[cryptography] The Compromised Internet

Bill Stewart bill.stewart at pobox.com
Wed Sep 25 18:16:44 PDT 2013


At 01:07 PM 9/25/2013, John Young wrote:
>Now that it appears the Internet is compromised what other
>means can rapidly deliver tiny fragments of an encrypted
>message, each unique for transmission, then reassembled
>upon receipt, kind of like packets but much smaller and less
>predictable, dare say random?

Fundamentally, what you're asking for doesn't make sense.
Threat models are about economics, scale, and mistakes,
and even if we don't have security bugs, we still have economics.

The internet is designed to be a system that lets everybody
in the world talk to everybody else, without pre-arranged connections,
with enough bandwidth to say the things they want to say
(e.g. watch cat videos on YouTube funded by advertising.)

Spread-spectrum radio is great for short distance concentration;
we most commonly use it in wifi or cellular phone technologies,
but then that data gets concentrated by long-haul fiber and routing providers.
Content traditionally gets handled by end users, but in practice
by a bunch of service providers who have economies of scale
that provide concentrated data to advertisers or low operating costs.

The recent internet security attacks have been based on scale,
though they've sometimes taken advantage of security mistakes as well.
Endpoint service providers can be forced to give up content and addresses;
transport service providers can be forced to give up address pairs,
traffic volumes, and sometimes end user identities, and in some cases
can also be forced to divulge content.

You have to fight scale threats with scale defenses.
If you want to get security at vaguely current internet prices
(e.g. tens of dollars per mbps per month instead of thousands),
you'll still need to piggyback on the existing infrastructure.
So you'll need to do encrypted tunnels over it,
with lots of endpoints (to make traffic analysis harder),
limited information visible to the endpoints,
and ways to make compromising endpoints harder.
That means technologies like TOR and remailers,
and one of the risks is finding that half the TOR nodes
are actually run by the KGB/FBI/other attackers.
The way to change scale is to move from communications networks
that can be wiretapped wholesale to types that can only be
wiretapped one at a time (e.g. 1024-bit DH PFS is better than
subpoenaable reusable 2048-bit RSA keys.)

You can do some jurisdictional arbitrage, if you know that the
NSA not only won't be wiretapping your server in Europe,
but also that they won't be trading favors with the local European spooks.
But it seems like that's a mug's game these days.

None of that means that it wouldn't be fun to build UUCP-over-IPSEC,
but if you and your buddy Bob are the only two users,
it's still susceptible to traffic analysis.
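The "wiretapped wholesale vs. one at a time" point above is the forward-secrecy property. The following added illustration (not from this thread, and not a real protocol) models it with finite-field Diffie-Hellman over a runtime-generated 256-bit prime, sized for a quick demo only: the "reusable key" side is a server that uses one long-term DH key for every session (standing in for the reusable RSA key Bill mentions), the PFS side uses a fresh key per session. An eavesdropper records every exchange and later obtains the long-term private key; the count of recovered sessions is what differs.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=32):
    # Miller-Rabin; only used to pick a demo modulus at startup.
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(n):
            return n

P, G = random_prime(256), 2   # constructed demo group, far too small for real use

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    # Shared secret g^(ab) mod P hashed into a symmetric key.
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(32, "big")).digest()

def run_sessions(n, ephemeral):
    """n clients each talk to one server; returns the wire-visible client public
    values a wiretap records, the true session keys, and the server's long-term
    private key as a later subpoena would yield it."""
    lt_priv, lt_pub = keypair()
    recorded, true_keys = [], []
    for _ in range(n):
        c_priv, c_pub = keypair()
        # PFS mode: fresh server key per session, discarded afterwards.
        s_priv, s_pub = keypair() if ephemeral else (lt_priv, lt_pub)
        true_keys.append(session_key(c_priv, s_pub))
        recorded.append(c_pub)
    return recorded, true_keys, lt_priv

def sessions_recovered(recorded, true_keys, subpoenaed_priv):
    # Record-now, decrypt-later: how many stored sessions the long-term key opens.
    return sum(session_key(subpoenaed_priv, c_pub) == k
               for c_pub, k in zip(recorded, true_keys))
```

With the reusable key every recorded session is recovered; with per-session keys the subpoenaed key opens none of them, which is why the scale of a wholesale wiretap collapses to one session at a time.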
