1998-10-16 - Re: FYI: More on WebTV security

Header Data

From: Adam Back <aba@dcs.ex.ac.uk>
To: pablo@microsoft.com
Message Hash: 5822c68b5cdaa4f096edfb2bcdfbd6324b7fa94262b6d00e898e1375e9638aec
Message ID: <199810160938.KAA13027@server.eternity.org>
Reply To: <v04020a51b24c4b244dc8@[139.167.130.246]>
UTC Datetime: 1998-10-16 13:12:54 UTC
Raw Date: Fri, 16 Oct 1998 21:12:54 +0800

Raw message

From: Adam Back <aba@dcs.ex.ac.uk>
Date: Fri, 16 Oct 1998 21:12:54 +0800
To: pablo@microsoft.com
Subject: Re: FYI: More on WebTV security
In-Reply-To: <v04020a51b24c4b244dc8@[139.167.130.246]>
Message-ID: <199810160938.KAA13027@server.eternity.org>
MIME-Version: 1.0
Content-Type: text/plain




Pablo Calamera writes:
> > Perhaps I am overly cynical, but I am guessing that they are
> > using SSL (TLS) from a web based email application on the
> > client to WebTV's servers. I presume email data is decrypted
> > at the servers, then re-encrypted to the recipient when she
> > uses the WebTV client to read email.
> 
> Close.  We could not even export SSL (TLS) with 128 encryption in
> this scenario.  We have a proprietary transport protocol that we use
> that employs 128 bit RC4.

Hope you are doing sensible things with RC4 -- sounds like you/webTV
group know what you are doing, but we have seen a lot of dumb things
done with RC4 by microsoft (and by others) in the last couple of
years.  Things like using the same key multiple times (doh!) etc.

Only it is worrying that they would refuse SSL (which is presumably
going to be 128 bit RC4) and make you design another SSL-alike
replacement which uses the same cipher and key size.  Perhaps they are
hoping that you will make subtle errors in a non-peer reviewed
protocol.  As you have given them your protocol spec (they require
this, so I presume you have), it may be that your export permission
hinges on a exploitable flaw they have found.  SSL went through a few
revisions before it got to be very secure.

The other crucial point is this: do you use a forward secret key
negotation alogrithm?  So that a court ordered demand for decryption
definately only gets traffic from that point onwards (and not all
traffic going backwards if the LEA has been unofficially recording all
the traffic to the user / all users).

> Partially true. We believe a major component of our security is indeed in
> the encrypted transport of your email from the service through the internet,
> through a leased POP to your box.  Our Privacy Policy and Terms of Service
> are available for your viewing.
>   http://webtv.net/home/privacy_text.html
>   http://webtv.net/home/tos_text2.html

Will look at those, thanks.

> > I am concerned that carefully constructed wording of
> > Microsoft's press release implies stronger email security
> > than really exists. I hope I am wrong.
> 
> We believe that with the level of encryption and the quality of our network
> operations that we have the best level of privacy protection for our users
> of any online service.  

That's a strong claim.  I don't think you provide as much privacy as
say Infonex (pay with cash, no ID required), ssh, use a nymserver,
anonymous web pages etc.  There are a few others with similar offers
also.

I wonder -- do you archive mail?  (As it goes in the clear through
your mail hub which the users are connecting to.)

> I agree that the carefully worded press release may imply more than
> what we got.  But we are very happy with this initial step.  It has
> taken a very long time just to get export approval for this
> architecture and we look forward to further relaxation of export
> controls so we can compete on even footing with our foreign
> competitors.

It does seem to be somewhat of a relaxation, and is potentially useful
at that.  For example Phil Karn said Qualcomm where refused use of
3DES between their US and an non-US office with only their own staff
using it, though this was a few years ago.

In all I am very pleased to see this being discussed.  Microsoft as a
norm does not get involved in answering it's critics (in other than
carefully spun press releases).  

Thanks!

Adam
-- 
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`





Thread