Cryptography Tools

From DevSummit
Jump to: navigation, search

Overview of Crypto – People of unfamiliar – why you might want to use encryption. Common places interact – network services – encryption can work well. Are some people – who need encryption to stay safe. In an act of solidarity – by using encryption we can raise the bar. Start a community against surveillance.

HTTPS

HTTPS – (HTTP) Add secure s is added at the end.

  • Browser add-on = https everywhere.
    • https everywhere force sites that use it for the client to user it.
  • Other sites support it and make it optional.
  • HTTPs relies on servers to support it.
  • Some support https by default some do not
    • Ok cupid – didn’t support secure connections at all.
    • Very concerned – Garret was heartbroken that OK cupid wouldn’t use https. Wrote to them and did not listen. Eventually they did overtime.
  • Used to work for Mozilla. In the browser community – trying to use https all the time and everywhere.
  • A ton of info about what you do online. More data that can be collected – more the NSA can build a profile about you.
  • In the context of the web – combating mass surveillance.
  • HTTPS does not obscure your location.

E-mail

E-mail – PGP or GPG used to encrypt your e-mails. A way to bolt security on the e-mail protocol. As the internet grew - malicious activity started to happen more frequently. Tried to use e-mail in a secure way – closest thing we have to making e-mail more secure.

E-mail has fields (headers) – meta data – How to send e-mail from one place to another. Nothing to be done to encrypt that information. All routing information is public. All GPG encrypts body of the e-mail. Which is good and an improvement. It’s not anonymous – Larger state adversaries can still do traffic analysis. Able to extract lots of information about who is talking to who. Trivial for them to collect it and build lots of information or a profile on someone. GPG or PGP should not be used. Garret personally does not recommend it.

A number of problems with PGP. Does not hide meta-data. Depending on threat model you may want to do that. You should always hide meta-data. NSA only collects meta-data – can paint a huge picture about who you are talking to and when.

PGP is not that great. Another problem. It uses old crypto. Might be easier for older people to break it. Uses RSA. It’s difficult to use. A really big problem. Technical problem. PGP and GPG lack forward secrecy.

When set up encrypted channel use secrete keys. If keys are secret then it’s secure. If not then they can be decrypted. Can re-use keys over and over again OR can use one time use keys. When connected to gmail.com over https. Send keys back and forth. Used same keys for everyone. If someone where to break into gmail servers. Post Snowden. Really bad. Not cool. Big push to support forward secrecy. Everyone talks to gmail negotiate a new key just for that session. Afermeral or session key. Makes it hard for other malicious actors (NSA) to go back and decrypt. Forward secrecy – key compromise a lot harder.

If Garrets private key (secrete) is compromised – can go read all of garrets e-mail. If loose GPG key. In huge trouble.

  • Smart card. Can only get in Germany.
  • Yubi keys.

What do you recommend in opposition to PGP??

  • OTR – forward secure chatting. Signal encrypts calls and messaging.

Tor

Traffic analysis is fairly easy. Tor makes it more difficult to track who is doing what or an anonymizing network. Sites cannot see who is actually visiting what websites. If you can see entire network. Global passive network – can make assumptions on who is doing what. Not entirely sure if gov agencies or NSA can deanonymize tor. In 2011 according to Snowden documents we knew the NSA couldn’t. Anyone can see the traffic on a exit node.

Difference between Virtual Private Network (VPN) and Tor

Used VPNS to connect to external work network. Used to proxy over the internet. Route traffic through your server. Observers of your connection cannot see what you are doing. Can only see that you are connecting to a VPN. VPN can see everything you do?

In China cannot google Tiananmen square. Connect to a VPN outside of China. VPN always knows what you are doing. TOR can be a better solution than using a VPN. Run by volunteers. One server knows who you are.

Tor servers that are run by volunteers. 7000 exit nodes. List of all servers is public. There are some sites that will intentionally block all servers. Very annoying. People use tor for abuse and SPAM all the time.

TOR is slow – three times longer to do everything. Tor makes multiple hops around the world. Pretty good. Can stream audio and video not great.

Do not use bittorrent over tor. Makes entire slow. Not really anonymous. Try to pirate content over tor. Bit torrent protocol not safe over tor. Bad etiquette – slow the entire network down. Use an encrypted channel in tor.

Downloading from a site that is using http. Traffic can be intercepted. Source forge no encryption. Easy for whoever is control of the exit node or relay and intercept traffic. If connection using https inside of tor cannot mess with it.

VPN question – Safer if you run open VPN server? It is a a bit more secure? It depends on threat model. Spy agencies – not a good threat model. Cause virtualize server cloud provider – controlling server for you. Run infrastructure. Do not as a good of a job for people who it for there job. People do it better. Attacker will look for the weakest link in.

SSL Certificates

SSL Certs – Domain validate – extended validations certs. Cash cow for people who make the certs. Certs not really secure it all. Domain validation. Extended validation – not just you control a domain. You are who you say you are. Bank of America. Provide tax records. You are who you say you are. Has gotten cheaper. Keep out for let’s encrypt. Free SSL certs for everyone. Automate process – nonprofit created by EFF. Issue certs for websites for free. Have become certificate authority. Cross signature from another CA. Wants that because it looks better. Same crypto for a “nicer” a bank.

Freedom of Press – automating – ansible –

POND – encryption tool – hide meta data – obfuscate traffic analysis ricochet – much easier to use. Not quite as secure.

Mobile

HTTPS – When using whatsapp – message contains metadata to tell who and where to send message. Whatsapp takes body and headers and uses whatsapp in encrypted tunnel. HTTPS – can do nothing to do with that. Still have to do a DNS lookup. DNS first connection cannot be hidden. TOR or VPN used over encryption.

  • Phones – baseband. Proprietary.
  • Compartmentalize – keep things separate. Best way to avoid making mistakes.