Author Topic: 24 Oktober hangout with Greg from OKTurtles raw unedited recording  (Read 2261 times)

0 Members and 1 Guest are viewing this topic.

Offline JoeyD

Curious whether arhag and greg had a "does okturtles/dnschain actually fix TLS mitm" argument?

Iirc Gamey also asked him about that. He did mention something about changes in the tls-protocol, but kinda dodged the issue when he was asked if he had contact with tls-devs or how that would be implemented. In the end what can be done on this level is limited, even-though you can alleviate some of the mitm attack-vectors with known endpoints and compromised hardware- and software manufacturers you can't do much about man-looking-over-the-shoulder-attacks (sorry don't know the official slang for that).

I also have my very strong doubts about his estimation on how rational the discussion with governments and the public at large will be on this subject.

I forgot to ask him about the differences with freespeechme. To bad you didn't record your skype talk arhag.

Oh, does anybody have any way of pointing Greg to these recordings? He might want to use them for his own promotional uses. I haven't checked the quality, but sound quality during the session seemed to be fairly good. I wonder what microphone he is using.

Offline arhag

  • Hero Member
  • *****
  • Posts: 1214
    • View Profile
    • My posts on Steem
  • BitShares: arhag
  • GitHub: arhag
Curious whether arhag and greg had a "does okturtles/dnschain actually fix TLS mitm" argument?

Yes, we chatted on Skype. Greg explained to me that the extension does modify the browser's TLS validation behavior similar to Convergence/FreeSpeechMe plugins (that wasn't clear to me in any of the literature I found available on the website). So that takes care of any MITM concerns. There is still a non-security-related concern regarding whether this extension can be ported over to other browsers like Chromium (much less IE and Safari, but those are closed source anyway).

By the way, I am glad JoeyD brought up the Squid approach during the hangout, which is an approach I advocated earlier in this post. That approach is backwards compatible with any browser, but unfortunately it would only be practical to run on a laptop/desktop (I don't think it is even possible to do on an unrooted/non-jailbroken smartphone). I mean it is possible to do with a separate trusted server, but it would have to be really trusted since it would have access to all the plaintext communication over the HTTPS connection.

Finally, the concern I had with regards to web site itself (not a MITM attacker) getting access to the plaintext before okTurtles encrypted it (or after okTurtles decrypted) was also addressed by Greg in the Skype chat. As I suspected he is using iframes to prevent the web site from having DOM access to the plaintext typed by the user, and only the extension javascript which is in its own browser sandbox can access the plaintext contents of that textarea element. The only remaining concern are "phishing" attacks, where the web site operator creates a textarea that looks like the okTurtles one (or maybe used some kind of invisible overlap to capture keys) to trick the user into typing the plaintext into an element that the web site can access through the DOM. Unfortunately browser security isn't really well designed to protect against these kinds of attacks, but I suppose the risk of them is pretty low anyway. If you need really sensitive communication, I would recommend that the encryption/decryption be done outside of the web page window, which of course becomes inconvenient.  The encryption of typed plaintext or decryption of copy-pasted cyphertext would be done in a separate program window that is managed by a trusted program running on your machine (utilizing the OS's traditional GUI mechanisms of establishing the relationship between the trusted program you are running and the windows in which you are typing the sensitive text). I suppose this can also be done in a separate window of a web browser as long as the browser's chrome clearly showed which trusted local extension had control over the window's contents (sort of like Chrome's app/extension shortcuts on the local machine).

« Last Edit: October 25, 2014, 03:14:44 am by arhag »

Offline toast

  • Hero Member
  • *****
  • Posts: 4001
    • View Profile
  • BitShares: nikolai
Curious whether arhag and greg had a "does okturtles/dnschain actually fix TLS mitm" argument?
Do not use this post as information for making any important decisions. The only agreements I ever make are informal and non-binding. Take the same precautions as when dealing with a compromised account, scammer, sockpuppet, etc.

Offline arhag

  • Hero Member
  • *****
  • Posts: 1214
    • View Profile
    • My posts on Steem
  • BitShares: arhag
  • GitHub: arhag
Thanks for uploading JoeyD.


Amusing side note. I was intently listening to the hangout when the topic of reimplementing TLS in a language other than C/C++ came up, and when gamey asked "What should it be implemented in?" I said aloud without skipping a beat "Rust". You can imagine the smile on my face when Greg said "Rust" as well immediately after. So +5% to taoeffect for that.

Offline JoeyD

Second hangout of the day with Greg Slepak of OkTurtles, about his project, DNSChain and possible use cases and integration in BTS/KeyID.

Ogg
Mp3
M4a/Aac
Flac