[Freedombox-discuss] PageKite relay service; risks, community and collaboration?

Markus Sabadello markus at projectdanube.org
Sun Nov 22 10:07:45 UTC 2015


Hello Bjarni,

Good to hear from you. I remember that a few years ago, together with
Michiel, we submitted an entry to the Access Innovation Prize for
combining FreedomBox+Unhosted+PageKite.
I'm running the freedombox.me domain and its associated PageKite service.
This service is open source and documented at:
https://github.com/peacekeeper/freedomkite

Since it's currently just used for testing, it's certainly not as
sophisticated as your service, and it doesn't have the same kind of
protections that you have put in place. Maybe at some point we can have
a conversation about how to improve it.

We're currently also working on adding Let's Encrypt support to FreedomBox.
Here's my box with PageKite and Let's Encrypt: https://markus.freedombox.me/

I think your analysis is super helpful!

I think the FreedomBox perspective is that a PageKite service is an
optional feature, and that DNS/connectivity can come to your box in
different ways.
Currently, a "names" module is being developed for Plinth that will
allow you to manage the various names that point to your box.
But I agree with you that for most users, PageKite will be a key
infrastructural component to make the box useful.

I believe charging users a small fee for a domain name and connectivity
is acceptable.
Owning your own domain name is central to a lot of communities that have
emerged in the last few years, e.g. IndieWeb, or various self-hosted
identity protocols, so the idea of having your own domain name should be
promoted anyway.

So the way I imagine it is that if you want a FreedomBox, you can buy
one from various providers (or install one yourself), and then you can
buy a domain name + PageKite service, again from various providers (or
set it up yourself).

I completely agree that a single entity running a PageKite service for a
large FreedomBox community pretty much contradicts the idea of
decentralization.
Also agree with you that there's probably no reliable way to prevent
MITM, and that users definitely won't run browser plugins to monitor certs.

So, your idea of a community-run network of PageKite services sounds
very interesting, and I think we'd all like to learn more!
If you have any more concrete thoughts, I'd love to contribute and try
out ideas, etc.

There's a FreedomBox progress call today (Sunday), maybe you have time?
https://wiki.debian.org/FreedomBox/ProgressCalls

all the best,
Markus

On 11/21/2015 08:50 PM, Bjarni Runar Einarsson wrote:
> Hello Freedombox folks!
>
> tl;dr: There are security risks involved in running PageKite
> relays which I wanted to warn you about. I'm also wondering if
> folks here are interested in collaborating to build a
> community-run free-of-charge network of PageKite relays.
>
>
> Sorry, this got long...
>
> It's been a while since I posted anything here; for those of you
> who don't remember me, I'm the author of PageKite (owner/operator
> of https://pagekite.net/) and the lead developer on Mailpile.
> I've been lurking on this list for ages.
>
> For the rest of this e-mail I'm going to just assume that
> FreedomBox, Mailpile and similar personal-home-server solutions
> will never succeed in reaching the masses without PageKite (or
> something just like it). Folks who disagree may want to stop
> reading now. :-)
>
> Unfortunately, if we consider PageKite.net's current business
> model (my paycheck...), it's pretty clear that it will hinder
> adoption if every single user has to pay a small fee to connect
> to the network. Freedom is important, but folks are also very
> price-sensitive about network services. People are so used to
> free stuff online, that convincing them to pay a subscription for
> something like PageKite is a very hard sell.
>
> If we want efforts like the FreedomBox to succeed, eliminating
> friction like this is important. When I am wearing my Mailpile
> hat, I struggle with this same concern.
>
> (Makers of embedded server products currently solve this exact
> issue by purchasing PageKite accounts in bulk and including the
> expected costs in the price of the hardware that is sold. This is
> a viable model, but I suspect it's not one that appeals strongly
> to this particular community...)
>
> In any case, it would be *really cool* if PageKite service were
> available free of cost, provided and supported by a community,
> similar to the Tor relay network. I haven't tried to build such a
> thing yet and I'd like to tell you why... and why I might be
> about ready to change my mind and work on this.
>
> I'm bringing this conversation to the FreedomBox list, because of
> two things: it appears freedombox.me is trying to clone
> pagekite.net, with less friction and no money involved;
> community-run-relays might be a natural evolutionary direction
> for that project. I also saw in Plinth's github someone
> requesting the ability for one FreedomBox to be a PageKite relay
> for another. Both of these ideas must be approached with care, or
> users will be harmed.
>
>
> The main concerns:
>
> 0) Users of a pagekite.me-style service are completely at the
> mercy of the person who provides them with a sub-domain. Adding
> some volunteers and decentralization to the mix at the relay
> stage doesn't actually solve the main social/political problems -
> the domain owner still controls everything.
>
> 1) PageKite relays can be abused in much the same way as Tor exit
> nodes - if anyone can volunteer to run a relay, some will do so
> for antisocial reasons, in particular to spy on the traffic. Or
> worse; to manipulate the traffic, injecting ads, malware etc.
> Using your friends' relays is NOT a solution, few people are more
> interested in spying on you than your friends, relatives and
> coworkers.
>
> 2) Phishing campaigns regularly try to use PageKite relays to
> anonymize their operations. If they succeed, then PageKite relays
> get automatically blacklisted in various firewalls, preventing
> legitimate users from accessing their kites.
>
> 3) Fly-by-night makers of cheap home-server devices may try to
> freeload off the community network without contributing anything
> back.
>
> Points 1) and 2) are critical security issues, point 0) begs the
> question "what's the point?" I am not sure whether 3) is a bug or
> a feature!
>
> Neither of the security risks is theoretical; Tor exit node
> manipulation is common and I shut phishers down on pagekite.me on
> a regular basis. I have managed these risks at pagekite.net
> through careful monitoring and manual oversight - and by charging
> money so I know who my users are and they know who they're doing
> business with.
>
>
> Addressing these concerns in a community pagekite service:
>
> 0) Centralized control can be reduced somewhat by having multiple
> service domains and multiple providers of DNS and pagekite
> authentication, and by encouraging users to use their own
> domains. While domains cost money, users will be jeopardizing their
> freedom/security in exchange for a free sub-domain.
>
> 1) End-to-end encryption may prevent tampering and spying on
> content; protecting metadata from the relay operators is largely
> impossible unless everyone uses Tor (in which case you might as
> well just use a Tor hidden service and skip PageKite).
>
> For e2e crypto, we have to deal with TLS certificates which has
> made this impractical until now. Letsencrypt.org may help, but
> it's unclear to me whether anything prevents the relay operator
> from simply using letsencrypt.org to set up their own MITM
> anyway. Hopefully letsencrypt.org monitors things well enough and
> warns certificate owners about re-issued certs...
>
> Another attack vector: if the TLD owner and the relay operator
> are one and the same (this is currently the case with both
> pagekite.me and freedombox.me), then the owner of the TLD can
> register a wild-card certificate and use that to MITM their
> users. Most users will never notice a thing. Security improves if
> DNS management and relay operations are separated. This attack
> can also be thwarted by only ever using sub-sub-domains
> (foo.bar.freedombox.tld).
>
> All of these risks can be mitigated if the users know how to use
> browser plugins like Certificate Patrol, or know how to manage
> self-signed certificates and navigate scary browser warnings. For
> non-technical users, neither is appealing.
>
> Clear-text HTTP relaying in a volunteer-run PageKite network
> should be strictly forbidden; relay operators that offer
> clear-text HTTP relaying should be blacklisted. (Who watches the
> watchers?)
>
> 2) Phishing abuse has no solution except active policing of
> relayed domains, or a high-friction non-anonymous signup process
> (preferably involving money). It may be possible to automate
> policing to a certain extent, but this will always be an arms
> race.
>
>
> Conclusion:
>
> I think letsencrypt.org *may* be enough of a game-changer that it
> is worth revisiting how to create a volunteer-operated relay
> network and make the DNS side of the PageKite solution easily
> installable, so a more diverse ecosystem can emerge.
>
> On the other hand, it might still be premature - the demand isn't
> there yet, is it? It's certainly not urgent.
>
> Are there folks on this list that would be interested in
> participating and providing resources to such an effort? I've got
> my hand tentatively raised... :-) I've also had the domain
> pagekite.org registered for ages, for exactly this use-case.
>
> All the best,
>  - Bjarni
>
>
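The wild-card point in the quoted mail (a certificate for `*.freedombox.me` is valid for `markus.freedombox.me` but not for `foo.bar.freedombox.me`) can be checked with a small name matcher. This is an added example, not code from the thread or from PageKite; it implements the name-matching rule browsers apply (wildcard only as the whole leftmost label, matching exactly one label), and the kite hostnames are constructed.

```python
import re

# Hostname label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?")


def wildcard_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a certificate name (dNSName or CN) covers hostname.

    Follows the rule browsers apply (RFC 6125 sec. 6.4.3 in its strict
    form): a wildcard must be the entire leftmost label, at least two
    labels must follow it, and it matches exactly one label, never a dot.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    c_labels = cert_name.split(".")
    h_labels = hostname.split(".")
    if "*" not in cert_name:
        return c_labels == h_labels      # plain name: exact match only
    if c_labels[0] != "*" or any("*" in lab for lab in c_labels[1:]):
        return False                     # partial or non-leftmost wildcard
    if len(c_labels) < 3:
        return False                     # reject "*.me"-style wildcards
    if len(h_labels) != len(c_labels):
        return False                     # "*" covers one label, so depth must agree
    if not _LABEL.fullmatch(h_labels[0]):
        return False
    return h_labels[1:] == c_labels[1:]


def kites_covered(cert_names, kite_hosts):
    """List the kite hostnames a certificate carrying cert_names could serve."""
    return [h for h in kite_hosts
            if any(wildcard_matches(n, h) for n in cert_names)]


# Constructed hostnames: one kite directly under the service domain, one
# using the sub-sub-domain layout the mail recommends.
KITES = ["markus.freedombox.me", "foo.bar.freedombox.me"]

if __name__ == "__main__":
    # A wildcard held by the domain owner reaches the first kite only...
    print(kites_covered(["*.freedombox.me"], KITES))      # ['markus.freedombox.me']
    # ...but a wildcard one level deeper would reach the sub-sub-domain.
    print(kites_covered(["*.bar.freedombox.me"], KITES))  # ['foo.bar.freedombox.me']
```

The second call shows the limit of the sub-sub-domain layout: whoever controls DNS for `bar.freedombox.me` can still obtain `*.bar.freedombox.me`, which is why the mail also asks for DNS management and relay operation to be separated.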
