Trust and DE
[Note to readers: Robert Martin and I have been having a blog2blog discussion about what he terms digital existence. You can see the start of the conversation here.]
You raised one point in your last post that fascinates me - audited Internet services. Before I get to that, let me dispense with a couple of other discussion points, in no particular order.
Regarding Hushmail you wrote,
"Since I am paranoid about my personal information, a better solution for my web mail might be something like Hushmail, which both Chris and I have used in the past. I stopped using Hushmail because you did, Chris, so maybe you can explain why you stopped using it."
[Crypto and DE, The Life and Times of Robert W. Martin. October 2, 2007]
This question really takes me down memory lane. Not only does it remind me of many years as a Hushmail user, but it also reminds me of what remains to this day my two most popular blog posts ever. This pair of posts on security and AJAX in March of 2005 still garners a few hits daily according to my vanity web monitoring. These posts have even been cited, somewhat unflatteringly, in an IEEE conference address by Michael Sonntag, and in the O'Reilly book Ajax Design Patterns in connection with the Host-Proof-Hosting pattern. It is kind of cool as it is the only time in my life that my name is going to appear inside of an O'Reilly book other than when I scribble my name inside my own copies. In these posts, I discuss a general solution to using AJAX to provide cryptographic services, including digital signatures and cryptographic timestamps, to web applications. I also dissect the Java applet-based architecture of Hushmail as an illustration.
Anyway, why did I stop using Hushmail? Two reasons. First, the Java applet-based version of Hushmail that was available in those days (now they have a version that does not require Java) did not work through most corporate firewalls, which was a serious inconvenience to me. Second, from a pure usability standpoint, other less secure email services such as Gmail, Yahoo Mail and Hotmail all left Hushmail behind in the dust. Still, it is fascinating that with the Java applet version of Hushmail, even the lead Hushmail sysadmin could not decrypt my email. I have to claim ignorance on how the non-Java version of Hushmail operates.
You also wrote,
"Your differential risk analysis did a good job pointing out that the two areas of concern are the mail client and the mail server. I agree that a well-chosen mail client and a well-chosen browser are arguably equivalent from a security point of view. The issue that comes to mind though is that your DE access point of choice might not offer a well-chosen browser."
[Crypto and DE, The Life and Times of Robert W. Martin. October 2, 2007]
Upon reflection, I missed a jarringly crucial point because my analysis factored out threats that are common to both scenarios under discussion: forget the mail server, can you trust your access point? From keystroke loggers to corrupt Java virtual machines, the permutations of potential threats to your privacy and security at the access point are countless. Cryptography has great potential to protect your messages across untrusted networks, and even on untrusted mail/data servers, but the access point is your encryptor/decryptor! How can you rely on cryptography when your encryptor/decryptor cannot be trusted?
Perhaps you have already suggested the answer in your previous post, "Someone like Gmail could help assuage my fears and increase my level of trust with them if they offered an audit service." If we take this notion one step further, you could also have audited Internet cafes or even audited shared workstations at the office. This workstation audit could provide some assurance that the workstation is free of malware, has no hardware keystroke loggers installed, and that the browser(s) and OS seem to be standard and unmodified at a certain patch level.
Similarly, your idea of audited webmail servers, and by extension other servers as well, is brilliant. One can imagine webmail and remote storage firms providing audited personal information access logs, and submitting periodic security audits and operational audits which would be published by trustworthy auditors in the public domain for all to scrutinize. (Note: I have always felt that credit bureaus ought to operate this way as well, but that is another topic.)
How would this be done? Who would the auditors be? Is there enough market pressure to compel webmail firms to submit to these invasive audits?
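One possible mechanism for the audited personal information access logs imagined above, as an added example that is not from the original post or from any provider: each log entry is hashed together with the digest of the entry before it, and the final digest (the head) is what an auditor would publish. The function names, field names and sample entries are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed fixed starting digest for the chain


def entry_digest(prev_digest, entry):
    """Hash one log entry together with the digest of the entry before it."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_digest + body).encode("utf-8")).hexdigest()


def seal(entries):
    """Provider side: attach a running digest to every entry.

    Returns (sealed_log, head); the head is what the auditor would publish.
    """
    sealed, prev = [], GENESIS
    for entry in entries:
        prev = entry_digest(prev, entry)
        sealed.append({"entry": entry, "digest": prev})
    return sealed, prev


def verify(sealed, published_head):
    """User side: recompute the chain and compare with the published head.

    Returns (True, None) when intact, else (False, index) of the first bad
    record; index == len(sealed) means the records are self-consistent but
    do not end at the published head (truncated or wholly re-sealed log).
    """
    prev = GENESIS
    for i, record in enumerate(sealed):
        prev = entry_digest(prev, record["entry"])
        if prev != record["digest"]:
            return False, i
    if prev != published_head:
        return False, len(sealed)
    return True, None


# Constructed sample entries, not real provider data.
SAMPLE = [
    {"ts": "2007-10-03T09:12:00Z", "actor": "owner", "action": "read", "mailbox": "alice"},
    {"ts": "2007-10-03T11:40:00Z", "actor": "support-17", "action": "read", "mailbox": "alice"},
    {"ts": "2007-10-04T08:05:00Z", "actor": "owner", "action": "send", "mailbox": "alice"},
]
```

A chain like this only shows that the log was not edited, reordered or cut short after the head was published; it cannot show that the provider recorded every access in the first place, which is where the auditor's inspection comes in.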
Photo by: michele pedrolli