thefoundation

Diaspora — Can the Social Graph be Our Web of Trust?

2010-08-23T01:30:22Z

On Friday we had Max, Ilya and Raphael from Diaspora over at Mozilla. They talked about their effort in creating a distributed social network. Where I think they are on the right track, and where they should think even bigger.

Why we need Diaspora

Personally, I see three major challenges that everyone passionate about the open internet needs to make up their mind about:

The erosion of Net Neutrality
Participants switching to closed environments of apps and appliances, becoming mere consumers (*)
People entrusting their personal data and social activity to Facebook, forced to choose between control and connectedness

In the context of the Diaspora talk, I’ll focus on the third issue.

We need Diaspora because people need to be in control over with whom they share personal information. Every time Facebook sneaks in a new default that breaks privacy, we grudgingly change the settings again — and stay, not wanting to lose our friends. Or we just don’t know about it and leave it as it is. Combined with the social monopoly that Facebook has established, this makes privacy and security optional features, subject to change like any other.

How Diaspora can help already

The main distinguishing factor of Diaspora compared to Facebook et al. is in that it decouples your social graph from the network provider, bringing back real competition to the social space. Like with E-Mail, there can be lots of network providers, loosely connected over push-interfaces. Whenever a pod (the equivalent to an e-mail-provider in Diaspora) should violate your trust, you can just switch to another one, or set up your own pod.

What could be done better

On the downside, this means that you have to trust your pod as well as all your friend’s pods. No big deal? Well, where the same server software is used on a distributed network, it is very prone to exploit of vulnerabilities due to patch delay and misconfiguration (correctly setting up TLS is still a big challenge, not only for regular people).

Secure HTTP is great when a large, anonymous group of people needs to trust a central service. It allows us to do online banking and purchases, free from eavesdropping and man-in-the-middle attacks. However, it is not peer-to-peer: When you fetch your mail over a secure IMAP connection, you might be sure that your password is protected, but you do not know who actually sent you that e-mail (think about it: that is the reason why phishing works). When you get it from Google Mail, you might be using TLS, but Google is still able to read your every conversation.

How PGP can solve this

I propose that Diaspora pods should be dumb post boxes that are not able to actually look into status updates, private messages, friend lists and so on. How? The technology for that has been available for quite some time and is called PGP.

Basically, PGP allows you to send and receive messages that cannot be decrypted by the servers that route them. So, if you were to encrypt your message inside your browser, you would establish secure end-to-end communication. No need to trust the shady pods that some of your friends decided to use, not knowing any better. But encryption in a web client? That sounds awfully slow! Well, Firefox Sync does it already with your entire browsing history (the pass phrase to your key is never sent to the server), and I would imagine that JavaScript interpreters have become fast enough to emulate the cryptographic capabilities of a PC from 1991.

I do have ideas on how to approach search and incremental profile updates with this, and on the new security considerations that apply here (Can you always trust your browser? Could a pod not make you use an insecure web client that transmits your passphrase?). However, that is rather technical, possibly material for a follow up post.

The social network is a key signing party

The problem with PGP has always been that people have been unable to exchange public keys in a manner that is both trustworthy and extensive. Because a web of trust can often not be established, people refrain from using encrypted e-mail. Turns out that social networks come with a mechanism that is just made for this: Friending. In the secure social network, accepting a friend request would be equivalent to exchanging keys. Usually you are referred to friends from people you already know, so there already is a basic level of trust.

This means that online social networks can be transformed from a jeopardy to our security to a vehicle of the same. This idea is of course also not entirely new. What might be new is the idea of building the social web entirely on top of PGP rather than just integrating that as an optional feature.

Any Comments?

I have not gotten around to add Commenting or Pingback to this blog, but I would love to incorporate any (links to) comments in a follow up post, please write to michael at this domain.

Update:

If I understand correctly, the diaspora guys are already planning to use GPG for cryptography somewhere. This is a pretty good start. If they really already plan on generating keys for everyone, then they would only need to pull the actual encryption into the web client.

(*) Like any intern at Mozilla I had the opportunity to to talk to John Lilly, and I got the impression that Mozilla takes this development very seriously.

Operation e-mail

2008-10-20T14:51:04Z

E-mail communication is great …if everybody plays by the rules! A synopsis why encrypting is important and html e-mails are evil.

Why the e-mail is dying

The communication medium e-mail's advantages is the fast and easy delivery – nowadays actual worldwide. Also as a mode of group communication e-mail has great potential which in practice is rarely exploited. Though modern spam filters and mail applications made progress in handling our mail routines undesired mails still bother. In this case I do not want to constrain undesired to spam mails, also newsletters or mailing list mails may be of low interest in our daily routines.

Ways to improve our e-mail workflows

Todays mail applications (online as well as offline) have powerful possibilities to filter and sort out incoming mail. This way you can create various inboxes to sort out priorities – at least for the moment. Furthermore you can organize your newsletters in subfolders. As for me, I am subscribed to several interesting newsletters but, honestly I read them sporadically and stacked. The smart filter capabilities are also useful to sort out e-mails of certain topics in mailing lists.

IMAP is a nice way to keep your e-mails available everywhere. Maybe you have the possibility to redirect all your mails to one central mail account. This way you have all your e-mails gathered at one place, automatically filtered by recipient and moved into certain folders you have the possibility to keep different inboxes for different e-mail accounts. Thunderbird and Apple Mail as well as the web-based e-mail application Horde additionally provide the feature of identity management!

But, pst, do not tell anyone so nobody will play fast and loose with it!

Sounds a bit like conspiracy and agents! This way you are able to send e-mails from one account but use different e-mail addresses. Every mail is stored in one IMAP sent folder – no recipient will ever notice you using another e-mail address!

Fine, but where can I configure these identities?

Just a short overview on how to configure these so-called identities in: Thunderbird, Apple Mail, Horde.

Thunderbird: In the menu choose Tools → Account Settings → [account name] → Manage Identities → Add. The rest should be pretty self explanatory.
Apple Mail: Again use the main menu to choose Preferences → Accounts → [account name] → Account Information → e-mail address and insert here a comma separated list of the different e-mail addresses you are going to use.
Horde: After logging in into your web front-end of Horde mail select Options → Personal Information → Edit your Identities. Again, the rest should be self explanatory.

Who is interested in your e-mail?

e-mails provide a lot of possibilities to address e-mails to recipients. There is the to field, the carbon copy- and the blind carbon copy field. Make use of them! It is very convenient, knowing to be directly addressed by an e-mail or just be informed what is going on – be it the scheming way or be it the normal carbon copy way!

HTML e-mails are evil

Some people apparently have giant displays with outrageous low resolution, or they are using magnifying glasses sitting in front of their screens. Otherwise I cannot tell why this Comic Sans comes so damn small and blurry onto my display! There are other useful purposes for HTML in e-mails! Background images and tables – oh, how we all love them.
More than ever I can hardly see any need for markup in e-mails. Like mentioned before, e-mail should stay a fast medium of getting message from A to B, HTML just bloats the filesize thus slows down the transfer. Also there may be problems in quoting HTML mails. I guess colorful text decreases readability in almost 100 % of the cases and markup in general potentially breaks the correct display when viewed with another e-mail client. Attached e-mails are shown inline at the end of the e-mail in most of today's e-mail clients, which besides is convenient concerning scaled display on smaller or larger screens respectively.

No, Apple Mail stationaries did not make that any better!

But there is another reason: many companies try to pep up their services and products by sending newsletters and spam mails containing HTML which – at least for me – resulted in a subtle presumption to have one or another kind of unwanted or not-so important e-mail when receiving HTML e-mails. Of course images are pretty useful for junk mail because possible text cannot be analyzed by any filter. You get the point!

Privacy

There are several reasons why you definetely should encrypt your e-mails. Although nowadays it seems, that personal communication is kinda public interest – everything is communicated using ubiquituous online interfaces, everything is twittered, everybody shows off in facebook or some of its derivations. As if this would have any public benefit! But not enough, the web features more possibilities to promote yourself. Just like the network platforms the blogosphere is stage of vanitas, …uhm, what did I say? Vanity? Guess, both! And despite the many interesting blogs about politics, web development and gadgets the majority of blogs is attended as personal journal – which is a periphrasis for diary.

I think Andy Warhol got it wrong: in the future, so many people are going to become famous that one day everybody will end up being anonymous for 15 minutes.

Banksy – graffiti artist
Bristol, UK

Why has nobody anything to conceal from anybody? I do not want everybody to know everything about me, neither do I want to know most things about people surrounding me. Alright, it is a bit different with my friends. But what about neighbors, fellow students and co-workers? It is really of no interest, which movie I am watching right now, who I am seeing, what I am writing, where I am surfing, which drink I am having at the very moment! In particular, of no interest for my boss or perhaps any kind of administrative authority.
That is one point: politics and administrative bodies. Nowadays we have the special situation of the war on terror. Gosh, I just googled terrorism in order to get this Wikipedia link! Hopefully, nobody will recognize and suspect me to have any sympathy for things like that!

[…] but Mama said it was just a little white lie, it wasn't hurting nobody.

Forrest Gump

Although you got nothing to conceal, you may not want people watching you watching TV or doing this and that now and then. Or why do you ever draw your curtains? Sometimes the idea creeps up to me, that people just do not understand what they are telling everybody on webpages and what they are chatting to individuals on any chatting application! Most people do not seem to have the faintest idea that the internet is public indeed. Moreover nobody knows if we are attending the dawning of a new (perhaps even dark) age during these days of economic crisis and global terrorism. Thus nobody has any clue what will be appropriate in the future and you know anything you say can and will be used against you!

Signing and encrypting

The free encrypting software GNU Privacy Guard (below GnuPG) uses asymmetric encryption which for you results in having two different keys (public and private key) needed to encrypt something. With GnuPG you are able to encrypt files as well as texts. Let us presume we only want to encrypt our e-mail correspondence for this time. Along with your keys you will need the recipients public key for every instance of encrypting. One will need your public key as well, if he or she wants to encrypt something for you! While your public key consequently should be accessible for potential interlocutor of yours, your private key has to be kept as save as possible and only accessible for you, the owner of this key!
Supplemental to the encryption you can sign your e-mails with GnuPG, i. e. everybody may verify if a particular e-mail has been sent from you. If you do not have a receiver's public key, this person would at least be able to check if your e-mail is authentic – if he or she knows what to do with GnuPG signatures!

Pros and cons

Yes, encrypting is great and outclassing. But it also has a dark side. Let me give you some arguments about the merits and demerits:

Advantages

Verification of the e-mails sender
Verification if the e-mail has been altered on the way through the web
Even if your e-mail account gets hacked – your correspondence is save
Nowadays ease of use with various mail clients and plug-ins

Disadvantages

Without a running GnuPG system you are not able to read your mail
Do not loose your private key or you will not be able to read your mails ever again
Your e-mail client is not able to search for specific text in your e-mail archive (however you are still able to search for recipients and senders)
You will not be able to read your e-mails online in your webmail's interface

There is no standard routine how to exchange the public keys, thus to verify the public keys you receive. Best practice would be a personal exchange. One concept to ensure public keys are valid is the Web of trust, which allows you to sign public keys.

It is up to you to appraise these arguments. Since not everybody is using GnuPG you will not be able to send all your messages encrypted anyways. Personally, I try to use it as often as possible – especially for personal data (accounts or access data).

GPG-encrypted mail with ease – Installing GnuPG

Since there is a bunch of very good and detailed tutorials I leave it at redirecting you to some of them:

http://macgpg.sourceforge.net/index.html: Home of GnuPG for Mac OS X
http://www.sente.ch/software/GPGMail/English.lproj/GPGMail.html: GnuPG plug-in for Apple Mail
http://fiatlux.zeitform.info/en/instructions/pgp_macosx.html: Various detailed information on GnuPG usage on Mac OS X
http://enigmail.mozdev.org/home/index.php: Website for the Thunderbird plug-in Enigmail.
http://www.macnotes.de/2007/01/23/tutorial-sicherer-e-mailverkehr-mit-gnupg-mail/: Detailed german tutorial with a lot of screenshots.
http://entouragegpg.sourceforge.net/: Microsoft Entourage plug-in.

These steps are definitely worth the effort, not just, that it is safer to communicate in times of dragnet investigation, perhaps we are able to get rid of these fatuous footer, which tells hundred things to do, if you are accidently chosen as recipient. At least in germany this form of contract is not valid at all. Rescue e-mail&nbps;– keep this medium of mass communication fast, simple and safe.