Announcements and discussions for Gnus, the GNU Emacs Usenet newsreader
* S/MIME with OpenSSL?
@ 2015-11-08 16:15 Jens Lechtenboerger
  2015-11-10 16:42 ` Uwe Brauer
  0 siblings, 1 reply; 17+ messages in thread
From: Jens Lechtenboerger @ 2015-11-08 16:15 UTC (permalink / raw)
  To: help-gnu-emacs, info-gnus-english

Hi there,

I plan to refactor the code used for GnuPG in the Message mode of
Emacs (Gnus) and started a discussion on the Gnus devel mailing list
ding.  An open issue is the use of OpenSSL for S/MIME in Emacs,
which might be removed in the future.  So if you use S/MIME via
OpenSSL, please let me know why.

I recommend that you use gpgsm instead of openssl for S/MIME as:
** Gpgsm manages certificates (storage, expiry, revocation).
   Users need to perform those tasks manually with openssl.
** Openssl has bugs as documented in the BUGS section of man smime(1).
   In particular: SMIMECapabilities are ignored, no revocation checking
   is done on the signer's certificate.
** Advertised SMIMECapabilities include broken encryption algorithms.
   With the precompiled openssl 1.0.1f on my system RC2 is advertised,
   which should have been dropped since S/MIME 3.x, see:
   https://tools.ietf.org/html/rfc5751#appendix-B

Currently, openssl is preferred over epg (gpgsm), via
(defcustom mml-smime-use (if (featurep 'epg) 'epg 'openssl))
in mml-smime.el.  However, epg does not get loaded on its own even if it
is present.  Thus, users need to set mml-smime-use or require epg in
their ~/.emacs, but the manual does not mention gpgsm at all.

I plan to change this to prefer epg by default (and to document and
recommend gpgsm).

What’s your opinion?

Best wishes
Jens

P.S. I’d like to clarify that I recommend OpenPGP, not S/MIME.
Still, S/MIME is better than plaintext.
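
The first message's point about advertised SMIMECapabilities can be checked mechanically. The following is an added example, not part of the original post and not code from Gnus, OpenSSL or gpgsm: it decodes a DER-encoded SMIMECapabilities value and reports any RC2 entries a sender advertises. The function names, the OID-to-name table and the sample bytes are constructed for this illustration; extracting the attribute from a real signed message is not shown.

```python
"""Decode a DER-encoded SMIMECapabilities value and flag RC2 entries.

Added illustration: function names and sample bytes are constructed for this
example and are not taken from any mail client or library.
"""

# Object identifiers of common S/MIME content-encryption algorithms.
NAMES = {
    "1.2.840.113549.3.2": "RC2-CBC",
    "1.2.840.113549.3.7": "DES-EDE3-CBC",
    "2.16.840.1.101.3.4.1.2": "AES128-CBC",
    "2.16.840.1.101.3.4.1.22": "AES192-CBC",
    "2.16.840.1.101.3.4.1.42": "AES256-CBC",
}
# The message above singles out RC2; extend this set as local policy requires.
WEAK = {"RC2-CBC"}

TAG_INTEGER, TAG_OID, TAG_SEQUENCE = 0x02, 0x06, 0x30


def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element overruns buffer")
    return tag, buf[pos:end], end


def decode_oid(body):
    """Turn the content octets of an OBJECT IDENTIFIER into dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:  # high bit clear marks the last octet of an arc
            arcs.append(value)
            value = 0
    first = arcs[0]  # the first sub-identifier packs two arcs as 40*X + Y
    head = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return ".".join(str(a) for a in (*head, *arcs[1:]))


def parse_capabilities(der):
    """Return [(name_or_oid, parameter)] in the sender's preference order."""
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected exactly one SEQUENCE OF SMIMECapability")
    caps, pos = [], 0
    while pos < len(body):
        tag, cap, pos = read_tlv(body, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("SMIMECapability must be a SEQUENCE")
        tag, oid_bytes, ppos = read_tlv(cap, 0)
        if tag != TAG_OID:
            raise ValueError("capabilityID must be an OBJECT IDENTIFIER")
        param = None
        if ppos < len(cap):  # optional parameters; RC2 carries its key length
            ptag, pval, _ = read_tlv(cap, ppos)
            if ptag == TAG_INTEGER:
                param = int.from_bytes(pval, "big", signed=True)
        oid = decode_oid(oid_bytes)
        caps.append((NAMES.get(oid, oid), param))
    return caps


def weak_capabilities(der):
    """List advertised capabilities that fall in WEAK, e.g. 'RC2-CBC/40'."""
    return [name if param is None else f"{name}/{param}"
            for name, param in parse_capabilities(der) if name in WEAK]


# Constructed sample: AES-256, AES-128, 3DES, RC2 with 128-bit and 40-bit keys.
SAMPLE_DER = bytes.fromhex(
    "3045"
    "300b060960864801650304012a"
    "300b0609608648016503040102"
    "300a06082a864886f70d0307"
    "300e06082a864886f70d030202020080"
    "300d06082a864886f70d0302020128"
)

if __name__ == "__main__":
    for name, param in parse_capabilities(SAMPLE_DER):
        print(name, param if param is not None else "")
    print("weak:", weak_capabilities(SAMPLE_DER))
```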




* Re: S/MIME with OpenSSL?
  2015-11-08 16:15 S/MIME with OpenSSL? Jens Lechtenboerger
@ 2015-11-10 16:42 ` Uwe Brauer
  2015-11-10 21:41   ` Adam Sjøgren
  0 siblings, 1 reply; 17+ messages in thread
From: Uwe Brauer @ 2015-11-10 16:42 UTC (permalink / raw)
  To: help-gnu-emacs; +Cc: info-gnus-english

>>> "Jens" == Jens Lechtenboerger <jens.lechtenboerger@fsfe.org> writes:

   > Hi there,
   > Currently, openssl is preferred over epg (gpgsm), via
   > (defcustom mml-smime-use (if (featurep 'epg) 'epg 'openssl))
   > in mml-smime.el.  However, epg does not get loaded on its own even if it
   > is present.  Thus, users need to set mml-smime-use or require epg in
   > their ~/.emacs, but the manual does not mention gpgsm at all.

   > I plan to change this to prefer epg by default (and to document and
   > recommend gpgsm).

   > What’s your opinion?

I agree completely.

   > Best wishes
   > Jens

   > P.S. I’d like to clarify that I recommend OpenPGP, not S/MIME.
   > Still, S/MIME is better than plaintext.

The problem is that openpgp is, in my experience, much more difficult to
install and to use than S/MIME. I can provide a list why this is so.
This list of people with whom I communicate in S/MIME contains 8
individuals, for openpgp there is just 1.







* Re: S/MIME with OpenSSL?
  2015-11-10 16:42 ` Uwe Brauer
@ 2015-11-10 21:41   ` Adam Sjøgren
  2015-11-11  9:38     ` Uwe Brauer
  0 siblings, 1 reply; 17+ messages in thread
From: Adam Sjøgren @ 2015-11-10 21:41 UTC (permalink / raw)
  To: info-gnus-english

Uwe writes:

> This list of people with whom I communicate in S/MIME contains 8
> individuals, for openpgp there is just 1.

The list of people I have communicated using PGP contains 3 individuals,
for S/MIME the number is 0.

This is not useful information.


  Best regards,

    Adam

-- 
 "It was called Tinderbox so we could make the joke,          Adam Sjøgren
  'the tree is on fire'. Puns are very important in      asjo@koldfront.dk
  naming tools."


_______________________________________________
info-gnus-english mailing list
info-gnus-english@gnu.org
https://lists.gnu.org/mailman/listinfo/info-gnus-english


* Re: S/MIME with OpenSSL?
  2015-11-10 21:41   ` Adam Sjøgren
@ 2015-11-11  9:38     ` Uwe Brauer
  2015-11-11 16:12       ` Adam Sjøgren
  0 siblings, 1 reply; 17+ messages in thread
From: Uwe Brauer @ 2015-11-11  9:38 UTC (permalink / raw)
  To: info-gnus-english



>>> "Adam" == Adam Sjøgren <asjo@koldfront.dk> writes:

> Uwe writes:
>> This list of people with whom I communicate in S/MIME contains 8
>> individuals, for openpgp there is just 1.

> The list of people I have communicated using PGP contains 3 individuals,
> for S/MIME the number is 0.

I presume these persons have some software knowledge.

Did you try once to convince computer how shall I say illiterate to use
encryption?

Here is a short table to show why it is much *easier* to use S/MIME for
such people.


| operations                 | S/MIME                     | PGP             |
|----------------------------+----------------------------+-----------------|
| Inst of software           | no; included               | yes             |
| Installation of plugin     | no; included               | yes             |
| generation of keypair      | no; ask for a certificate  | yes             |
| interchange of public keys | simply send a sign message | yes interchange |


* Re: S/MIME with OpenSSL?
  2015-11-11  9:38     ` Uwe Brauer
@ 2015-11-11 16:12       ` Adam Sjøgren
  2015-11-12  9:31         ` Uwe Brauer
  0 siblings, 1 reply; 17+ messages in thread
From: Adam Sjøgren @ 2015-11-11 16:12 UTC (permalink / raw)
  To: info-gnus-english

Uwe writes:

> Did you try once to convince computer how shall I say illiterate to
> use encryption?

I learned a long time ago not to try and impose my preferences on other
computer users.

>   operations                S/MIME                 PGP                
>   Inst of software          no; included           yes                

I think you have some hidden assumptions about what software is used
here? Don't both S/MIME and PGP use external tools in Gnus?

>   Installation of plugin    no; included           yes                

Again, you must be assuming something about the software being used -
Gnus has built in support for both, right?

>   generation of keypair     no; ask for a          yes                
>                             certificate                               

This seems to be a negative for S/MIME: it is easy to generate a PGP
key. How do you generate an S/MIME certificate?

>   interchange of public     simply send a sign     yes interchange    
>   keys                      message                                   

I have never received or sent an S/MIME message, so it's hard to judge
this one. Does it mean that every S/MIME message includes the public key
of the sender? What prevents you from doing that with PGP-signed messages?

I've set up Gnus/GnuPG to automatically fetch keys for every person I
see a signature from, so there is nothing manual for me to do here.


  Best regards,

    Adam

-- 
 "Probabilistic algorithms don't appeal to me. (This          Adam Sjøgren
  is a question of aesthetics, not practicality.) So     asjo@koldfront.dk
  later, I figured out how to remove the probability
  and turn it into a deterministic algorithm."



* Re: S/MIME with OpenSSL?
  2015-11-11 16:12       ` Adam Sjøgren
@ 2015-11-12  9:31         ` Uwe Brauer
  2015-11-12 15:31           ` Adam Sjøgren
  2015-11-12 19:20           ` S/MIME with OpenSSL? Peter Münster
  0 siblings, 2 replies; 17+ messages in thread
From: Uwe Brauer @ 2015-11-12  9:31 UTC (permalink / raw)
  To: info-gnus-english

>>> "Adam" == Adam Sjøgren <asjo@koldfront.dk> writes:

   > Uwe writes:
   >> Did you try once to convince computer how shall I say illiterate to
   >> use encryption?

   > I learned a long time ago not to try and impose my preferences on other
   > computer users.

This is not about impose, this is about practical matter. Suppose you
want to interchange confidential information with someone outside the
GNU/emacs world and that person has very little computer knowledge. For
him/her pgp is a nightmare to install. Smime not.

   >> operations                S/MIME                 PGP                
   >> Inst of software          no; included           yes                

   > I think you have some hidden assumptions about what software is used
   > here? Don't both S/MIME and PGP use external tools in Gnus?


I am speaking here about software in general, almost all mail programs,
thunderbird, evolution, kmail, outlook, whatever have smime support


   >> Installation of plugin    no; included           yes                

   > Again, you must be assuming something about the software being used -
   > Gnus has built in support for both, right?

Same comment.

   >> generation of keypair     no; ask for a          yes                
   >> certificate                               

   > This seems to be a negative for S/MIME: it is easy to generate a PGP
   > key. How do you generate an S/MIME certificate?

It is not easy to generate a pgp for an illiterate, trust me. You can
generate a S/MIME certificate, but it will be self signed and therefore
useless, most clients would refuse a message from someone with a self
signed certificate. So you apply for certificate which is signed by a
root authority, in one of the dozen services like Comodo, they provide
you with a class 1[1] certificate for one year.[2]


   >> interchange of public     simply send a sign     yes interchange    
   >> keys                      message                                   

   > I have never received or sent an S/MIME message, so it's hard to judge
   > this one. Does it mean that every S/MIME message includes the public key
   > of the sender?

yes

   > What prevents you from doing that with PGP-signed messages?

Again for most illiterate this is not obvious. For s/mime it is by design.


   > I've set up Gnus/GnuPG to automatically fetch keys for every person I
   > see a signature from, so there is nothing manual for me to do here.

Again this is not as trivial as you think. And by fetch you mean from a
keyserver where that person has uploaded his key I presume.

   >   Best regards,

   >     Adam

Footnotes: 
[1]  class 1 means only the email is verified not your identity. If you
     want that you have to pay.

[2]  this is of course the weak point of the whole model. If those
     services are breached, the security breaks down or can break down.




* Re: S/MIME with OpenSSL?
  2015-11-12  9:31         ` Uwe Brauer
@ 2015-11-12 15:31           ` Adam Sjøgren
  2015-11-13 18:55             ` Uwe Brauer
  2015-11-12 19:20           ` S/MIME with OpenSSL? Peter Münster
  1 sibling, 1 reply; 17+ messages in thread
From: Adam Sjøgren @ 2015-11-12 15:31 UTC (permalink / raw)
  To: info-gnus-english

Uwe writes:

> This is not about impose, this is about practical matter.

Sure. My point is that I don't want to tell people how to handle their
email.

> Suppose you want to interchange confidential information with someone
> outside the GNU/emacs world and that person has very little computer
> knowledge. For him/her pgp is a nightmare to install. Smime not.

I understand that this is how you feel. You haven't convinced me this is
the case. You just keep stating that it is.

>    >> operations                S/MIME                 PGP                
>    >> Inst of software          no; included           yes                
>
>    > I think you have some hidden assumptions about what software is used
>    > here? Don't both S/MIME and PGP use external tools in Gnus?

> I am speaking here about software in general, almost all mail programs,
> thunderbird, evolution, kmail, outlook, whatever have smime support

I see. I have never heard of anyone (but you) using S/MIME with any of
these programs.

>    > This seems to be a negative for S/MIME: it is easy to generate a PGP
>    > key. How do you generate an S/MIME certificate?

> It is not easy to generate a pgp for an illiterate, trust me. You can
> generate a S/MIME certificate, but it will be self signed and therefore
> useless, most clients would refuse a message from someone with a self
> signed certificate. So you apply for certificate which is signed by a
> root authority, in one of the dozen services like Comodo, they provide
> with a class 1[1] certificate for one year.[2]

So, in my eyes, PGP is much easier here. I don't even know how to tell
someone to "apply for a certificate signed by a root authority", much
less how to get the certificate into their chosen email-program. But
every "illiterate" computer user knows this?

>    > I've set up Gnus/GnuPG to automatically fetch keys for every person I
>    > see a signature from, so there is nothing manual for me to do here.
>
> Again this is not as trivial as you think. And by fetch you mean from a
> keyserver where that person has uploaded his key I presume.

It is literally one line of configuration. Much easier than "applying
for a certificate signed by a root authority" - what so-called
"illiterate" person even knows what those words mean, much less how to
do it?

Oh, and, ooops, that's exactly what you say the problem with creating a
PGP key is.

Maybe we should wrap this up, as both are, as far as I know, equally
supported by Gnus, and so this is wandering off topic.


  Best regards,

    Adam

-- 
 "Lef ma nine imma Jeep"                                      Adam Sjøgren
                                                         asjo@koldfront.dk



* Re: S/MIME with OpenSSL?
  2015-11-12  9:31         ` Uwe Brauer
  2015-11-12 15:31           ` Adam Sjøgren
@ 2015-11-12 19:20           ` Peter Münster
  2015-11-13 18:21             ` Uwe Brauer
  1 sibling, 1 reply; 17+ messages in thread
From: Peter Münster @ 2015-11-12 19:20 UTC (permalink / raw)
  To: info-gnus-english

On Thu, Nov 12 2015, Uwe Brauer wrote:

> Suppose you want to interchange confidential information with someone
> outside the GNU/emacs world and that person has very little computer
> knowledge. For him/her pgp is a nightmare to install.

I've guided 3 such persons through GPG utilisation. They use seahorse
and thunderbird: easy, no nightmare. (Just my personal experience...)

-- 
           Peter




* Re: S/MIME with OpenSSL?
  2015-11-12 19:20           ` S/MIME with OpenSSL? Peter Münster
@ 2015-11-13 18:21             ` Uwe Brauer
  0 siblings, 0 replies; 17+ messages in thread
From: Uwe Brauer @ 2015-11-13 18:21 UTC (permalink / raw)
  To: info-gnus-english

>>> "Peter" == Peter Münster <pmlists@free.fr> writes:

   > On Thu, Nov 12 2015, Uwe Brauer wrote:
   >> Suppose you want to interchange confidential information with someone
   >> outside the GNU/emacs world and that person has very little computer
   >> knowledge. For him/her pgp is a nightmare to install.

   > I've guided 3 such persons through GPG utilisation. They use seahorse
   > and thunderbird: easy, no nightmare. (Just my personal experience...)

Linux or windows or mac users?
Thunderbird+ is the easiest option, apple mail is a little harder,
outlook seems even more so.


Did you try smime also? I am just
curious.



* Re: S/MIME with OpenSSL?
  2015-11-12 15:31           ` Adam Sjøgren
@ 2015-11-13 18:55             ` Uwe Brauer
  2015-11-14 15:37               ` Trust and public keys (was: S/MIME with OpenSSL?) Jens Lechtenboerger
  0 siblings, 1 reply; 17+ messages in thread
From: Uwe Brauer @ 2015-11-13 18:55 UTC (permalink / raw)
  To: info-gnus-english

>>> "Adam" == Adam Sjøgren <asjo@koldfront.dk> writes:

   > Uwe writes:
   >> This is not about impose, this is about practical matter.

   > Sure. My point is that I don't want to tell people how to handle their
   > email.

I still don't understand. I say: I want to interchange encrypted mail
with someone. I don't care whether it is gpg or smime, but my experience
tells me it is easier for the other one to use smime. What has this to
do with «imposing»?

   >> Suppose you want to interchange confidential information with someone
   >> outside the GNU/emacs world and that person has very little computer
   >> knowledge. For him/her pgp is a nightmare to install. Smime not.

   > I understand that this is how you feel. You haven't convinced me
   > this is the case. You just keep stating that it is.

I cannot convince you, since you obviously have not had the same
experience, good for you.


   > I see. I have never heard of anyone (but you) using S/MIME with any of
   > these programs.

Oh, 99% of the persons I am in contact with (not counting people on
mailing lists on software issues like the gnus or auctex list etc) do
not use Emacs but use either Apple mail, Thunderbird or outlook (or a
webmail interface which is another matter). So if I want to interchange
encrypted emails with them, I am faced between pgp or smime. Smime is
included already in these programs, well that first step is therefore
solved, no extra installation is needed.

   > So, in my eyes, PGP is much easier here. I don't even know how to tell
   > someone to "apply for a certificate signed by a root authority", much
   > less how to get the certificate into their chosen email-program. But
   > every "illiterate" computer user knows this?

I explain that in a minute.

It seems that you are not familiar with the issue of PKI
https://en.wikipedia.org/wiki/Public_key_infrastructure
or with smime https://en.wikipedia.org/wiki/S/MIME

I don't want to write here a long explanation since this gets off topic
easily.

The main issue with asymmetric encryption is not encryption but
authentication. In a nutshell: how can you be sure that the public key
you obtain belongs to the person, it claims it belongs to? This is the
famous man in the middle attack. The answer is to sign a public key and
here PGP and SMIME take two very different approaches:

    -  PGP creates a net of trust: there are key servers where you can
       upload your public keys so that it can be signed by people you
       trust. As a rule of thumb: one should trust a public key if
       it's signed by somebody one trusts or if this is not the case,
       trust a key which has a lot of signatures. One should never just
       use a public key which has been sent to him/her, since one cannot
       trust it.

    -  SMIME has a hierarchical model: there are a dozen or so
       certificate authorities (CA) which can sign keys. Keys signed by
       these authorities have to be trusted 100%. All software mail
       programs I listed are configured such that public keys signed by
       these authorities are trusted. That is why it is unproblematic to
       send a public key by email, contrary to pgp.

If you don't think that obtaining a certificate (a public key signed by a
CA) is easy please visit


https://www.comodo.com/home/email-security/free-email-certificate.php

(This is just a site I know there are dozen others)

Fill in name and email address, after a while you receive an email with
a link, which after clicking on it[1], does the following

    -  if you (not you Adam, but you the generic user) use seamonkey the
       certificate is already installed and since seamonkey is basically
       firefox+thunderbird  you are done.

    -  if you are using firefox, the certificate is installed in firefox
       you have to export it and then to import it to your mail client
       thunderbird say or gpgsm/gnus

    -  if you use safari, the certificate gets downloaded to your
       Desktop you double click and restart Apple mail and you are done.

This is *not* easy?

Installing pgp, a plugin and generating a pgp key is easier? Well if you
think so then I cannot convince you.


   > It is literally one line of configuration. Much easier than "applying
   > for a certificate signed by a root authority" - what so-called
   > "illiterate" person even knows what those words mean, much less how to
   > do it?

But this is a serious security risk (if not a breach) if you download a
key without checking its signatures before. See my comments above.

   > Oh, and, ooops, that's exactly what you say the problem with creating a
   > PGP key is.

   > Maybe we should wrap this up, as both are, as far as I know,
   > equally supported by Gnus, and so this is wandering off topic.

This topic has turned to «what is easier to use SMIME or PGP», which
came up in that thread, however in fact is not so relevant for the GNUS
list and that is why it is better to drop it here and to continue off-list
if needed.


Regards

Uwe 

Footnotes: 
[1]  (important: you must use the *same* browser on the *same* machine,
     you used for applying for the certificate for that operation)




* Trust and public keys (was: S/MIME with OpenSSL?)
  2015-11-13 18:55             ` Uwe Brauer
@ 2015-11-14 15:37               ` Jens Lechtenboerger
  2015-11-15 21:07                 ` Trust and public keys Uwe Brauer
  2015-11-16 11:32                 ` Trust and public keys Uwe Brauer
  0 siblings, 2 replies; 17+ messages in thread
From: Jens Lechtenboerger @ 2015-11-14 15:37 UTC (permalink / raw)
  To: info-gnus-english

On 2015-11-13, at 18:55, Uwe Brauer wrote:

>     -  PGP creates a net of trust: there are key servers where you can
>        upload your public keys so that it can be signed by people you
>        trust. As a rule of thumb: one should trust a public key if
>        it's signed by somebody one trusts or if this is not the case,
>        trust a key which has a lot of signatures.

The number of signatures does not tell much.  Attackers can create
as many as they like.

>        One should never just
>        use a public key which has been sent to him/her, since one cannot
>        trust it.

That depends on the scenario.  If I know your “real” e-mail address,
it does not hurt if I use a public key for that e-mail address that
I just “found” (e-mail, key server, homepage).

If an attacker, say Mallory, created that key in your name, Mallory
would need to intercept all e-mails encrypted under that forged key
and replace them with e-mails encrypted to your real key (or
plaintext ones) to go undetected.  I don’t think that ordinary human
beings need to care about attackers of such power.

Of course, if they did care, all they would need to do is verify key
fingerprints via some out-of-band channel.  No signatures required,
but admittedly beyond the reach of “illiterate” users.

(Besides, attackers that are able to replace encrypted e-mails should
also be able to create S/MIME certificates for other people’s e-mail
addresses.)

>     -  SMIME has a hierarchical model: there are a dozen or so
>        certificate authorities (CA) which can sign keys.

The color map at [0] shows about 650 of them.

>        Keys signed by these authorities have to be trusted 100%.

Do you realize what you just said?  With CAs, the positive term
“trust” is misused to hide something else.  “Having to trust” just
does not make sense.

I don’t trust CAs, for good reasons.  Trust has to be earned.
PKIs fail with the weakest link, and there are too many examples of
broken links [1, 2, 3, 4, 5].

>        All software mail programs I listed are configured such
>        that public keys signed by these authorities are
>        trusted.

Please, do not misuse the term “trust”.  I wrote about that in some
detail elsewhere [6].

Best wishes
Jens


[0] https://www.eff.org/files/colour_map_of_cas.pdf
[1] http://www.h-online.com/security/news/item/Trustwave-issued-a-man-in-the-middle-certificate-1429982.html
[2] https://blog.mozilla.org/security/2013/12/09/revoking-trust-in-one-anssi-certificate/
[3] https://googleonlinesecurity.blogspot.com/2014/07/maintaining-digital-certificate-security.html
[4] http://googleonlinesecurity.blogspot.de/2015/03/maintaining-digital-certificate-security.html
[5] https://googleonlinesecurity.blogspot.com/2015/09/improved-digital-certificate-security.html
[6] https://blogs.fsfe.org/jens.lechtenboerger/2013/12/23/openpgp-and-smime/


* Re: Trust and public keys
  2015-11-14 15:37               ` Trust and public keys (was: S/MIME with OpenSSL?) Jens Lechtenboerger
@ 2015-11-15 21:07                 ` Uwe Brauer
  2015-11-16 21:15                   ` Jens Lechtenboerger
  2015-11-16 11:32                 ` Trust and public keys Uwe Brauer
  1 sibling, 1 reply; 17+ messages in thread
From: Uwe Brauer @ 2015-11-15 21:07 UTC (permalink / raw)
  To: info-gnus-english


   > On 2015-11-13, at 18:55, Uwe Brauer wrote:

   > The number of signatures does not tell much.  Attackers can create
   > as many as they like.


   > That depends on the scenario.  If I know your “real” e-mail address,
   > it does not hurt if I use a public key for that e-mail address that
   > I just “found” (e-mail, key server, homepage).

   > If an attacker, say Mallory, created that key in your name, Mallory
   > would need to intercept all e-mails encrypted under that forged key
   > and replace them with e-mails encrypted to your real key (or
   > plaintext ones) to go undetected.  I don’t think that ordinary human
   > beings need to care about attackers of such power.

   > Of course, if they did care, all they would need to do is verify key
   > fingerprints via some out-of-band channel.  No signatures required,
   > but admittedly beyond the reach of “illiterate” users.

   > (Besides, attackers that are able to replace encrypted e-mails should
   > also be able to create S/MIME certificates for other people’s e-mail
   > addresses.)

I am a bit confused by all the scenarios. Just to make that clear.

If I had to communicate something really secret say with Ed Snowden, I
would of course use gpg[1] and not smime,
then I would try somehow to compare the fingerprints of the keys by some
secure means (a secure chat).

Now if you say that all the above scenarios are usually out of reach of
«normal» attackers, I am curious to see what a security breach in a CA
would really imply (see below)

   > The color map at [0] shows about 650 of them.

Nice map, however on my laptop screen I cannot see much and understand
what these colors mean, sorry.

   > Do you realize what you just said?  With CAs, the positive term
   > “trust” is misused to hide something else.  “Having to trust” just
   > does not make sense.

C'mon, sigh, don't take this «literally». I just wanted to describe the
basic concepts of smime. There are two types of certificates, self signed
which are not to be trusted and those signed by a CA, these are trusted
by the model.

Whether you (the user) should trust them is another question.

   > I don’t trust CAs, for good reasons. Trust has to be earned. PKIs
   > fail with the weakest link, and there are too many examples of
   > broken links [1, 2, 3, 4, 5].

Ok, now let us play this to the end. Let us assume that a CA, say comodo
is breached, now what does this imply??

When I apply for a certificate the private key is generated by the crypt
module of my browser. Are you suggesting that this is also hacked? That
indeed would be disastrous. Then indeed the intruder could obtain a copy
of my private key and sell it to some sinister organisation.

Or what else could the attacker do, and how long realistically would
such a breach go on undetected? For months?


   > Please, do not misuse the term “trust”.  I wrote about that in some
   > detail elsewhere [6].

I know.

Again I just claimed that for the «normal» user, with moderate security
demands smime is the easier solution, nothing more.

Best

Uwe


Footnotes: 
[1]  Among other things, with gpg I can generate a larger key say 4096
     than with smime.



_______________________________________________
info-gnus-english mailing list
info-gnus-english@gnu.org
https://lists.gnu.org/mailman/listinfo/info-gnus-english

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: Trust and public keys
  2015-11-14 15:37               ` Trust and public keys (was: S/MIME with OpenSSL?) Jens Lechtenboerger
  2015-11-15 21:07                 ` Trust and public keys Uwe Brauer
@ 2015-11-16 11:32                 ` Uwe Brauer
  1 sibling, 0 replies; 17+ messages in thread
From: Uwe Brauer @ 2015-11-16 11:32 UTC (permalink / raw)
  To: info-gnus-english




[+]
   > On 2015-11-13, at 18:55, Uwe Brauer wrote:

   > The number of signatures does not tell much.  Attackers can create
   > as many as they like.


[+]
   > That depends on the scenario.  If I know your “real” e-mail address,
   > it does not hurt if I use a public key for that e-mail address that
   > I just “found” (e-mail, key server, homepage).

   > If an attacker, say Mallory, created that key in your name, Mallory
   > would need to intercept all e-mails encrypted under that forged key
   > and replace them with e-mails encrypted to your real key (or
   > plaintext ones) to go undetected.  I don’t think that ordinary human
   > beings need to care about attackers of such power.

   > Of course, if they did care, all they would need to do is verify key
   > fingerprints via some out-of-band channel.  No signatures required,
   > but admittedly beyond the reach of “illiterate” users.

   > (Besides, attackers that are able to replace encrypted e-mails should
   > also be able to create S/MIME certificates for other people’s e-mail
   > addresses.)

I am bit confused by all the scenarios. Just to make that clear.

If I had to communicate something really secret say with Ed Snowden, I
would use of course use gpg[1] and not smime, ,
then I would try somehow to compare the fingerprints of the keys by some
secure means (a secure chat).

Now if you say that all the above scenarios are usually out of reach of
«normal» attackers, I am curious to see what a security breach in a CA
would really imply (see below)

[+]
   > The color map at [0] shows about 650 of them.

Nice map, however on my laptop screen I cannot see much and understand
what these colors mean, sorry.

[+]
   > Do you realize what you just said?  With CAs, the positive term
   > “trust” is misused to hide something else.  “Having to trust” just
   > does not make sense.

C'mon, sigh, don't take this «literate». I just wanted to describe the
basic concepts of smime. There are two type of certificates, self signed
which are not to be trusted and those signed by a CA, these are trusted
by the model.

Whether you (the user) should trust them is another question.

   > I don’t trust CAs, for good reasons. Trust has to be earned. PKIs
   > fail with the weakest link, and there are too many examples of
   > broken links [1, 2, 3, 4, 5].

Ok, now let us play this to the end. Let us assume that a CA, say comodo
is breached, now what does this imply??

When I apply for a certificate the private key is generated by the crypt
module of my browser. Are you suggesting that this is also hacked? That
indeed would be disastrous. Then indeed the intruder could obtain a copy
of my private key and sell it to some sinister organisation.

Or what else could the attacker do, and how long realistically would
such a breach go on undetected? For months?


   > Please, do not misuse the term “trust”.  I wrote about that in some
   > detail elsewhere [6].

I know.

Again I just claimed that for the «normal» user, with moderate security
demands smime is the easier solution, nothing more.

Best

Uwe


Footnotes: 
[1]  Among other things, with gpg I can generate a larger key say 4096
     than with smime.



_______________________________________________
info-gnus-english mailing list
info-gnus-english@gnu.org
https://lists.gnu.org/mailman/listinfo/info-gnus-english

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: Trust and public keys
  2015-11-15 21:07                 ` Trust and public keys Uwe Brauer
@ 2015-11-16 21:15                   ` Jens Lechtenboerger
  2015-11-18 15:04                     ` Uwe Brauer
  0 siblings, 1 reply; 17+ messages in thread
From: Jens Lechtenboerger @ 2015-11-16 21:15 UTC (permalink / raw)
  To: info-gnus-english

On 2015-11-15, at 21:07, Uwe Brauer wrote:

> If I had to communicate something really secret say with Ed Snowden, I
> would of course use gpg[1] and not smime,
> then I would try somehow to compare the fingerprints of the keys by some
> secure means (a secure chat).
>
> Now if you say that all the above scenarios are usually out of reach of
> «normal» attackers,

That came out wrong, then.  Part of my problem would be to figure
out the “real” e-mail address of “Ed Snowden”.  If you registered
the fresh e-mail address “ed.snowden@gmail.com” and uploaded a
matching key to usual keyservers, then I might fall for that.  No
special attack skills required.

I don’t know too much about CAs that issue e-mail certificates for
free.  However, based on your description of Comodo I guess that you
could also obtain an S/MIME certificate in the above case (for
ed.snowden@gmail.com after registering that address).  So the
“trust” built into S/MIME seems worthless.

> When I apply for a certificate the private key is generated by the crypt
> module of my browser. Are you suggesting that this is also hacked? That
> indeed would be disastrous. Then indeed the intruder could obtain a copy
> of my private key and sell it to some sinister organisation.

For me as malicious CA (or intruder into a CA) there is no reason to
steal the private key as I could generate a certificate with
matching private key in your name for your e-mail address, which is
“trusted”.  Then I could send signed e-mails in your name.  That
alone might get you into trouble, but you might receive responses
that alert you about some ongoing attack.  If I was a powerful
attacker, able to replace e-mails on the way, I could additionally
re-encrypt (modified) responses to your real certificate (or drop
messages entirely), and you would never know I was there.

If I cannot replace e-mails on the way, I can still send “trusted”
signed e-mails in your name and tell the recipients to switch to
different e-mail addresses with “trusted” certificates.  Then,
again, I can re-encrypt responses to your real certificate and
e-mail address.

Best wishes
Jens


^ permalink raw reply	[flat|nested] 17+ messages in thread
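
Added example, not part of the thread: the message above argues that a CA can issue a second, equally "trusted" certificate for an existing e-mail address, and earlier in the thread an out-of-band fingerprint comparison is named as the check that does not depend on the CA. The script below uses a throwaway test CA and the constructed address alice@example.org (both assumptions) to show two certificates that pass chain verification and name the same address, with only the pinned fingerprint telling them apart.

```shell
#!/bin/sh
# Added example: same CA, same e-mail address, two certificates. Only a
# fingerprint compared out of band distinguishes them. All names are constructed.
set -eu

# make_ca DIR: create a throwaway self-signed test CA in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_cert DIR NAME: new key pair and certificate DIR/NAME.pem for
# alice@example.org, signed by the test CA.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Alice/emailAddress=alice@example.org" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -days 30 -CA "$1/ca.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/$2.pem" 2>/dev/null
}

# cert_email FILE: e-mail address(es) named in the certificate.
cert_email() { openssl x509 -in "$1" -noout -email; }

# fingerprint FILE: SHA-256 fingerprint of the certificate.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# chain_ok DIR NAME: does the certificate verify against the test CA?
chain_ok() { openssl verify -CAfile "$1/ca.pem" "$1/$2.pem" >/dev/null 2>&1; }

# pin_ok FILE PIN: does the certificate match the pinned fingerprint?
pin_ok() { [ "$(fingerprint "$1")" = "$2" ]; }

dir=$(mktemp -d)
make_ca "$dir"
issue_cert "$dir" known    # certificate whose fingerprint was compared out of band
issue_cert "$dir" other    # second certificate the CA issued for the same address
pin=$(fingerprint "$dir/known.pem")

for name in known other; do
    chain_ok "$dir" "$name" && chain=ok || chain=FAIL
    pin_ok "$dir/$name.pem" "$pin" && match=ok || match=MISMATCH
    echo "$name: $(cert_email "$dir/$name.pem") chain=$chain pin=$match"
done
rm -rf "$dir"
```

Both lines of output report chain=ok for the same address; only the certificate named "other" reports pin=MISMATCH.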

* Re: Trust and public keys
  2015-11-16 21:15                   ` Jens Lechtenboerger
@ 2015-11-18 15:04                     ` Uwe Brauer
  2015-11-19 17:05                       ` Jens Lechtenboerger
  0 siblings, 1 reply; 17+ messages in thread
From: Uwe Brauer @ 2015-11-18 15:04 UTC (permalink / raw)
  To: info-gnus-english


   > On 2015-11-15, at 21:07, Uwe Brauer wrote:

   > That came out wrong, then.  Part of my problem would be to figure
   > out the “real” e-mail address of “Ed Snowden”.  If you registered
   > the fresh e-mail address “ed.snowden@gmail.com” and uploaded a
   > matching key to usual keyservers, then I might fall for that.  No
   > special attack skills required.

Correct but this applies to smime and gpg.


   > I don’t know too much about CAs that issue e-mail certificates for
   > free.  However, based on your description of Comodo I guess that you
   > could also obtain an S/MIME certificate in the above case (for
   > ed.snowden@gmail.com after registering that address).  So the
   > “trust” built into S/MIME seems worthless.

For class 1 certificate yes, for class 2 not, there you have to show up
(and to pay.)

   > For me as malicious CA (or intruder into a CA) there is no reason to
   > steal the private key as I could generate a certificate with
   > matching private key in your name for your e-mail address, which is
   > “trusted”.  Then I could send signed e-mails in your name.  That
   > alone might get you into trouble, but you might receive responses
   > that alert you about some ongoing attack.  If I was a powerful
   > attacker, able to replace e-mails on the way, I could additionally
   > re-encrypt (modified) responses to your real certificate (or drop
   > messages entirely), and you would never know I was there.

   > If I cannot replace e-mails on the way, I can still send “trusted”
   > signed e-mails in your name and tell the recipients to switch to
   > different e-mail addresses with “trusted” certificates.  Then,
   > again, I can re-encrypt responses to your real certificate and
   > e-mail address.

But in all of these scenarios you need to hack the email account. It is
not sufficient just to use a linux smtpmail server and manipulate the
form field. You also have to intercept the reply.

I don't see much of a difference between

    -  the pgp scenario: to place a falsified  pgp key on a server 

    -  the smime scenario:  to crack a smime certificate by breaching a
       CA (which is more difficult than placing a falsified pgp key).


Best

Uwe

Again the question was is smime easier to use.



^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: Trust and public keys
  2015-11-18 15:04                     ` Uwe Brauer
@ 2015-11-19 17:05                       ` Jens Lechtenboerger
  2015-11-22 18:09                         ` [smime and gpg] (was: Trust and public keys) Uwe Brauer
  0 siblings, 1 reply; 17+ messages in thread
From: Jens Lechtenboerger @ 2015-11-19 17:05 UTC (permalink / raw)
  To: info-gnus-english

On 2015-11-18, at 15:04, Uwe Brauer wrote:

>    > That came out wrong, then.  Part of my problem would be to figure
>    > out the “real” e-mail address of “Ed Snowden”.  If you registered
>    > the fresh e-mail address “ed.snowden@gmail.com” and uploaded a
>    > matching key to usual keyservers, then I might fall for that.  No
>    > special attack skills required.
>
> Correct but this applies to smime and gpg.

I’ll refer to this point below.

> [...]
>    > For me as malicious CA (or intruder into a CA) there is no reason to
>    > steal the private key as I could generate a certificate with
>    > matching private key in your name for your e-mail address, which is
>    > “trusted”.  Then I could send signed e-mails in your name.  That
>    > alone might get you into trouble, but you might receive responses
>    > that alert you about some ongoing attack.  If I was a powerful
>    > attacker, able to replace e-mails on the way, I could additionally
>    > re-encrypt (modified) responses to your real certificate (or drop
>    > messages entirely), and you would never know I was there.
>
>    > If I cannot replace e-mails on the way, I can still send “trusted”
>    > signed e-mails in your name and tell the recipients to switch to
>    > different e-mail addresses with “trusted” certificates.  Then,
>    > again, I can re-encrypt responses to your real certificate and
>    > e-mail address.
>
> But in all of these scenarios you need to hack the email account. It is
> not sufficient just to use a linux smtpmail server and manipulate the
> form field. You also have to intercept the reply.

No, please re-read the paragraph starting with: “If I cannot replace”

> I don't see much of a difference between
>
>     -  the pgp scenario: to place a falsified  pgp key on a server 
>
>     -  the smime scenario:  to crack a smime certificate by breaching a
>        CA (which is more difficult than placing a falsified pgp key).

I agree to your above statement “Correct but this applies to smime
and gpg.”  Thus, I consider the following attacks to be comparable:
Upload some OpenPGP key and register some S/MIME certificate.

However, newbies are warned not to trust downloaded OpenPGP keys,
while I’m not aware of similar warnings for “trusted” (signed)
S/MIME certificates.

> Again the question was is smime easier to use.

No.  The question was whether someone on this list uses S/MIME with
OpenSSL and would object to a change of defaults to epg.

The current topic is “Trust and public keys.”  I changed that in
response to your e-mail where you stated: “Keys signed by these
authorities have to be trusted 100 %.”

The ensuing discussion helped me to see clearer: There are S/MIME
certificates that have been issued without checks (except ability to
receive e-mail), which I find ridiculous given the goal of
certification.  The situation is even worse than I thought
initially.

Best wishes
Jens


^ permalink raw reply	[flat|nested] 17+ messages in thread

* [smime and gpg] (was: Trust and public keys)
  2015-11-19 17:05                       ` Jens Lechtenboerger
@ 2015-11-22 18:09                         ` Uwe Brauer
  0 siblings, 0 replies; 17+ messages in thread
From: Uwe Brauer @ 2015-11-22 18:09 UTC (permalink / raw)
  To: info-gnus-english

>>> "Jens" == Jens Lechtenboerger <jens.lechtenboerger@fsfe.org> writes:

   > On 2015-11-18, at 15:04, Uwe Brauer wrote:
   >> Correct but this applies to smime and gpg.

   > I’ll refer to this point below.

   >> [...]

   > No, please re-read the paragraph starting with: “If I cannot replace”

So you are talking only about evil clear signed messages, which are sent
by some smtpmail hacking, say in my name.

Well this does not pass the reality check in my experience. People
usually do not check clear signed messages, that is they do not check
whether an unencrypted message is signed or not.

They tend to check whether *encrypted* mails are signed.

Now in order that the attacker sends an evil *encrypted and signed*
message say in my name, to Joe Foo, this attacker needs the public key
of Joe Foo.

However in the smime model he usually cannot download that key from some
server but has to interchange with Joe Foo smime signed messages (which
include the public keys) so either at the end he needs to hack my mail
account or obtain that key by some other more complicated (social)
attacks.

In order to do something similar in gpg the attacker needs to hack
directly my account where I have my private gpg keys installed. Well.




   >> I don't see much of a difference between
   >> 
   >> -  the pgp scenario: to place a falsified  pgp key on a server 
   >> 
   >> -  the smime scenario:  to crack a smime certificate by breaching a
   >> CA (which is more difficult than placing a falsified pgp key).

   > I agree to your above statement “Correct but this applies to smime
   > and gpg.”  Thus, I consider the following attacks to be comparable:
   > Upload some OpenPGP key and register some S/MIME certificate.


Agreed.


   > However, newbies are warned not to trust downloaded OpenPGP keys,
   > while I’m not aware of similar warnings for “trusted” (signed)
   > S/MIME certificates.

Well most users I know are not over-enthusiastic about applying for a
free certificate from an organisation they barely know[1], but in
practice I tell them I will send them a signed message in 5 minutes
which contains my public key. So they do not over trust that model and
accept every key from everybody without thinking.

But again my scenario is about having an on-the-fly encryption which
works without much hassle for the newbies.

A question I really would like to ask Edward Snowden is what he thinks
about smime and whether NSA and friends have backdoors installed.


   >> Again the question was is smime easier to use.

   > No.  The question was whether someone on this list uses S/MIME with
   > OpenSSL and would object to a change of defaults to epg.

Right, the original question was that, but I made a point about the
simplicity of the smime model.

   > The current topic is “Trust and public keys.”  I changed that in
   > response to your e-mail where you stated: “Keys signed by these
   > authorities have to be trusted 100 %.”

Again by the model, not as a recommendation or a moral advice.

   > The ensuing discussion helped me to see clearer: There are S/MIME
   > certificates that have been issued without checks (except ability to
   > receive e-mail), which I find ridiculous given the goal of
   > certification.  The situation is even worse than I thought
   > initially.

Well you could go for a class 2 certificate.[2]  But I admit I also learnt
something about gpg: it is not as safe as I thought, since it seems too
difficult to identify trusted public keys from a server.

Best

Uwe 

Footnotes: 
[1]  and they are even worried that this organisation keeps a copy of
     their private key. That however I have checked, and seems not to
     happen with Comodo, I don't know the other organisations.

[2]  actually I don't know anybody who possesses such a certificate.




^ permalink raw reply	[flat|nested] 17+ messages in thread

end of thread, other threads:[~2015-11-22 18:09 UTC | newest]

Thread overview: 17+ messages
2015-11-08 16:15 S/MIME with OpenSSL? Jens Lechtenboerger
2015-11-10 16:42 ` Uwe Brauer
2015-11-10 21:41   ` Adam Sjøgren
2015-11-11  9:38     ` Uwe Brauer
2015-11-11 16:12       ` Adam Sjøgren
2015-11-12  9:31         ` Uwe Brauer
2015-11-12 15:31           ` Adam Sjøgren
2015-11-13 18:55             ` Uwe Brauer
2015-11-14 15:37               ` Trust and public keys (was: S/MIME with OpenSSL?) Jens Lechtenboerger
2015-11-15 21:07                 ` Trust and public keys Uwe Brauer
2015-11-16 21:15                   ` Jens Lechtenboerger
2015-11-18 15:04                     ` Uwe Brauer
2015-11-19 17:05                       ` Jens Lechtenboerger
2015-11-22 18:09                         ` [smime and gpg] (was: Trust and public keys) Uwe Brauer
2015-11-16 11:32                 ` Trust and public keys Uwe Brauer
2015-11-12 19:20           ` S/MIME with OpenSSL? Peter Münster
2015-11-13 18:21             ` Uwe Brauer
