[Freedombox-discuss] FBX Server/Client Communication Model and Threat Modeling

Melvin Carvalho melvincarvalho at gmail.com
Sat Feb 16 11:21:06 UTC 2013


On 16 February 2013 04:25, Nick M. Daly <nick.m.daly at gmail.com> wrote:

> Hi folks, here's an active question that I'd appreciate your input on.
>
>     What is an appropriate threat-model for the FreedomBox's
>     client-server communications?
>
> Please discuss on list or feel free to add to the FBX wiki:
>
>     http://wiki.debian.org/FreedomBox/ClientServerCommunication
>
> This question has a number of obvious answers, but keep in mind the
> project's end-goals: to bring communication freedom to as many folks in
> as many situations as possible.  To that end, what are appropriate
> compromises between server and client security, accessibility, and
> availability?
>
> It seems to me that client devices fall into one of two basic
> categories:
>
> 1. Those on which the user has root privileges and fully trusts (like
>    their own laptop, running a fully free operating system and BIOS, in
>    which no mal/spy/inscrutable-ware exists).
>
> 2. Those on which the user doesn't have root privileges and therefore
>    can't fully trust (an iPhone, a laptop with non-free software and/or
>    binary kernel blobs, a desktop with a non-free BIOS).
>
> I've illustrated the fact that there's a range of trustworthiness,
> though I don't know how to meaningfully measure this quantitatively (I'd
> like to survey and classify devices, but I don't know how to massively
> and remotely detect un-trustworthy or malicious software, suggestions
> are welcome).
>
> At this point, I'm worried about secret key (identity) material.  This,
> being the most important and secret of data, can teach lessons that can
> be applied to nearly all other data.
>
> I'll start by throwing out a few more directed questions to start off
> the discussion:
>
> 1. Who can be trusted with which secret key material?
>
>    1.A. Can servers be trusted with the client's key?
>
>    1.B. Which clients can be trusted with parts of the server's key?
>
> 2. In what ways is it acceptable for devices to give up which secrets?
>
>    For example, is it acceptable if the client's secret key is exposed
>    when the box is rooted by attackers?  (Probably not, but that does
>    let the host act as a trust proxy without relying on subkeys, or
>    other weird yet conceptually interesting trust models).
>
> 3. What is the client application delivery model?  Is it:
>
>    3.A. Browser-based interaction between client and server?
>
>    3.B. Browser-plugin-based interaction?
>
>    3.C. Appstore-based interaction?
>


Hi Nick, great topic.  Which client/server interactions would you envisage
as being high on the priority list?  e.g. ssh to box, login to dashboard
via a browser, using gpg based tools for email etc. ... a specific context
may make it slightly easier to visualize the possible attack surface ...


>
> Thanks for your time,
> Nick
>
> _______________________________________________
> Freedombox-discuss mailing list
> Freedombox-discuss at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
>
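Nick's second question asks whether a rooted box exposing the client's key is acceptable, and mentions subkeys as the alternative to letting a host act as a trust proxy. The sketch below is an added example, not FreedomBox code and not from either poster: the primary Ed25519 identity key stays on a category-1 (fully trusted) client, which issues a short-lived, revocable delegation to a subkey that the server or a category-2 device holds. If that device is rooted, only the subkey leaks; the delegation format, the `fbx-delegation-v0` tag and the function names are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Constructed domain-separation tag so a delegation can never be confused
// with an ordinary message signature (assumed format, not a FreedomBox one).
const delegationTag = "fbx-delegation-v0"

// Delegation is the certificate the primary identity key (kept only on a
// fully trusted client) issues for a subkey that a less trusted device or
// the server may hold.
type Delegation struct {
	SubPub   ed25519.PublicKey
	NotAfter int64  // unix seconds; the subkey is useless after this
	Sig      []byte // primary key's signature over (tag, SubPub, NotAfter)
}

// delegationBody serialises what the primary key signs: tag || subkey || expiry.
func delegationBody(sub ed25519.PublicKey, notAfter int64) []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(notAfter))
	return bytes.Join([][]byte{[]byte(delegationTag), sub, ts[:]}, nil)
}

// IssueDelegation runs on the trusted client; the primary private key never
// leaves it.
func IssueDelegation(primary ed25519.PrivateKey, sub ed25519.PublicKey, notAfter int64) Delegation {
	return Delegation{SubPub: sub, NotAfter: notAfter,
		Sig: ed25519.Sign(primary, delegationBody(sub, notAfter))}
}

// SignWithSubkey runs on the less trusted device; it only ever sees subPriv.
func SignWithSubkey(subPriv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(subPriv, msg)
}

// VerifyDelegated checks msg against the identity's primary public key via
// the delegation chain, honouring expiry and an explicit revocation list.
func VerifyDelegated(primaryPub ed25519.PublicKey, d Delegation, revoked [][]byte,
	msg, sig []byte, now int64) error {
	if !ed25519.Verify(primaryPub, delegationBody(d.SubPub, d.NotAfter), d.Sig) {
		return errors.New("delegation not signed by primary identity key")
	}
	if now > d.NotAfter {
		return errors.New("delegation expired")
	}
	for _, r := range revoked {
		if bytes.Equal(r, d.SubPub) {
			return errors.New("subkey revoked")
		}
	}
	if !ed25519.Verify(d.SubPub, msg, sig) {
		return errors.New("message signature invalid")
	}
	return nil
}

// demoKey derives a deterministic key pair from a one-byte seed; demo only,
// real keys come from crypto/rand as in main.
func demoKey(seed byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	s := make([]byte, ed25519.SeedSize)
	s[0] = seed
	priv := ed25519.NewKeyFromSeed(s)
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	// Fully trusted client holds the primary identity key.
	primPub, primPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// The server (or a non-root device) receives only a subkey.
	subPub, subPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now().Unix()
	d := IssueDelegation(primPriv, subPub, now+24*3600)
	msg := []byte("status: online") // constructed sample message
	sig := SignWithSubkey(subPriv, msg)
	fmt.Println("valid:", VerifyDelegated(primPub, d, nil, msg, sig, now))
	// If the box is rooted the subkey leaks; revoke it, the identity survives.
	fmt.Println("after revocation:", VerifyDelegated(primPub, d, [][]byte{subPub}, msg, sig, now))
}
```

The point for the threat model is what each category of device is allowed to lose: a rooted server hands the attacker a subkey bounded by expiry and revocation, and the leaked subkey cannot mint further delegations because verifiers only accept delegations signed by the primary key.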