Encryption in Diaspora
One thing which has always been in the background in Diaspora but rarely seems to make it to the foreground. (Of course, there might be much discussion and development around encryption in the background, but I'm not aware of it.)
In a decentralised network, the existence of many pods run by many different people is one potential source of weakness from the point of view of data security. So far a lot of this seems to be taken on trust that no podmin is going to abuse the trust placed in them. (I raised two years ago the possibility of criminal gangs setting up rogue pods in order to harvest user data, and was told it was fine because all the podmins were really groovey people. That's fine in a tiny start-up, but as the network grows in size, it will become a more attractive target.)
I imagine encryption will include:
- encryption of data stored on a pod
- encryption of communications between pods
- encryption of notifications (emails and others)
- encryption of any chat/VoIP services built in
- encryption of data exported/imported as part of account migration
- and possibly others.
(The chat and migration ones are, I think, being dealt with on the discussions for those issues.)
As encryption is likely to become a more pressing issue as the network grows, and an attack of some sort becomes slowly more likely, I thought it would be a good time to start discussing the issue: whether it is really necessary (I think it is, but I may be wrong); what sorts of encryption are needed, and in what areas; what would be the best approach to use in Diaspora, and how to go about implementing it.
I suspect this is going to be one of those topics which require a lot of thought and a lot of work, so I propose setting up a working group dedicate to looking into this issue and reporting back, in the way L3MNcakes has proposed on this discussion on federation, if it is considered an issue that needs looking into at this time.
Of course, it's easy for me to say, as I don't have the technical expertise to actually be involved in working for this! But I'll do what I can to help. With this big and important issues, such as encryption, federation and so on, I suggest we use the DHQ account and other means open to us to advertise for people to take part in these crucial and large projects.
Rasmus Fuhse Sat 29 Jun 2013 7:08PM
@Justinthomas has had a nice fork that is able to encrypt private messages from user to user in diaspora in the webbrowser via Javascript. In fact, this works only for direct messages with only one recipient, status-messages are something very different. And yet it is a bit clumpsy for the user, but as a prrof of concept it works absolutely nice.
Flaburgan Mon 1 Jul 2013 2:07PM
@jonnehass
If your podmin is going to be rough, he'll simply put a sniffer on his server capturing your password as you login
Yeah, sure. Of course, we have to trust our podmin. But do we have to trust every podmins? That's really different.
@goob Currently, data are stored in plain text, that means that we have to trust our podmin and every podmins of every friends. The Diaspora* logic is, everyone trusts his podmin (so my friend trusts his podmin and I trust my podmin), and I trust my friend, so everything is okay.
Jonne Haß Mon 1 Jul 2013 6:33PM
@flaburgan the point is that with having your plaintext password he has the same access rights that you have, so he can see everything you can see. So that's the same situation we have currently, just with a lot more overhead.
Flaburgan Tue 2 Jul 2013 7:14AM
@jonnehass but my podmin has my password, but not the other podmins. There is a big difference between trusting one node or trusting the whole network. Is this possible to have to trust only your podmin, not the others?
Jonne Haß Tue 2 Jul 2013 7:23AM
When encrypting data when stored, the amount of information a podmin could see wouldn't change.
Think about until you got it or can prove me wrong.
goob Tue 4 Feb 2014 7:02PM
@jonnehass I've just noticed I never acknowledged or thanked you for your explanation, which was really useful. Apologies for that oversight.
Jonne Haß Wed 5 Feb 2014 7:16AM
No worries ;)
Christian Wiwie Fri 23 May 2014 3:43PM
I am agreeing here with @goob and @flaburgan .
@jonnehass I think people that are moving from facebook and Co to diaspora (like me) are doing so, primarily because of the privacy issues. Especially in these times. I think, to be successful, diaspora HAS to concentrate on the privacy thing, as with the other aspects it's far from the current feature set of e.g. facebook.
What is in your eyes the argument, that drives people away from facebook towards diaspora?
"Diaspora is about taking your data from cooperation, ensuring its value isn't exploited without you noticing.".
And I think, that you cannot ensure that with the current diaspora. If a company wants to crawl some diaspora data they just have to set up a pod, create some pod users, friend with ppl. on other pods and soon they will have collected data which they can sell. Or am I wrong?
But actually, this is the even smaller risk. Even worse, if somebody hacks an existing pod, preferably a big one, and collects all the unencrypted data from there. There are many bad ppl. out there. Storing the data unencryptedly and saying that this is OK for what diaspora is, sounds kind of naive to me (no offence), because such a hack will definitely happen at some point.
Now in times of NSA and PRISM. Ok, they can not read the transported data. But they can hack the pods. So, in my eyes its not the podmin who is the risk, who might have access to the unencrypted date on the pod, but every hacker who intrudes it.
So, to conclude. I would like to hear some real contra arguments, why it wouldn't be a good thing to incorporate this into diaspora. I don't think it would be easy to implement in an efficient way, but is that a reason to say no altogether? If performance on the pods is an issue, it might even be possible to make the encrypted storage optional on the pod, but then i as a user would like to be able to select, whether my data is transferred to unencrypted pods.
Jonne Haß Fri 23 May 2014 7:44PM
It's hard to impossible to properly implement and that alone should suffice as an argument. Let's face it, we currently don't have anybody with enough time and the required skill set to achieve this in any sane way contributing to diaspora. Anything we would do would be half-baked, make us look like amateurs even more and just create a false sense of security. Currently it's the podmins job to properly secure his system, encrypt his servers hard disks and have the wipe tools ready.
Jonne Haß · Sat 29 Jun 2013 7:47AM
I think Diasporas mode, encrypting the transport, is fine for what Diaspora is.
Diaspora is not for providing a ultimately secure communication channel. If you need that you're better of with things like PGP or OTR. Diaspora is about taking your data from cooperation, ensuring its value isn't exploited without you noticing.
Full and secure storage encryption simply isn't possible with Diasporas current model, without limiting the user experience a lot, at least. While you can encrypt all data with a private key that's encrypted by the users password and blablabla... that's simply wasted resources. If your podmin is going to be rough, he'll simply put a sniffer on his server capturing your password as you login. You can't be secure if the data is leaving your machine isn't encrypted so that nobody else than the recipient can decrypt it, and vice versa. Which currently is almost impossible to do for webapps.
Please note that we do already effectively block the friends of friends style social graph analysis. Only your home pod knows all your contacts, and even that doesn't allow to go beyond that one level. This is what the "you could also like" algorithms are based on in classical social networks.
So the real issue I see here is communication. Lets make clear that Diaspora is not meant as secure communication channel, it's not meant as the ultimate privacy machine. It's meant to save your data from exploitation, without limiting you too much in your user experience.