[Freedombox-discuss] FBX Server/Client Communication Model and Threat Modeling
Nick M. Daly
nick.m.daly at gmail.com
Sun Feb 17 02:57:56 UTC 2013
As before, please continue this discussion here or on the FBX wiki:
http://wiki.debian.org/FreedomBox/ClientServerCommunication
Melvin Carvalho <melvincarvalho at gmail.com> writes:
> Hi Nick, great topic. Which client/server interactions would you envisage
> as being high on the priority list? e.g. ssh to box, login to dashboard
> via a browser, using gpg based tools for email etc. ... a specific context
> may be slightly easier to visualize the possible attack surface ...
That's a really good point. I'm seeing a few different potential
client/server interactions here. How do we enforce, yet not compromise,
key and identity material for both end points in each case? How do we
deliver services or client-applications from the server to the client?
0. Everything connects to a fully free FreedomBox: DreamPlug or
equivalent that's fully verifiable (without binary blobs or non-free
software).
I care about two different aspects of each client:
1. Is the client fully end-user-controlled and verifiable?
- Binary blobs?
- Firmware?
- Bootloader?
- Non-free software?
2. Is the network trustworthy?
- End-user-controlled?
- Verifiable?
- End-to-End?
- Other Criteria?
Am I missing anything meaningful?
These attributes are non-exclusive and seem to line up like:
1. (Yes, Yes) A fully trusted client (a user-owned/rooted laptop)
connecting over wifi.
2. (Yes, No) A rooted phone connecting over most data-networks, or a
tethered laptop.
This case seems to simplify to (Yes, Yes) as, unless the network
censors encrypted connections, you could always set up a VPN. In
those cases, it seems to transform into (No, No), as the user has to
be complicit in the network's insecure requirements.
3. (No, Yes) A compromised client connecting over a "trusted" connection.
A rooted phone connecting over wifi: the client could be ratting out
the user, and the network would never know. Most Windows boxes fall
into this category.
4. (No, No) A compromised client connecting over a compromised
connection.
These are called iPhones.
What do we need to support useful communication between each without
disclosing secret-identity material to third parties?
My suspicions are:
1. This one's easy as pie, were pie easy. If we need client
applications, we use them. If we need browser plugins, we use them.
If we need a network, we use it. We can enforce any restrictions we
need for secure communications.
2. Initial delivery is difficult but, thereafter, execution is easy.
3. We can't trust the client, so it can't handle its own data. ...What?
Yeah... We have to start being creative here. Perhaps the client
could hold half its (secret-shared) key, which is delivered to the
server on connection. Anybody could extract the key and impersonate
the client. It's the same problem as
third-party-advertising-networks: only your adversaries and their
3,000 closest friends have the information you don't want them to
have. Without your phone and password nobody else could impersonate
you, though, so your secrets are safe from your siblings.
4. I have no idea how to handle the iPhone case. iPhones can't store
their own key identity material, as it's preemptively compromised.
This is where the client-key-splitting idea comes into play, but that
makes each FreedomBox a more worthwhile target, as knocking one of
those over then compromises all its clients.
I would be stunned if FBX applications were inoffensive enough to be
distributable through any app stores. Users can say *anything* they
want and *we can't censor them?!* It'd never fly.
How do we support all four modes at once? Anybody want to add another
variable and make it 8 or 16 states?
If anyone's aware of any recent research into these problems, I'd
appreciate the pointers.
Nick
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20130216/a23f2dc5/attachment.pgp>
More information about the Freedombox-discuss
mailing list