Towards a Layperson's Security

Overview As techincal breaches and vulnerabilities are in the news nearly every day, getting no less sinister, and the US Presidential elections are beginning to heat up. Looking backwards, much of the Mueller Report appears unabsorbed by folks who either should or need to know better, and the propagation of an increasing amount of tough-to-explain information which confuses and contradicts a reasoned understanding of the security landscape is annoying, at best.

The Guardian v WhatsApp

What happened? Nathaniel Mott wrote and The Guardian published a false story about a WhatsApp “vulnerability” that’s more accurately described as a security trade-off appropriate for about 99.99% of their users and recommending folks use Signal instead. Outrage ensued, culminating in a rebuttal by the Signal protocol’s author and an open letter calling for an apology and retraction, co-signed by 72 academic and industry experts. The Guardian doubled down with an article by Tobias Boelter, the grad student responsible for the original claim, mis-representing the rebuttals as semantic arguments over what constitutes a “backdoor”.

The Economics and Politics of Free Basics

Facebook Internet: a nutshell Facebook’s Internet.org brand is starting to go away. Good. The initiative is not the internet and it’s not a non-profit organization. It is an advertiser funded micro-network, similar in function to earlier incarnations of AOL, and it’s now called Free Basics. This is a significantly more honest name, and for that, Facebook deserves credit. Honest PR is good PR because it allows us to move past semantics and into the politics and economics of the project.

The Economics and Politics of Free Basics

Facebook’s Internet.org brand is starting to go away. Good. The initiative is not the internet and it’s not a non-profit organization. It is the “free” model applied to a curated micro-network like the earlier incarnations of AOL, and it’s now called Free Basics. This is a significantly more honest name, and for that, Facebook deserves credit. Honest PR is good PR because it allows us to move past semantics and into the politics and economics of the project.

Apple, Lavabit, and Legal Intercept

This post summarizes my thoughts about what seem to be persistent misunderstandings about Apple’s iMessage and FaceTime cryptographic system and their relation to Lavabit’s legal case. The post ends with some history as well as opinions about security as it pertains to communications infrastructure. Apple Apple says they couldn’t comply with a wiretap order on iMessage and FaceTime even if they wanted to, but Nicholas Weave, echoing an idea often repeated, says otherwise:

Judicial Side Doors and Single User Encryption

In Theory Bruce Schneier writes: Someone recently noticed a Washington Post story on the TSA that originally contained a detailed photograph of all the TSA master keys. […] The whole thing neatly illustrates one of the main problems with backdoors, whether in cryptographic systems or physical systems: they’re fragile. Except in the case of cryptographic systems like full-disk-encryption, they are not. In the TSA baggage key scenario, a copy of the physical master key need to be present wherever baggage is screened.

VPN and WebRTC

A curious demo where a web server sends you JS that sends back your internal network IP address via the STUN protocol intended to work around the structure of NAT’s for peer-to-peer connections. What does that leak about a VPN connection? Over PPTP: Well, that’s worrying. What about over L2TP? hm… and over OpenVPN? Well, that’s somewhat comforting, at least. todo.add('learn how the VPN wizardry works')

Part 2: Crypto Magic

This piece is part 2 of a series about cryptography on the web. It outlines the building blocks, following up the first part, which explained why cryptography on the internet is needed in the first place. I. Overview From the outside, cryptography is very much like magic. Unlike the magic in Harry Potter which mostly works with things, however, cryptography works with data. Admittedly, that’s not as cool, but it is real and used billions of times a day all around you.

HTTPS Part 1: Chinese Whispers

This piece is the start of a series on cryptography on the web. It explains the reasons we need encryption on the web, and Part 2 explains the basic building blocks used. I. Behind the Curtain If you type amazon.com into your browser, your computer reaches out to another computer owned by Amazon, which sends back a bunch of code describing what to draw on your screen and what to do when you click and type into the window.

Wildcards and SAN's in SSL certificates

Prereqs This post assumes you understand the general concepts underlying https and expounds on how certificates specify which domains they validate and summarizes the kind of certifications that Certificate Authorities (CA’s) offer. Big-picture view There are three layers of rules governing how https certs work, set by various standards bodies and private companies: protocol specs from IETF like TLS and HTTP over TLS, publications of the CA/Browser Forum (CABF), and published practices and internal policies specific to a CA.