[Freedombox-discuss] FBX Server/Client Communication Model and Threat Modeling

Nick M. Daly nick.m.daly at gmail.com
Sat Feb 16 03:25:01 UTC 2013


Hi folks, here's an active question that I'd appreciate your input on.

    What is an appropriate threat-model for the FreedomBox's
    client-server communications?

Please discuss on list or feel free to add to the FBX wiki:

    http://wiki.debian.org/FreedomBox/ClientServerCommunication

This question has a number of obvious answers, but keep in mind the
project's end-goals: to bring communication freedom to as many folks in
as many situations as possible.  To that end, what are appropriate
compromises between server and client security, accessibility, and
availability?

It seems to me that client devices fall into one of two basic
categories:

1. Those on which the user has root privileges and fully trusts (like
   their own laptop, running a fully free operating system and BIOS, in
   which no mal/spy/inscrutable-ware exists).

2. Those on which the user doesn't have root privileges and therefore
   can't fully trust (an iPhone, a laptop with non-free software and/or
   binary kernel blobs, a desktop with a non-free BIOS).

I've illustrated the fact that there's a range of trustworthiness,
though I don't know how to meaningfully measure this quantitatively (I'd
like to survey and classify devices, but I don't know how to massively
and remotely detect untrustworthy or malicious software; suggestions
are welcome).

At this point, I'm worried about secret key (identity) material.  This,
being the most important and secret of data, can teach lessons that can
be applied to nearly all other data.

I'll start by throwing out a few more directed questions to start off
the discussion:

1. Who can be trusted with which secret key material?

   1.A. Can servers be trusted with the client's key?

   1.B. Which clients can be trusted with parts of the server's key?

2. In what ways is it acceptable for devices to give up which secrets?

   For example, is it acceptable for the client's secret key to be
   exposed when the box is rooted by attackers?  (Probably not, but that
   does let the host act as a trust proxy without relying on subkeys, or
   other weird yet conceptually interesting trust models.)

3. What is the client application delivery model?  Is it:

   3.A. Browser-based interaction between client and server?

   3.B. Browser-plugin-based interaction?

   3.C. Appstore-based interaction?

Thanks for your time,
Nick