Because the user doesn’t have control over the web server that is providing the web app, any web service provider can change the application that is delivered to end users. This includes potentially providing a malicious application that could compromise the encryption. Because of this, ProtonMail should not provide a web application.
This issue is not specific to ProtonMail, of course, but applies to any web app in existence today. That includes all end-to-end encrypted services which provide a web app (practically all of them). The author’s claims would, therefore, apply equally well to WhatsApp, Telegram, Wire, Tresorit, Threema, etc.
We use Tarsnap to back up laarc periodically.
If tarsnap were a webapp, we wouldn’t trust it. It’s too important.
Your mail can sometimes be used against you. This is rare. Most people care about not leaking their sultry notes, personal thoughts written to others privately, and other private but not life threatening information. But there is already a fine system in place for that: you can’t beat Apple’s security team. I know from my time at Matasano just how seriously they take their work. Crucially, they also have internal political support for security, up and down the chain of command. This is also rare.
One of the counterintuitive aspects of security is that sometimes you are in a situation where you cannot have layers of defense. If one link in the chain breaks, this kills the security. If your decrypt routine is vulnerable to timing attacks or if you foolishly roll your own system without proving to yourself that it can’t break (in the cperciva sense of the word “prove”) and your exponents aren’t armored or your nonces are predictable or you forget to increment that one very-important counter variable during your encryption step (which even tarsnap once fell to), you’re screwed. There are no layers here. In these cases, you’re done for.
Look how carefully they’ve responded in the quoted text. The argument reduces to “yes, everyone knows it’s a problem.” And the fact is, they have no response other than to point to others in the same situation and say, “but you trust them. Why not us? Also we’re going to use the latest standards, whenever they come.”
There is a reason Snowden forced reporters to use GPG. He would have been tortured in prison had he failed. (Solitary confinement is one of the worst tortures, to some.)
We have no secure way of sending notes to others. Except... GPG. And it’s one of the most unsatisfying twists of fate that the GPG designers had no affordance or empathy for humans. Normal humans can’t use GPG. Snowden was almost horrified to discover that it was his only communication channel, yet he could not coax anyone to humor him and put in the N hours to set it up.
And it’s easy to see why. You aren’t Snowden. I’m not Snowden. And if you’re someone Snowden was hoping to talk to, you likely would have received nutcase emails >98% of the time, had you set up a GPG channel.
The world needs a better answer. If you’re a young upstart hungry to make a name for yourself, this is worth pursuing. Standards committees won’t yield secure apps users love.
You don’t need to be as smart as cperciva. You just need to respect how easy it is to fool yourself. But once you do that, you’ll find it’s possible to do beautiful work.
At least, beauty that will be recognized.
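The un-incremented counter failure mentioned in the comment above, as an added example that is not part of the original thread and is not Tarsnap's code. It uses HMAC-SHA256 in counter mode as a stand-in for AES-CTR; `Sender`, `reused_nonces`, `run` and all sample values are constructed for illustration.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """CTR-style keystream: PRF(key, nonce || block index), truncated to length."""
    out = b""
    for i in range((length + 31) // 32):
        msg = nonce.to_bytes(8, "big") + i.to_bytes(8, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Sender:
    """Encrypts messages under one key; increment=False reproduces the bug."""
    def __init__(self, key: bytes, increment: bool = True):
        self.key, self.nonce, self.increment = key, 0, increment

    def seal(self, plaintext: bytes):
        nonce = self.nonce
        if self.increment:  # the single line the buggy path forgets
            self.nonce += 1
        return nonce, xor(plaintext, keystream(self.key, nonce, len(plaintext)))

def reused_nonces(records) -> set:
    """Audit check: nonces seen more than once under the same key."""
    seen, dup = set(), set()
    for nonce, _ in records:
        (dup if nonce in seen else seen).add(nonce)
    return dup

def leaked_xor(records) -> bytes:
    """XOR of the first two ciphertexts; equals p1 XOR p2 if the keystream repeated."""
    (_, c1), (_, c2) = records[:2]
    return xor(c1, c2)

KEY = b"constructed-demo-key"  # constructed sample key
MSGS = [b"meet at the north gate", b"bring the blue folder!"]  # constructed

def run(increment: bool):
    sender = Sender(KEY, increment)
    return [sender.seal(m) for m in MSGS]

if __name__ == "__main__":
    for flag in (False, True):
        recs = run(flag)
        print("increment =", flag, "reused:", reused_nonces(recs),
              "keystream cancelled:", leaked_xor(recs) == xor(*MSGS))
```

With the counter stuck, the key never appears in the output yet the two ciphertexts cancel to the XOR of the plaintexts, which is why there is no second layer to fall back on here.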
"But there is already a fine system in place for that: you can’t beat Apple’s security team. I know from my time at Matasano just how seriously they take their work."
Didn't know you were at Matasano. Interesting. These comments about Apple security always confused me given the Mac was way behind Windows in security features for a long time. At one point, Eugene Kaspersky said Apple was 10 years behind Microsoft in securing their products. They were also lying to users saying it was "immune" to malware rather than targeted less due to low market share. The government evaluation rated all of them at EAL4, but Mac at EAL3.
They did get better over time, esp with iOS. It's just strange seeing one set of security professionals talk about how poor their security was while you mention their great internal security. Maybe your work was after they got their stuff together. I don't know. Security, except for personnel security, seemed like an alien concept to them when I reviewed them a long, long time ago. My favorite was some network service (can't recall) that let you log in as admin so long as you typed a password. Not the password: any password. It passed if it wasn't blank. :)
"We have no secure way of sending notes to others. Except... GPG. And it’s one of the most unsatisfying twists of fate that the GPG designers had no affordance or empathy for humans. Normal humans can’t use GPG. Snowden was almost horrified to discover that it was his only communication channel, yet he could not coax anyone to humor him and put in the N hours to set it up."
Yup, it's pretty sad. My counterpoint to Moxie on this subject was that the Snowden leaks showed the NSA itself feared GPG while they had hacks on all mobile platforms. They have a $200 million a year budget for breaking stuff. If it stops them, then we should use it. The problems were interaction with email clients and general usability. So, I simplified it. Start with a cheat sheet:
Then, either tell them how to or improve UI on generating keys, exporting them, and importing them. This is a critical step. Then, instead of emails, they just write stuff into a text file with a boring name, encrypt the text file with GPG, and email the encrypted file. Likewise, they receive an encrypted text file, decrypt it, and read it.
This is how I use GPG with the few people that I use it with. It's super simple. Just a bit tedious. I think it has high automation potential. Additionally, I use so little of GPG that lots of the code (attack surface) could be deleted in such a build. So, I think we need to stop teaching how to "use GPG" so much as "use GPG to encrypt and decrypt files." Turns a hard problem into a simpler one.
"The world needs a better answer."
One of the few people who listened to advice from high-assurance security on Schneier's blog was Markus Ottela. He factored Clive Robinson's and my suggestions into his program. Tinfoil Chat was a brilliant design that, with a professional implementation, might be NSA proof. Currently, it's written in Python since that's all he knew. A company like Galois could do a secure hardware/software version that's in one package looking like one device. Alternatively, they do the hardware instructions and firmware/software published openly for review. Then, 3rd parties build the hardware to decentralize it a bit.