Hi Rishab
On 26 March 2015 at 14:37, Rishab Nithyanand <rishabn....@gmail.com> wrote:
>
> Please correct me if I'm misunderstanding you. I think you don't buy some
> subset of the following implicit (I believe to be reasonable) assumptions
> that we make:

No, you're entirely correct about that :)

> (1) There is no collusion between application developers and censors.

That right there is a fundamental mistake. There are numerous ways for that collusion to happen, but I'll offer just three:

- A developer can be legally compelled to comply with surveillance. The Lavabit saga, versus the many other vendors who _didn't_ say no, is instructive in this regard.
- A developer can be infiltrated or hacked. See also: Gemalto.
- A developer can be incompetent. Leak keys (hello, pastebin!), leave admin backdoors, incorrectly configure crypto, etc etc ad nauseam.

> (2) There is a secure application distribution medium that the censors
> cannot "hijack".

...if and only if it is implemented correctly. That, again, is a dangerous assumption. It builds on the first assumption, so now we have assumption^2.

Also, remember that compromised client software trumps perfect crypto. And remember that it's not just your game client that could be attacked, it's the entire operating stack: hardware, firmware, OS, and userspace.

It feels to me like anyone who's already under surveillance would probably gain nothing at all from this exercise beyond a false sense of security. Its benefit to anyone else, over and above using the alternative existing tools, is a question I'd be interested to explore.

> (3) Crypto attacks against authenticated, encrypted, and integrity
> protected channels are not possible.

...if and only if they are implemented correctly. Another assumption, so now we're at assumption^3. And vulnerable to the same attack vectors as your second assumption.

Assume Tor is as resistant a comms channel as we can manufacture today - it didn't save Ross Ulbricht. Why? Because he made opsec mistakes _separate_ to the secure comms channel.

I think the mistakes you're making here are broadly twofold:

1) You're assuming technology is implemented in a hypothetically perfect manner. That's great in an academic thought-experiment, but not in the real world.
2) You're underestimating both the vulnerable surface area of this sort of project, and the capabilities of the potential adversaries.

And again, I don't think the paper is useless or uninteresting - I'm not completely down on it :) I just don't think it's as effective as you're pitching it to be. If nothing else, the obfuscation may raise the bar a bit for an attacker. At worst, though, it may lull a user into a false sense of security.

We do, after all, know that the NSA is attacking game networks, presumably because they have a sense that their targets are using them to communicate. You're relying on security through obscurity, but the obscurity is already under attack.

-J