brent timothy saner via plug on 10 Aug 2020 14:29:55 -0700



Re: [PLUG] news


On 8/10/20 5:09 PM, Thomas Delrue wrote:
>> "Encrypt everything all the time" is generally not a good stance to take.
> 
> I take issue with this and am of the opposite opinion: I think
> everything should be encrypted by default.
> 

In an ideal world where this expectation was designed bottom-up,
absolutely. But it isn't, and it wasn't.

>> Encrypt things that should be, like sensitive data? Absolutely. But
>> unquestioned enforced encryption is a generally bad idea because
>> encryption requires trust, which leads to either needing to verify every
>> single site or trusting a central authority. Which can then be a single
>> point of failure, technologically or politically.
> 
> So does not-encryption. In fact, that requires more trust, it requires
> trust with everyone in the entire universe, trust that they won't abuse
> the information they glean from looking over my shoulder.
> Sure, my trust might be misplaced, but even if it is, the compromising
> is limited in my encrypted communications with you. That misuse of trust
> can be compartmentalized.

This is incorrect. You treat plaintext comms with the implicit
*expectation* they're exposed to this, and therefore have extra
mechanisms in place to work around that. With encrypted communication,
the entirety of the trust is on the transaction itself. OpenSSL's CVEs
over the years should be enough to give pause and reconsider that
perhaps one should adjust how they view encryption.

> 
> Note that I'm not talking about HTTPS and the problems around the certs,
> just about the premise that "only sensitive things need encryption".
> 
> The thing is, I don't have any business looking at your comms, and you
> don't have any business looking at mine. With encryption being so
> 'cheap', why wouldn't I encrypt it? Why wouldn't I put something in
> place to make your life just a little shittier if you want to pry into
> my comms?

Because the scale of shitty-making you make to eavesdroppers or would-be
tamperers is directly inversely proportional to the ease of use for
those not familiar with the technology involved.

Ever try getting your grandmother to use PGP/GPG-encrypted email?

> 
>> You don't need to encrypt a website that's purely informational, for
> 
> Of course I do. Because you (as non-party in the conversation between me
> and the purely informational site) have no business looking at what I'm
> talking about with that server. That server might even be hosting
> multiple different sites, and in that case, using ESNI, you don't even
> know which site on that server I'm talking to. Because you have no
> business knowing that.
> 
> What is 'informational' to you, is deviant to another, and the decision
> is not yours to make when it comes to what /I/ find 'sensitive' and what
> I don't.
> What is innocent today, may be illegal tomorrow.
> 
> On top of this all, when you encrypt it all, you're making it harder for
> anyone to target everyone... just think about that for a while.

I might as well get guards, triple sets of locks, and half-inch steel
doors on my house because I don't know if that knock is the postal
worker, the neighbor, or an assailant.


Perhaps you misunderstand me.

*Ideologically*, I agree with you. Encryption should absolutely always
be an option, and be unrestricted by mandate. Its use should never be
questioned or assumed malignance or anything of the sort. Everyone
should have a right to privacy and integrity of data, and so forth. I've
been a pretty steady patron of the EFF for many years.

*Practically*, however, I take issue with "encrypt all the things
always, and fuck you if you disagree because we say so". In a *perfect*
world, things would have been designed to allow for this. But they
haven't, so it's incredibly short-sighted to just jump to the guns
without consideration of the issues it's going to present. (Like what
happened with DoH.)


> 
>> instance, unless it contains that sensitive data. It can of course help
>> with *ensuring integrity* of that data, but it's generally not without
>> its complications and a whole new can of worms.
>>
>> This proposal also complicates (needlessly, in many cases)
>> reverse-proxying and load balancing, it breaks numerous "upper"
>> protocols that rely on HTTP as a transport (but don't account for TLS
>> tunnelling), it breaks XSD validation, it complicates (if not breaks)
>> NATted LAN HTTP communication, and makes packet tracing/packet dumps
>> utterly useless for debugging. Just to name a few off the top of my head.
>>
>> A good example of this is the DoH hype. Now Comcast, with its arguably
>> quite questionable decisions regarding business ethics, is doing this:
> 
> Don't get me started on DoH... I'm not a fan to say the least.
> 

It is a direct result of the "encrypt all the things always" perspective
in practice.


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug