Vitanuova for 2001 October 18 (entry 0)


(No, not like opportunistic infection.) We've been having some discussions about Brad Templeton's opportunistic encryption idea, which is approximately based on using public key cryptography without PKI or formal key exchange or key verification. It gives you security against passive eavesdropping, but not against man-in-the-middle attacks. Brad argues that this is still worthwhile because man-in-the-middle attacks against public-key exchange in e-mail are rare, difficult, and expensive, and because most people's privacy can be invaded in other ways. In addition, doing away with key-infrastructure requirements would allow you to have a "zero UI" system, which Brad thinks could dramatically increase the number of people willing to use e-mail encryption, in that you could then have e-mail encryption without needing to know about it.

One scheme which is along the lines of what Brad has in mind is called Herbivore, and he also found one by the name of Passive Privacy System, or PPS.

It seems that doing away with key verification is a cryptographic heresy of the highest order: aren't we all supposed to be more worried, not less, about key exchange? Aren't we supposed to become more aware of the risks associated with even sophisticated uses of PKI? How can we throw away PKI, fingerprints, certificates, keysigning, and webs of trust altogether?

Brad's answer is more or less that these things are solving different sorts of problems: public key cryptography with something PKI-ish protects you against certain kinds of adversaries, and public key cryptography with automatic, unverified key exchange protects you against fewer adversaries, but still against all the adversaries most people are likely ever to encounter. (When was the last time someone even attempted an active man-in-the-middle attack against the average e-mail user? When was the last time a law enforcement agency, intelligence agency, or criminal had a motive, means, and opportunity to perform passive surveillance against such a user? I guess my answers to those questions would be "never" and "routinely".)

On the other hand, practical MITM tools are being published. dsniff was notable for containing convenient, practical, free MITM tools you can use against popular public key cryptographic protocols. If doing MITM is really becoming easier for attackers, won't it be more and more important to defend against it?

There's a real conflict between the effort to devise simple schemes which a novice computer user would feel comfortable using, and the effort to devise truly secure schemes which an expert would feel comfortable trusting.

Fred was talking about the conflict between the good system and the perfect system -- he regrets that people have held off on deploying good technology because they were waiting for perfect technology. This argues for a cost-benefit analysis, in which passive eavesdropping appears as a huge risk and active eavesdropping as a relatively small risk. On the other hand, frustratingly, we know how to solve active eavesdropping too! We just make everyone go to keysigning parties! We provide them with free beer and pizza!
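The trade-off in this entry, as an added example (not code from Brad's proposal, Herbivore or PPS): an automatic, unverified key exchange yields a shared key when the network only listens, silently yields two different keys when an in-path party substitutes its own public key, and an out-of-band fingerprint comparison is what reveals the substitution. The toy Diffie-Hellman group and the names `exchange`, `ActiveRelay` and `fingerprint` are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group (assumption, illustration only): far too small for real use.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def fingerprint(pub):
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]

class ActiveRelay:
    """Hypothetical in-path party that swaps its own public key into both directions."""
    def __call__(self, a_pub, b_pub):
        priv, pub = keypair()
        self.key_with_alice = shared_key(priv, a_pub)
        self.key_with_bob = shared_key(priv, b_pub)
        return pub, pub  # (what Bob receives, what Alice receives)

def exchange(relay=None):
    """Alice and Bob swap public keys automatically, with no verification step."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    to_bob, to_alice = (a_pub, b_pub) if relay is None else relay(a_pub, b_pub)
    return {
        "alice_key": shared_key(a_priv, to_alice),
        "bob_key": shared_key(b_priv, to_bob),
        # Out-of-band check (the keysigning-party step): each side compares the
        # fingerprint of the key it received with the one its peer reads out.
        "fingerprints_match": fingerprint(to_alice) == fingerprint(b_pub)
                              and fingerprint(to_bob) == fingerprint(a_pub),
    }

if __name__ == "__main__":
    quiet = exchange()
    print("listener only: keys agree =", quiet["alice_key"] == quiet["bob_key"],
          "| fingerprints match =", quiet["fingerprints_match"])
    relay = ActiveRelay()
    swapped = exchange(relay)
    print("key substituted: keys agree =", swapped["alice_key"] == swapped["bob_key"],
          "| fingerprints match =", swapped["fingerprints_match"])
```

Without the fingerprint comparison, neither endpoint in the second run has any signal that its key is shared with the relay rather than with its peer.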




Contact: Seth David Schoen