Recruiting Testers for End to End Encrypted Private Messaging Extension

katos

Count me in to help testing as always @Kyrne

Kyrne

matteocontrini messages will still be stored on the server but will not be viewable by admins.

MikeJones

You know I like helping you test! But I may be camping and away from data this weekend

Kyrne

Going to try to keep everyone updated on progress with the ext.

I don't have an ETA at the moment but as of today the core systems are basically done and it would almost work as it is. I still need to integrate the encryption system and this will take the longest.

I hope to have it out to 2-3 of you come the weekend with a full release by the end of May. This is obviously subject to change.

matteocontrini

Kyrne do you think it would be possible to have a version of this without the encryption? 😅

I think the UX/UI you designed is great, but having the encryption makes it hard or impossible to moderate private chats, which is something that is usually done by forum owners/moderators to prevent spam.

Kyrne

matteocontrini potentially in the future. I talked to another person about it and they thought it would be good to have a "request moderation feature." In which messages would be selected and then encrypted in a way moderators can view.

Yalfoosh

Kyrne This is better, because it doesn't screw with privacy laws. I have headaches because of GDPR and privacy laws in Europe because of how Byobu is structured. For spam there is fof/ignore-users, which you should have on a forum regardless of whether or not you have this extension.

While people might think that seeing other users' messages is part of the forum moderation, you have to be careful of how you advertise your messaging system. Byobu (or any other system without end-to-end encryption) is not even close to private messaging, and advertising your messaging like that could get you sued (instead you have to say it's direct messaging).

The only reason why you might need the messages themselves is for the police and courts. Private messaging should be the responsibility of those who message.

matteocontrini

Yalfoosh I'm sorry, but that's what privacy policies are for... Users shouldn't "think" that messages are moderated, they should read it in the privacy policy before they accept it.

Ralkage

Yalfoosh when I was speaking to the other person in our ReFlar group at the time who was working on a “PM” system before we let him go, we had a huge debate about it being a “Private Message” vs “Direct Message” system and I always fought for the latter 🤣

I mean are Private Messages actually private if you allow other people such as Admins or Mods read messages that are supposed to be considered “private” in the first place? This is why Vbulletin never had a UI to view private messages and it wasn’t until someone created an add-on for it that cause a big fuss in the modding community.

I will always favor “Direct Messages” all the time because that’s what they are essentially. We can thank Instagram for making that terminology popular.

Alkir

Kyrne
I'm ready!
👨‍💻
Alkir#9885

Yalfoosh

matteocontrini As I've said - sure. But you cannot say that is private messaging because there is no privacy since a third party can see whatever is said. It's direct messaging, and a legal headache (because privacy laws are different from country to country).

I guess my point is this: while it's true that you can just write whatever in the privacy policy, you cannot override law. If you're dealing with users in which country some part of your privacy policy is illegal, you'll have to disable either the extension for those users, disable their access to the forum as a whole, or just change the extension you have to comply with the law.

rob006

Ralkage I mean are Private Messages actually private if you allow other people such as Admins or Mods read messages that are supposed to be considered “private” in the first place?

That depends what do you mean by "private". For me it means more like "owned by me/dedicated for me" (like private company or private banking) instead of "secret/confidential".

Yalfoosh

Ralkage The thing is we already have Direct Messaging (Byobu) We do not have private messaging.

[deleted] This opens up an awkward can of worms for GDPR in the sense that if you are requested by subpoena or similar court order to disclose information relating to any ongoing or incumbent case and it is encrypted, there will be issues arising from this in the sense that you are not able to provide the information requested.

But GDPR requires you to implement end-to-end with a backdoor anyways, so that means that this issue, as well as others, don't actually exist, otherwise you're violating GDPR. Because it's likely that this extension's end-to-end would be self-hosted, the backdoor already exists in the form of you having the private keys (and not a third party). The question is only what kind of notification/logging would there be in the case of you decrypting stuff yourself. I'd be in favor of there being simple logging in case of a government intervention that requires confidentiality, with a mandatory user notification in case of a simple moderation intervention.

That way you cannot actually personally abuse that you're someone with the access to the database without the user knowing (nor can any attacker), but you still allow pretty much everything direct messaging would allow.

rob006

Yalfoosh There is nothing about encryption there. User may ask you to provide all his data, but if all you have is encrypted data without decryption keys, then this is what you give him: encrypted data.

[deleted]

rob006 exactly that.

tankerkiller125

[deleted] I've split the GDPR discussion 😉

Yalfoosh

[deleted] But wait. In the case of this extension where it's possible that there won't be a third party who would host the keys, but you, you DO have access to the keys. I realize it's not really end-to-end encrypted since you could practically decrypt stuff yourself, but you'd have to decrypt stuff then upon request because you can, right?

Kyrne

Little pre-weekend update:

Still making steady progress on the extension. I spent today and yesterday adapting and implementing my encryption scheme into the extension. As of now, all necessary encryption keys are able to be stored securely on the server. I'm running about a day-day and a half behind my schedule in the last post, but I will be working on it all weekend.

Mark73

Kyrne
Could you please provide us with a demo to see it in action after releasing it?

Kyrne

Mark73 I mean it's going to be free, but yeah I can do that.

Kyrne

I've finalized the encryption architecture, here's an overview in as laymen terms as possible.

The encryption scheme is based on the Double-ratchet/3x Diffie-Hellman protocol. With a few distinct changes (see below). This scheme is entirely custom made for the extension as there is no current implementation in JS.

The term “Double Ratchet” comes from how the protocol makes sure each message gets a new key: their Diffie-Hellman keys are “ratcheted” with each new message exchange. So are the send/receive
keys (the symmetric ratchet).

OVERVIEW

IdentityKeys

Each peer in the protocol has an IdentityKey, these are secp256r1 keys. These keys are used to authenticate both PreKeys and ExchangeKeys. IdentityKeys are used similarly to the public key in an X.509 certificate.

ExchangeKeys

ExchangeKeys are unique to my implementation, they are used to derive PreKeys. The ExchangeKey is signed by a peers IdentityKey.

PreKeys

A PreKey is a secp256r1 public key with an associated unique id. These PreKeys are signed by the IdentityKey.

On first use, clients generate a single signed PreKey, as well as a large list of unsigned PreKeys, and transmit all of them to a server. Once a user "exhausts" their prekeys, new conversations with that user cannot be started until he/she generates more. (This will be automated in the ext)

Server

The server in the protocol is an untrusted entity, it simply stores preKeys and the encrypted identity (containing the respective private keys) for retrieval when the peer may be offline and unreachable or the identities owner changes devices/clears their cache.

Sessions

The Double Ratchet protocol is session-oriented. Peers establish a session with each other, this is then used for all subsequent exchanges. These sessions can remain open and be re-used since each message is encrypted with a new and unique cryptographic key. This is not like a websocket session where there is an active open connection socket, but more like a chain that is asynchronously maintained.

DIFFERENCES

I am using secp256r1 with ECDSA and ECDH instead of ed25519 and x25519 because browsers do not have support for these algorithms in their WebCrypto implementations at this time. The use of these browser supported algorithms has several benefits, including:
- Native cryptographic implementations that should be more resilient to subtle implementation issues such as side channels,
- Ability to utilize non-exportable keys for both identity and authentication keys when used in the browser,
- The use of WebCrypto should also provide both increased performance and better battery life,
- Reduced bandwidth requirements because the crypto implementation is available nativly,
- Keeping your identity and exchange keys on easily availble smart cards like the YubiKey Neo which supports secp256r1.
The decision to use secp256r1 also meant i needed to extend the protocol to support separate keys for signing and encryption. ed25519 is based on EC-Schnorr which is believed to not leak details about the key, the NIST EC curves do not have this property, hence the change. The change includes the newly introduced encryption key being signed by the corresponding identity key.
Due to patent concerns I also utilized uncompressed keys in the wire protocol, these uncompressed keys are larger but I believe them to be unencumbered.
Unlike the original double ratchet protocol, my protocol uses Protobufs instead of TLV for packing messages, this simplifies parsing for easy import and export.

PRIVATE KEY ENCRYPTION

As I mentioned in another thread, the identity that is sent to the server containing the private keys is encrypted using PBKDF on the user's password. This stretches (or compresses if the user has a ridiculously long password) the password into a 256 bit key (salted of course) which can be used for AES-GCM-256. PBKDF is iterated 128000 times (for reference, last time apple was asked, they run 100000 iterations for iMessage). This means that it would take upwards of a 100,000 years for the world's fastest supercomputer to crack the key and decrypt the identity. (A hacker with an average sized botnet would take about 834,000,000 years to crack it) but it only takes the user about 80ms to decrypt or encrypt it. If the user has not setup their keys, or are on a new device, the extension will ask for the user's password a second time, preventing admins using impersonate from seeing the user's messages.

Finally (this is new as of today) the key and salt are stored in different locations in the buffer, this is called buffer address space layout randomization (BASLR, similar to ASLR). This will make it impossible for 99% of forum admins to decrypt the identity key, even with the user's password, it will make it a massive pain in the a** for the other 1%. This portion of the extension is coded in C and compiled into webassembly and thus is completely read only (cannot be easily modified without the source code).

When the key is on the user's computer, it is stored decrypted in the indexeddb which is sandboxed on each website protecting it from XSS.

The extension's JS source code will not be public at any point in the future. If you would like to conduct a security audit you may contact me for a copy of the source code (excluding BASLR).

f00wl

Kyrne Thanks you for your answer. I really don't want to offense you, this discussion is quite important for me, sorry if my words are a little raw.

Kyrne I made my own as a fun project to do. I have an extensive background in cryptography and cyber security. Also that library hasn't been updated in years, there are some better and more efficient ways to implement the algorithm in JS in 2020.

I think fun is a self-sufficient reason for scripting. You're right, the code hasn't been updated past two years.

Kyrne People can request the source code to do a security audit, closed source to prevent admin tampering.

I understand and indeed It prevent admin tampering (although it's possible to disassemble it), but it don't prevent dev tampering, so the problem is the same, how can we trust your app ? Not just me, maybe I can review the code, and also I would like to compile it myself to be sure no backdoor added since my review. The privacy policy of the forum I manage don't allow us to use proprietary software (and we don't spy users for very short), and admins are organized as a transparent nonprofit collegial association. It's not perfect of course but users can trust this organization. What about one person who said "trust me, I'm cyber security expert" ? I really want to trust you, and I think you are well-meaning, but I can't be sure. Do you think people trust more one dev than admins who are hosting the forum where they choose to be. Honestly I don't know...

f00wl in your design is there something prevent the manipulation of keys server side ?

Kyrne Please see my post a few up from this, it details the processing of keys on the server.

Kyrne The server in the protocol is an untrusted entity, it simply stores preKeys

Kyrne These PreKeys are signed by the IdentityKey

If binary is necessary to prevent admin tampering, so yes the server is an untrusted MITM entity, so there is no way to be sure that is a real e2e encrypted session unless users are able to verify keys through another trusted channel, like signal does with safety numbers in fact.

Kyrne rob006 to clear things up, I'm not making the source private to prevent exploits, I'm making it private in an attempt to prevent admins from modifying it and stealing a user's keys to read their messages.

I fully agree that admins have to much power on user data, generally I mean. And that is why we want to host opensource software our self. One thing great with opensource is that if I don't trust any community admins I can host my own. And flarum is opensource <3.

Kyrne Would you rather I just release it paid?

Of course not, really, that is not the point. The point is what happen if at anytime you want to sell it ? Or just stop maintain it ? I want to provide a long term support/security/stability to the community, I can't made a part of it dependent of only one person. This is not a good strategy for us.

Kyrne How is this a step toward the market model, but my other premium exts aren't? It's totally free.

I'm new, I didn't even know that you developed premium exts. Indeed they are. Thanks for pointing that, this is an other subject just as important. I will probably open a thread about this.

Kyrne I've put more hours into this extension than any other I've made, it's the most requested extension of all time (and thus likely very sellable), and yet I'm giving it away for free.

Yeah, It's a really good idea and I'm personally happy because I care about privacy, and I'm very grateful you share it with us freely and many thanks for all your contributions! I receive your proposal very seriously. NB: There is a difference between free no cost and free libre (in french).
If you didn't planned to sell it, then you can opensource it. I didn't find a full review but the question about opensource more/less secure than closedsource is far as trivial. I notice that in this whitepaper (first ranked in google scholar with query open source software more secure):

In this research, we have been unable to demonstrate greater security through obsecurity or cloaking, and thus unable to assert that closed source offers additional protections or tangible security features we can leverage in pursuit of a more secure system.

So, If we can't decide only with the security point, and as you say money is not your goal so...

Kyrne Also I'm not hiding my code, since I made it, I get to choose what I do with it.

rob006 "Because I don't want to" is good enough reason to keep your code private. 😉

You're free to do what you want with it :-)

Kyrne Once again you can request the source code to do an audit if you'd like, no one is going to force you to use it.

If you change you're mind and open source the full code publicly, let me know I will be very glad to audit it. I would like to use it but I can't because of all stuff I wrote here and because of our chart (and I fully support it).

« Previous Page Next Page »