1. 15
  2. 5

    Great. Now I have a certain song stuck in my head.

    1. 5

      Exactly what happened to me. That was evil, cvoxel. A DoS attack on Lobsters' brains. :P

      1. 3

        I’m always happy to have been of service! ;P

    2. 5

      PGP signing scares me a little. You’re creating cryptographic proof that you wrote the thing, and it becomes pretty hard to deny that once you’re caught with the private key that signed a message by Dread Pirate Roberts. Even if you’re not the kingpin of a vast illegal operation, maybe one day someone will sign some song lyrics and create indisputable proof that they may owe Sony Music some royalties.

      There’s also replay attacks. Unless the message itself contains a lot of context that disproves it, I can take a signed message, add my own context around it and claim it proves something it doesn’t (“I asked someone what their favourite song was and they replied with a signed message that contained these lyrics”). Others can dispute my context of course, but I can keep handwaving and appeal to mathematics while others have to rely on those darned logic and reason things that humans are so bad at (this is possibly a similar problem to signify’s “untrusted comment” header). I’m nervous for people who sign every outgoing message they send to mailing lists because it’s only a matter of time before they sign something that they’ll either regret later (I wish there was cryptographic proof that I wrote everything that I’ve ever written on the internet, said nobody ever) or that can be taken out of context. This is worse than DKIM because at least DKIM usually includes some important headers (To/From/Date/Subject) in the signature.

      One of the only signed messages I’ve ever sent was an absentee vote in an election for the Galactic Empire*. I was careful to include the date and specifically what my vote was for, but if I wasn’t and my message just said:

      ---BEGIN PGP MESSAGE---
      I vote for Darth Vader
      ---END PGP MESSAGE---
      

      I would look pretty stupid a year later when whoever I sent my vote to conspires and claims that I voted for Vader that year, even after the whole Death Star scandal. Or someone intercepts my message and claims I was voting Vader for Worst Boss of the Year. Even the way I did it, I still created proof that on a specific day of a specific month of a specific year in the election for Supreme Commander of the Imperial Fleet, I voted for Vader, who then went on to blow up Alderaan. Darn, knew I should have voted for that other guy. Wish I could deny that now.

      I would like deniable signing for 1-on-1 messages (I think reop does this, IIUC?) so it’s encrypted and signed by a combination of your private key and the recipient’s public key and it’s impossible for an outside party to determine if the sender or the recipient wrote it, so the signature is only useful to the specific person it was sent to since they know that if they didn’t write it the other person must have, unless this becomes a plot point in a Memento sequel. Now your friend can confirm those really are your Signal safety numbers, but no officer I didn’t send those safety numbers to that degenerate what are you talking about.

      *This did happen but I may have changed some details to make it sound more interesting than it was

      1. 1

        > I’m nervous for people who sign every outgoing message they send to mailing lists because it’s only a matter of time before they sign something that they’ll either regret later (I wish there was cryptographic proof that I wrote everything that I’ve ever written on the internet, said nobody ever) or that can be taken out of context.

        It’s a risk, sure. Is it substantially better than the risk we already take? I’ve sent some regrettable signed messages to mailing lists, but I’ve also sent some regrettable unsigned messages under my real name, and claiming I was hacked and framed doesn’t sound like it would be terribly convincing.

        > This is worse than DKIM because at least DKIM usually includes some important headers (To/From/Date/Subject) in the signature.

        If you can’t just copy/paste plain text it’s much harder to verify in a compatible way. PGP officially prefers using PGP/MIME, which I think would include the headers(?), but everyone uses the (officially deprecated) ASCII format because that’s a lot more practical.

        > I would like deniable signing for 1-on-1 messages (I think reop does this, IIUC?)

        Your link explicitly claims it doesn’t hide sender identity.

        Generally if you want real security you get to choose two of signing, asynchronous messaging, and forward-secrecy. (Signal claims all three but at the cost of having trusted central servers, which to my mind is giving up actual security). There are chat-like cases where you’re happy to be synchronous, for which PGP is a poor fit and OTR or signal’s thing I can’t spell are what you want. But there are also letter-like cases where the PGP model is a better fit.

        1. 2

          Sender confidentiality and deniability are different things. If Alice sends Bob a PGP signed message over Signal, Bob can repost the text of that message on pastebin and anyone with Alice’s public key can prove she wrote it (or at the very least that it was signed by her private key). If Alice sends Bob a reop encrypted message, Bob can verify and decrypt the message, but if he posts the text somewhere else, it doesn’t prove anything as Bob can forge a message with the same authenticators. All it proves is that one of Alice or Bob wrote/signed it.
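The deniability property discussed in the two comments above (a tag that convinces the recipient but that the recipient could equally have produced) comes from authenticating with a key that both parties can derive, rather than with a key only the sender holds. The script below is an added example written for this page; it is not reop’s or PGP’s actual construction and does not come from any commenter. It uses only the Python standard library: finite-field Diffie-Hellman over the 2048-bit RFC 3526 group 14 modulus (assumed correct as transcribed; any safe prime of that size would serve the demonstration) and HMAC-SHA256 as the authenticator. Alice and Bob are constructed sample parties, and the messages are constructed sample input.

```python
"""Deniable authentication: a MAC keyed by a Diffie-Hellman secret.

Added example, not code from the thread or from reop/PGP. Shows that
the recipient (Bob) can verify Alice's tag but can also forge one that
is indistinguishable from hers, while a third party holding only the
public keys cannot check the tag at all.
"""
import hashlib
import hmac
import secrets

# RFC 3526 group 14 modulus (2048-bit MODP), assumed transcribed correctly.
_P_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
P = int("".join(_P_HEX.split()), 16)
G = 2


def keygen():
    """Return (private exponent, public value g^x mod p)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_mac_key(my_priv, their_pub):
    """Derive a symmetric MAC key from the DH shared secret.

    Both ends compute the same value, which is exactly why the resulting
    tag cannot be attributed to one of them by an outsider.
    """
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(256, "big")).digest()


def authenticate(my_priv, their_pub, message):
    """Tag a message for a specific peer. Either peer can call this."""
    return hmac.new(shared_mac_key(my_priv, their_pub), message, hashlib.sha256).digest()


def verify(my_priv, their_pub, message, tag):
    """Check a tag; only works if the caller shares the DH secret."""
    expected = authenticate(my_priv, their_pub, message)
    return hmac.compare_digest(expected, tag)


def demo():
    """Walk through the scenario from the thread; returns three booleans."""
    alice_priv, alice_pub = keygen()
    bob_priv, bob_pub = keygen()

    # Constructed sample message: Alice sends Bob her Signal safety number.
    msg = b"2017-01-05 safety number for Bob: 12345 67890 12345 67890"
    tag = authenticate(alice_priv, bob_pub, msg)
    bob_accepts = verify(bob_priv, alice_pub, msg, tag)

    # Bob forges a message Alice never sent, using the same derived key.
    # Anyone who could verify Alice's tag would accept this one as well.
    forged = b"I vote for Darth Vader"
    forged_tag = authenticate(bob_priv, alice_pub, forged)
    forgery_verifies = verify(alice_priv, bob_pub, forged, forged_tag)

    # Eve holds both public values but no matching private exponent, so she
    # cannot even decide whether the posted tag is genuine.
    eve_priv, _eve_pub = keygen()
    eve_can_check = verify(eve_priv, alice_pub, msg, tag)

    return bob_accepts, forgery_verifies, eve_can_check


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, True, False)`: Bob accepts Alice’s tag, a tag Bob forges is just as valid, and an outsider cannot verify either. Contrast this with a PGP or Ed25519 signature, which anyone holding Alice’s public key can verify and which Bob cannot produce, which is the non-repudiation the thread is uneasy about. Note also that the tag binds whatever bytes go into it, so the date and purpose from the earlier comment about the Vader vote should be part of `message` if replay in a different context is a concern.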

      2. 1

        Yeah, I guess you can step around the whole (sub)key management problem by just copying the keys you use on the desktop to your (pretty much known insecure, unless you paid Google $700 for a Nexus/Pixel) Android device.

        1. 1

          … or you just flash a custom ROM to your phone

          1. 2

            Yep, doing that, CyanogenMod, but the problem is that not all software can be updated, especially the firmware, binary drivers, and in most cases the Linux kernel as the upstream vendor gave up on the phone a long time ago. Furthermore, as far as I know only Copperhead OS has signed releases, secure boot and provides a secure way to install them, which, again, requires a Nexus.

            My i9300 (Samsung S3) runs CyanogenMod, signed with “testing” keys and has kernel 3.0.101, which hasn’t been maintained upstream for quite some time now. Hopefully someone backports all security fixes :-)