Join 3,520 readers in helping fund MetaFilter (Hide)


Pond, et al.
January 21, 2014 7:46 AM   Subscribe

Pond provides end-to-end encrypted forward-secure asynchronous messaging that uses Tor to resist traffic analysis, i.e. metadata collection (threat model, technical, github).

Pond's GUI presumably works well under Linux, but I found the CLI fares better under Mac OS X currently. At present, no Windows version exists.

Pond is afaik the only protocol that offers both forward-security and resistance to traffic-analysis :

Off-the-record messaging layers end-to-end encryption with strong forward-security over existing IM protocols like Jabber/XMPP, GTalk, Facebook chat, AIM, etc., but not Skype. ZRTP provides similar functionality for VoIP communication. Jitsi, Adium, and other multi-protocol clients provide mature support for both OtR and ZRTP.

Their forward-security makes OtR and ZRTP preferable to Email with GnuPG or PGP. Of course, GPG encrypted Email is vulnerable to traffic analysis as well. Yet, they're vulnerable to traffic analysis at either the network or server. Implementation I've used could not provide asynchronous communication, although presumably support could added, albeit perhaps with a warning.

Previously, TorChat resists traffic analysis but cannot provide asynchronous communication and lacks forward-security.


There are several interesting new tools for more public communications too, such as microblogging and group chat, where forward-security is arguably less stringent.

"Bitmessage is a decentralized, end-to-end encrypted, peer-to-peer, trustless communications protocol that can be used by one person to send encrypted messages to another person, or to multiple subscribers." Bitmessage appears relatively fast and stable, but possess several weaknesses, including a lack of forward-security. (demo, wikipedia, subreddit, Email gateway, github)

Similarly, "Twister is a fully decentralized peer-to-peer microblogging platform" designed to provide censor-resistant public posting. Twister end-to-end encrypts private messages, but offers no forward-security or resistance to traffic-analysis. (wired, faq, whitepaper, subreddit, github)
posted by jeffburdges (24 comments total) 32 users marked this as a favorite

 
Dear God, please don't use Pond for anything real yet. I've hammered out nearly 20K lines of code that have never been reviewed.
posted by pracowity at 7:51 AM on January 21 [4 favorites]


Up with this sort of thing.
posted by GallonOfAlan at 7:51 AM on January 21 [3 favorites]


Absolutely pracowity. You should use OtR IMs if you need forward-security right now.

In fact, I forgot completely that running OtR IM over Tor gives you traffic-analysis resistance against nations that dislike the U.S. like Iran, Syria, maybe China, etc. Ain't so hard to do even, just run your IM client inside Tails. Tor/Tails won't stop the NSA, FBI, etc. from doing traffic-analysis at Facebook's server however.
posted by jeffburdges at 8:04 AM on January 21


Very interesting, but I've seen a lot of "interesting" stuff over the years and it seems to make it to a 0.1 or 0.2 pre-alpha release and then die out when the developer behind it decides to scratch some other itch.

The problem isn't designing cryptography or even secure messaging frameworks. The design stuff is pretty well-understood by now. The problem is actually getting tools that support it out into the hands of users and getting them in use, so that network effects take over and you can't identify people of interest just because they happen to be using encrypted communications of some sort.

OTR Messaging probably has the biggest installed base of any perfect-forward-secrecy / encrypted messaging product, by virtue of being part of Adium by default. If you enable OTR and chat with someone else using Adium, your chats can be encrypted without having to do anything else. And I think it's great that they treat encryption as a core feature rather than a bolt-on afterthought is refreshing. (Contrast Pidgin, which requires you to install a plugin for OTR, which most users won't ever do, and is the unfortunately typical way of dealing with anything encryption-related.)

What we need isn't standalone products or apps, but for well-designed encryption to be baked in to commonly-used software (or even the base protocols), available and enabled by default, for everyone. I'd like to believe that maybe the NSA issues will get developers focused on security and encryption again, rather than leaving it only as the province of cypherpunks and activists.
posted by Kadin2048 at 8:21 AM on January 21 [8 favorites]


This is interesting. Thanks for posting it.
posted by double block and bleed at 9:21 AM on January 21


Very interesting, but I've seen a lot of "interesting" stuff over the years and it seems to make it to a 0.1 or 0.2 pre-alpha release and then die out when the developer behind it decides to scratch some other itch.

The problem isn't designing cryptography or even secure messaging frameworks. The design stuff is pretty well-understood by now. The problem is actually getting tools that support it out into the hands of users and getting them in use, so that network effects take over and you can't identify people of interest just because they happen to be using encrypted communications of some sort.


Agreed. This is just damning:

Pond's GUI presumably works well under Linux, but I found the CLI fares better under Mac OS X currently. At present, no Windows version exists.

The great task before us is usability, with secure defaults and safe erroring. Encrypted communication is hard enough as it is, without making software that requires using it in a precise way or you may as well be encrypting with ROT13.

The main problem with that is that secure open source software with good usuability is usually the province of large corporations, and given the current environment, we can't really trust them, nor is there a business case for making said software. If we could trust an organization we could just have a standard PKI, and let them deal with the certs.
posted by zabuni at 9:26 AM on January 21 [2 favorites]


Twister can be used in conjunction with TOR, and should be.
posted by Slap*Happy at 9:29 AM on January 21


It occurs to me I don't even vaguely understand the technotalk in this thread. I read about Tor but I don't know enough about any of it to protect my privacy. My privacy is important because say getting a state job, might mean I get hacked by the agency looking for a hire and they read my private stuff and decide I am not their cup of tea, well more like their can of Diet Coke. The truth is I can't protect my privacy at all. I can only do that by being as unimportant as one cod in a school of millions. I am not going to be that, however. The web was created by and for gathering information while creating it. For a while it was much freer than its creators hoped for, now they will chop off the bottom feeders by making it more expensive to use. But then again, they will find they can't do that, because they hope to mold opinion and create instability in the bottom tier, if they truncate that then they wreck their own plans. I don't like giving it all to them, so they have to work a little bit, but our finances are naked out there walking around on any day, any platform, since this is a society built around capital, then isn't that the whole bag of lard?
posted by Oyéah at 9:37 AM on January 21


word, zabuni. 'Trusted certificate authority' my ass.
posted by j_curiouser at 9:40 AM on January 21


It occurs to me I don't even vaguely understand the technotalk in this thread.

That's OK - we're still in the toolbuilding stage, and the FOSS folks are finally getting their act together on the UI front. When it comes time to roll these new technologies into something usable by everyday folks, it will be awkward but painless, much like Firefox, and with enough killer features to make the proprietary world scramble to catch up or sweat to keep ahead.

This stuff will be ready for primetime in the 2015-2016 timeframe,and start building a userbase slowly but surely. Eliminating the need for expensive server infrastructure automatically puts the commercial entities already in place at a competitive disadvantage, and idiocy like the end of Net Neutrality and NatSec Letters will drive a stake in it.

Twitter, for example, has to pay for servers =and= bandwidth coming and then again for bandwidth going, and they also need to narc you out to the Feds. Twister just needs spammers or trolls to mine namespace.

Right now the performance balance in the US has tilted back from the network and towards node - speeds have stagnated and are artificially capped, and almost everyone has a slab in their pocket that's got immense processing power and gigabytes of local storage. This actually bodes well for privacy - decentralization always benefits the user. We're going to see a decentralization of "cloud" services, and it will need to be driven by FOSS, as there's not much of a business model there, yet great demand.
posted by Slap*Happy at 11:04 AM on January 21


(FOSS = Free, Open Source Software. Linux and Firefox and VLC and the like.)
posted by Slap*Happy at 11:05 AM on January 21


Umm, "insecure defaults or unsafe errors" are usually issues with overlay cryptography like OtR and GnuPG, zabuni. In fact, avoiding the "insecure defaults" in these overlay protocols is the only reason using "secure open source software [might be] the province of large corporations".

Any protocol entirely designed around security avoids those pitfalls within whatever threat model the designers actually address. And forward-security is precisely about mitigating the damage caused by machines being compromised in the future.

As an aside, Adam Langley fixed the crashes I initially encountered, caused by not installing aspell-dict-en under macports.

Also, if you want to connect over pond then send me a shared secret via mefi mail.
posted by jeffburdges at 11:33 AM on January 21


Twister looks interesting, but why the fuck does everything have to be the micro-blogging/stream metaphor? I'm still waiting for my p2p/decentralized LJ style system. I suppose that'll never end up happening :(

Of to read more about OTR. I have heard of it over the years, but I'm still confused as to what it means, exactly.
posted by symbioid at 11:37 AM on January 21


Could my mum install and use it?
posted by scruss at 2:03 PM on January 21


jeffburdges: Looking through the user guide, I come upon this:

The state file should not be copied. Pond depends on the ability to delete past information and making copies of the state file may allow information that should have been deleted, to be recovered. Additionally, Pond is not designed to operate concurrently on multiple computers.

After setting the passphrase (or not), you may be prompted to setup TPM storage if your computer has a TPM chip. Pond depends on being able to erase old information but it is not clear how well modern computers, using SSDs or log-structured filesystems, are able to erase anything. Without some form of special storage, such as a TPM chip, it may be possible to recover “deleted” messages given the passphrase.


Let's see, don't copy this one thing, even though people usually have a habit of creating multiple copies of important files. And god help you if you have any type of raid or backup system running in the background.

WARNING: A manual key exchange message must be confidential as well as authentic. The key exchange message contains an authorisation key that allows the contact to send messages to you as well as public key material. Thus you must exchange it in a confidential as well as authentic manner. Don't put it on pastebin.

Or email it, unless you use (another!) encryption system, or use IM, unless using OTR.

In the interests of practicality, it's pretty secure to exchange a shared secret over IM or email.

I lack words to express how I feel about this sentence. I know that Pond is not really meant to fight against someone with the means and reach of the NSA. But there are already enough ways to screw this up. And the more people you communicate with, the more likely one of them will screw up.
posted by zabuni at 3:04 PM on January 21 [1 favorite]


I've honestly no idea why pond even supports manual key exchange, never use manual. There is minimal risk doing shared secret key exchange because your shared secret is no longer sensitive after the key exchange is complete :

Adam Langley's Phrase Automated Nym Discovery Authentication (PANDA) depends upon the shared secret to establish a "meeting point" and secure the Diffie-Hellman based key exchange (EKE2), which creates a shared key that math folks believe an eves dropper cannot discover.

If an attacker knows the shared secret, they could man-in-the-middle the key exchange, but the victims would discover this if they ever compare public identities or if the attacker dropped their attack. Anyone who knows crypto would compare public identities early, just like with OtR.

Can the NSA, etc. just man-in-the-middle non-crypto savvy people? No. Anyone might learn more later, or a warrant might expire, but the attack remains an exposure risk forever. Worse, the NSA would not necessarily know if their attack is compromised, thus creating a perfect "double agent" like channel.

In short, you're safe enough sending your shared-secret through email, mefi mail, etc. because "double agent panda" takes notes that'll expose their surveillance so you can flee the country, feed them disinformation, etc. And targets fleeing the country or providing disinformation gets agents fired. ;)
posted by jeffburdges at 4:26 PM on January 21


Just fyi, Pond and OtR both use "ratchet" algorithms also based on Diffie-Hellman key exchange to expose an attacker hacks your connection only temporarily, say by hacking your system.

Do you know what's absolutely scandalous? Browsers aren't enforcing HTTPS whenever possible by default. Most web servers still don't support HTTPS. And most web servers that support HTTPS use only simply RSA key exchange, not a Diffie-Hellman based key exchange like ECHDHE.
posted by jeffburdges at 4:46 PM on January 21


That's changing and quick. "Zero Trust" is the new buzzword now that there are Next Generation Firewalls™ built on open source components that can keep up with 10Gig-E at line speed with off-the-shelf 1u x86 servers. (Well, Zero Trust and SDN. SDN is going nowhere as programmers are expensive, CCNA's are cheep, CISSP firewall guys not cheep at all, programmers who are also CCNA's and CISSP's are way the fuck out the budget unless you're Googlebookterhoo-in.)

The gist of it is, new school firewalls kill unencrypted sessions dead, or are kind to the poor overburdened servers, and encrypt that shit for them before it leaves the collision domain, to be decrypted at the 100Gig-E port at the other end of the connection by the magic of proprietary ASICS! This is all east-west network, too... server-to-server. It going to be unthinkable to talk host-to-host in the clear soon, north-to-south/client-server to the point where it will be considered an attack signature and filtered.
posted by Slap*Happy at 6:57 PM on January 21


Could my mum install and use it?

If you're talking about the average computer user and not your actual mum who happens to be head computer scientist at a government research lab hidden beneath Oxford, then probably not.

I'm still waiting for tools that are that simple to install and use and that work with what people already know. For example, gazillions of people use Gmail, so work with that. Make a plugin that implements strong encryption in (on, under, around, whatever works) Gmail that everyone can switch to with little or no effort (click install and wait) and that doesn't make it hard to send or receive mail: open the usual edit window (or what looks like the usual edit window), type a message, and click Send. And your friend can just as easily and automatically receive and read it. Then encourage everyone everywhere to automatically encrypt every message they send, just as a matter of course. Make the snoops at least have to do a little work for their pay. Google should be implementing this itself.
posted by pracowity at 6:24 AM on January 22


  not your actual mum who happens to be head computer scientist at a government research lab hidden beneath Oxford

Damn, that would explain all the time she spent away from home “flower arranging”. And her mad Tetris skillz.

But yeah, the ease of use thing. I barely remember how to use gnupg every time I have to use it. If only network and security geeks were better able to explain why we needed these things (viz: encryption, Y2K, IPV6) we might actually have them in usable forms.
posted by scruss at 11:52 AM on January 22


cryptocat usability study [has found that] users panic at the word "fingerprint". @bcrypt
posted by jeffburdges at 5:50 AM on January 25


ritter.vg : Initial thoughts on Pond
Hacker News : Adam Langley's Pond
posted by jeffburdges at 7:40 PM on January 25


r/decentralisedinternet
posted by jeffburdges at 7:27 AM on January 27


Just a like that appear relevant to traffic analysis resistance :

You Know Who Else Collected Metadata?
"the Stasi files are an important reminder of what a repressive regime can do with so little information"

And of course we're targeting drone strikes by metadata.
posted by jeffburdges at 11:21 PM on February 13


« Older So, why was there a ten year long winter starting ...  |  That’s the latest gambit in th... Newer »


This thread has been archived and is closed to new comments