problems (governments will still be able to hack, and hypothetically even to mandate client changes that break the disable transparency) it removes a piece of low-hanging fruit and signals to governments that it isn't worth trying to exploit protocol weaknesses.

[0] https://www.lawfareblog.com/principles-more-informed-excepti...

[eganist]

> Key transparency makes standard MITM much more detectable, and so it will significantly dissuade agencies and private actors from investing in those capabilities.

Just the private actors. Agencies would just spend more on it, or investigate side channels that achieve the same ends.

[palata]

> Agencies would just spend more on it

That's the whole point of security: you try to make it too costly for your opponent to do it. That's why you have a threat model: to decide how much is "too costly".

[eganist]

Sorry, I didn't communicate my point well.

Agencies, the ones you'd care about, don't spare expenses.

If your threat model includes agencies, making an operation expensive isn't your goal because money might as well be infinite. So you target a different resource:

Time.

It would've taken more time to convince Apple to let the FBI into the San Bernardino shooter's phone than it took for the FBI to use a vendor with a crack for that device and OS. Hence.

---

I'm not disagreeing with the value. I'm merely pointing out that if your goal is to tamper with attack economics, you need to target resources that are finite for the adversary. With many state actors, that resource is time.

[matthewdgreen]

Agencies have different interests that are much more complex. In particular, the United States government does not want to cause a global iCloud or WhatsApp outage because they were trying to spy on a few potential terrorists. They don’t want to spend a year in FISA court trying to make Meta alter their platform. They don’t want a whistleblower software engineer blowing their operation up. They don’t want half the world to ban US technology companies because they clumsily got caught adding backdoors. Even if none of that happens, they don’t want to risk their precious access getting broken because someone pushes a software update or a new security feature.

Updates like key transparency don’t perfectly prevent all those things, but they make it less useful to invest in capabilities that might now be incompatible with them, or might get detected because of this feature. They also signify that the organization is hostile to the sorts of exploit that might enable surveillance, and that it’s probably better not to engage with them.

Lastly, government agencies do not have infinite money.

[eganist]

Matt, we had this conversation in person at a bsimm conference years ago when we were talking about how best to focus energy during threat modeling exercises. And while your position has become more nuanced, it still reconciles with our original agreement that time is the finite resource.

Unless I'm missing something specific? I imagine the reason why an agency would avoid said hostile battles is specifically to preserve time or perhaps to also buy time. (Being noisy is a great way to lose time quickly)

Agree to disagree on the money component, though. Maybe my comment is best clarified as "infinite from the perspective of [defender]"

[palata]

Got it, thanks for the explanation :)