As one of the people who built Martus, an encrypted database used by thousands of human rights activists around the world, I routinely confront the needs of users who are not in wealthy countries, as well as the difficult problem that creating real, easy-to-use security poses. My thoughts here are focused on the democracy activists, citizen journalists, and human rights workers in the world’s toughest political environments. These are our Martus users, and my colleagues and friends. These are people who need security more than just about anyone: it can be literally a question of life and death.



Patrick Ball has spent over 20 years applying scientific measurement to human rights. He has designed databases and conducted quantitative analysis for truth commissions, non-governmental organizations, international criminal tribunals and United Nations missions in El Salvador, Ethiopia, Haiti, Chad, Sri Lanka, East Timor, Sierra Leone, South Africa, Kosovo, Liberia, and Peru. Dr. Ball is currently involved in HRDAG projects in Guatemala, Colombia, the DR Congo, Syria, and others. (Photo: Miguel Cruz)

My concerns stem from a sharp debate over software called CryptoCat — a debate spurred largely by an admiring profile at Wired. CryptoCat is a web-based chat application which uses encryption to scramble the contents of a conversation, in theory resisting electronic snooping. The interesting twist is that CryptoCat does the crypto without using the easily-thwarted security built into browsers (called SSL), and without requiring the user to download and install additional software (like Pidgin and OffTheRecord).

Seems great, right?

Well, not so great. CryptoCat is one of a whole class of applications that rely on what’s called “host-based security”. The most famous tool in this group is Hushmail, an encrypted e-mail service that takes the same approach. Unfortunately, these tools are subject to a well-known attack. I’ll detail it below, but the short version is that if you use one of these applications, your security depends entirely on the security of the host. This means that in practice, CryptoCat is no more secure than Yahoo chat, and Hushmail is no more secure than Gmail. More generally, your security in a host-based encryption system is no better than having no crypto at all.

CryptoCat’s security is based on how it convinces your browser to do the encryption on your computer. To simplify, there are two parts to an encryption system: the encryption engine, and the key. The encryption engine is the software that does the actual work — everyone who uses the tool uses the same encryption engine. The second component is your key, which is unique to every user. The key holds, well, the key to your security. It must be kept secret, so only you have it. Again simplifying, the key consists of a tiny computer file and your passphrase. (If you want to know more about keys, see my earlier blog post on this topic).

In host-based systems, the host keeps the tiny computer file, but not your passphrase. The idea is that only you know your passphrase. In theory, the host cannot access your data because although they have part of your key, they don’t have your passphrase. When you log in, the host sends the encryption engine to you in a computer program (called an applet) that runs inside your browser; the tiny computer file with part of your key is attached alongside the applet. All the encryption and decryption happens in your browser, on your computer. That means that the host only ever sees the encrypted data. Since only you have your passphrase, your data should be secure, even if the host wants to attack it.

But there’s a problem. If an attacker can get access to your key and your passphrase, all your encrypted data is now accessible to him. Remember that the host already has your key. All they need is your passphrase. So if the host wants to attack you, all they need to do is send you a special encryption engine that captures your passphrase the next time you use the service. As usual, it does all the encryption and decryption for you, right on your computer. But it also remembers your passphrase, and sends it secretly back to the host. This is the heart of the attack: if the server sends you a special applet that spies on you, all your encrypted data is now wide open.
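To make the trust boundary concrete, here is a small Python model of the arrangement just described; it is added here and is not code from Martus, CryptoCat or Hushmail. The host keeps the key file and serves the engine on every login, the client combines key file and passphrase locally, and the engine bytes, user name, key file and passphrase are constructed stand-ins. The one extra step, checking the delivered engine against a fingerprint recorded when the software was reviewed, is what separates a fetched-on-login applet from software you install once and can authenticate.

```python
import hashlib
import hmac

# Constructed stand-ins for the engine the host serves on every login. In the
# real systems this is the applet's code; the client just receives bytes.
REVIEWED_ENGINE = b"engine-1.0: derive key locally, encrypt locally"
SWAPPED_ENGINE = b"engine-1.0: derive key locally, also report passphrase"

def fingerprint(engine: bytes) -> str:
    """Hash of the engine as delivered; this is what a reviewer pins."""
    return hashlib.sha256(engine).hexdigest()

class Host:
    """Keeps each user's key file and decides which engine to serve."""
    def __init__(self, engine: bytes):
        self.engine = engine
        self.keyfiles = {}

    def register(self, user: str, keyfile: bytes) -> None:
        self.keyfiles[user] = keyfile

    def login(self, user: str):
        return self.engine, self.keyfiles[user]   # engine + key file, each time

def derive_key(keyfile: bytes, passphrase: str) -> bytes:
    """The two halves of the key meet only on the client (PBKDF2 here)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), keyfile, 200_000)

def login(host: Host, user: str, passphrase: str, pinned=None) -> bytes:
    """pinned=None: run whatever engine arrives (host-based model).
    pinned=<fingerprint from review, not from the host>: withhold the
    passphrase from any engine that differs from the reviewed build."""
    engine, keyfile = host.login(user)
    if pinned is not None and not hmac.compare_digest(fingerprint(engine), pinned):
        raise ValueError("engine differs from reviewed build; passphrase withheld")
    return derive_key(keyfile, passphrase)

def demo():
    """Honest host whose engine is then swapped; returns (unpinned proceeds, pinned refuses)."""
    host = Host(REVIEWED_ENGINE)
    host.register("alice", b"\x01" * 16)      # constructed key file
    pin = fingerprint(REVIEWED_ENGINE)        # recorded at install/review time
    host.engine = SWAPPED_ENGINE
    proceeds = login(host, "alice", "correct horse", None) is not None
    try:
        login(host, "alice", "correct horse", pin)
        refuses = False
    except ValueError:
        refuses = True
    return proceeds, refuses
```

The pin is only worth something if it comes from somewhere the host does not control; a host that also serves the expected fingerprint can simply serve a matching one alongside the swapped engine.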

Once the server has captured your key and passphrase, you have no more security from the host: the host knows everything. This is exactly what Hushmail did, compromising the security of its own users. Though he was the first to report this flaw, Threat Level editor Ryan Singel nonetheless suggests to readers that they should still consider using Hushmail simply because it is easy to use. Consider the following passage from his recent commentary:

Now, web-based crypto is hard and is not immune to bending itself to comply with court orders, which as Soghoian notes to make his case, is something I reported. Wired discovered that the online encrypted e-mail company Hushmail had created a way for governments that had a Mutual Assistance Legal Agreement with Canada to subpoena Hushmail users’ accounts. Hushmail even created rogue downloadable software to help bust open encrypted accounts for the government, though it’s not clear the company was under any legal obligation to do so. But, as I reported then, that doesn’t mean that Hushmail is a bad choice for everyone or even most people – it simply depends on your threat model. If you are a journalist working to expose illegal U.S. government actions that include national security secrets or you are running a meth lab, it’s probably not a great choice. If you are a dissident in the Middle East or a psychiatrist wanting secure communication with clients, Hushmail is a very good security option, especially since it’s very easy to use.

Singel’s article suggests that the problem with Hushmail is that law enforcement can convince Hushmail to decrypt the user’s mail without the user’s knowledge. The article is entirely correct here, as far as it goes. However, it then asserts something very dangerous: that because the U.S. government is not a threat, “a dissident in the Middle East” could use Hushmail which would be a “very good security option” for her.

This is inaccurate, and dangerous because government pressure on a host is far from the only threat to a host-based system. In fact, in a host-based system, anyone who can gain control of the server can decrypt the user’s information. So a rogue employee could attack you, either because the employee is truly malicious, because he was coerced by personal threats, or by a legal instrument like a court order. Or if a malicious cracker broke into the server, he could force the server to perform the same attack. Web servers get cracked all the time — they are notoriously insecure — so this is a very likely scenario.

In conversation, Singel told me that his view of Hushmail’s usefulness to dissidents is informed by an interview he conducted with Phil Zimmermann, the inventor of PGP, and the person who first taught me about strong crypto. But I think it’s time to reconsider that discussion.

In any host-based system that delivers the encryption engine to you each time you log in, and in which your keys reside on the server, you are never secure against the host (there’s new research on this called “host-proof hosting,” but it’s a long way from being ready to use in real applications). That means that if the host attacks you, or they fail to protect themselves, your encrypted data will be available to them. Remember that the host might attack you because someone evil has taken control of the host. If you are the hypothetical dissident in the Middle East, your government might contract a hacker to break into the CryptoCat server, Hushmail, or another host-based server, and thereby get access to all your data. Or they could bribe an employee at a host-based service. Again: in host-based security, all your security rests on your personal trust for the people at the host, and their ability to protect the server. There’s no real security in a technical sense.

This means that Hushmail is no more secure than any other email service, like Gmail. In fact, Gmail might be more secure than Hushmail, if we think that Gmail has better personnel screening and more skillful engineers protecting their servers against malicious attacks than Hushmail does (many experts do believe this). By the same logic, CryptoCat is no more secure than Yahoo chat.

At Benetech, we’ve been working with human rights data for over twenty years, and providing secure software for ten. Martus has been downloaded by users in more than 100 countries. We’ve learned that, unfortunately, security is hard, and people who tell you that it’s easy or that there are shortcuts are probably fooling you — and maybe themselves. Our best efforts have all come from building security into the applications we already want to use, like Martus, which has security built into a database. For both email and chat, there are real security solutions (GPG and Pidgin/OTR). They’re a little harder to use, but their security is real.

We know how important good data security is for dissidents, citizen journalists, democracy advocates, and human rights activists. Journalists should stop looking for shortcuts that weaken everyone.

Even the CryptoCat project is working to evolve to a better model than the weak version I’ve critiqued here. CryptoCat still follows the weak host-based model if you log into it directly. However, in addition to this model, CryptoCat now offers the option to install a browser extension for Chrome or Firefox. It’s much too new to trust, but once it matures, and is carefully reviewed, if you install that extension, you might be more secure than using Yahoo or Gchat (the devil is in the implementation details). It might someday be as good as existing chat encryption tools like OffTheRecord. With all these tools, you have to install new software.

But CryptoCat’s existing web application is still as vulnerable as I warn in the discussion above. I urge CryptoCat to shut down the vulnerable site.

Good security is about not trusting people. It’s about studying math and software and assuring that the program cannot be turned to bad intent. We publish all the code for Martus specifically because we want users to know that they do not have to trust Benetech in order for their data to be secure. We do not hold users’ keys, and we certainly do not want to know anyone’s passphrases. If our servers get cracked, or law enforcement seizes our servers, the attackers would get only the encrypted data, with no way to get keys and passphrases. The data would remain secure. Furthermore, we make the software available for free download, and we have no idea who is downloading the software or how they get it. That way we have no way to attack the users to capture their keys and passphrases.

I understand the desire to find better solutions — real security is still too hard for many people, something we see every day in our Martus trainings, and we are working with other software projects to make it easier. But the unfortunately all-too-common spectacle of a journalist rushing to embrace and publicize phony shortcuts as if they were the solution for human rights activists around the world not only doesn’t help; it can be deadly.

Here are a few ways to think about a security tool. When someone offers you one, ask yourself: who holds the keys? Can an attacker get my keys? Can an attacker read my passphrase? How does the cryptographic software get to my computer? Can I review it? Can I authenticate it? Can an attacker steal my passphrase? Where is my trust placed, and what does it mean to trust? These are useful questions to keep in mind. When it’s really important to keep your data secret, it’s worth consulting an expert.