[Freedombox-discuss] PageKite relay service; risks, community and collaboration?

Adrian Gropper agropper at healthurl.com
Sun Nov 22 02:13:44 UTC 2015


We're building a personal UMA Authorization Server to run under FreedomBox.
The project, just launched, is at https://github.com/HIEofOne. We hope to
leverage the easy installation and management features of FreedomBox. A
standard open source personal AS is useful for all sorts of
personal machine-to-machine transactions from health records to IoT.

A UMA AS needs to be acceptable to large corporations and government
servers. Personal domains and letsencrypt SSL certificates will be
essential lest these institutions decide that personal servers are insecure.

Personal domains can be as little as $4/year and I would not consider that
a significant barrier for typical AS users. I hope FreedomBox supports an
easy setup for this kind of use-case, including a solution to the dynamic
DNS config.

Best,

Adrian

On Saturday, November 21, 2015, Bjarni Runar Einarsson <bre at pagekite.net>
wrote:

> Hello Freedombox folks!
>
> tl;dr: There are security risks involved in running PageKite
> relays which I wanted to warn you about. I'm also wondering if
> folks here are interested in collaborating to build a
> community-run free-of-charge network of PageKite relays.
>
>
> Sorry, this got long...
>
> It's been a while since I posted anything here; for those of you
> who don't remember me, I'm the author of PageKite (owner/operator
> of https://pagekite.net/) and the lead developer on Mailpile.
> I've been lurking on this list for ages.
>
> For the rest of this e-mail I'm going to just assume that
> FreedomBox, Mailpile and similar personal-home-server solutions
> will never succeed in reaching the masses without PageKite (or
> something just like it). Folks who disagree may want to stop
> reading now. :-)
>
> Unfortunately, if we consider PageKite.net's current business
> model (my paycheck...), it's pretty clear that it will hinder
> adoption if every single user has to pay a small fee to connect
> to the network. Freedom is important, but folks are also very
> price-sensitive about network services. People are so used to
> free stuff online, that convincing them to pay a subscription for
> something like PageKite is a very hard sell.
>
> If we want efforts like the FreedomBox to succeed, eliminating
> friction like this is important. When I am wearing my Mailpile
> hat, I struggle with this same concern.
>
> (Makers of embedded server products currently solve this exact
> issue by purchasing PageKite accounts in bulk and including the
> expected costs in the price of the hardware that is sold. This is
> a viable model, but I suspect it's not one that appeals strongly
> to this particular community...)
>
> In any case, it would be *really cool* if PageKite service were
> available free of cost, provided and supported by a community,
> similar to the Tor relay network. I haven't tried to build such a
> thing yet and I'd like to tell you why... and why I might be
> about ready to change my mind and work on this.
>
> I'm bringing this conversation to the FreedomBox list, because of
> two things: it appears freedombox.me is trying to clone
> pagekite.net, with less friction and no money involved;
> community-run-relays might be a natural evolutionary direction
> for that project. I also saw in Plinth's github someone
> requesting the ability for one FreedomBox to be a PageKite relay
> for another. Both of these ideas must be approached with care, or
> users will be harmed.
>
>
> The main concerns:
>
> 0) Users of a pagekite.me-style service are completely at the
> mercy of the person who provides them with a sub-domain. Adding
> some volunteers and decentralization to the mix at the relay
> stage doesn't actually solve the main social/political problems -
> the domain owner still controls everything.
>
> 1) PageKite relays can be abused in much the same way as Tor exit
> nodes - if anyone can volunteer to run a relay, some will do so
> for antisocial reasons, in particular to spy on the traffic. Or
> worse; to manipulate the traffic, injecting ads, malware etc.
> Using your friends' relays is NOT a solution, few people are more
> interested in spying on you than your friends, relatives and
> coworkers.
>
> 2) Phishing campaigns regularly try to use PageKite relays to
> anonymize their operations. If they succeed, then PageKite relays
> get automatically blacklisted in various firewalls, preventing
> legitimate users from accessing their kites.
>
> 3) Fly-by-night makers of cheap home-server devices may try to
> freeload off the community network without contributing anything
> back.
>
> Points 1) and 2) are critical security issues, point 0) begs the
> question "what's the point?" I am not sure whether 3) is a bug or
> a feature!
>
> Neither of the security risks is theoretical; Tor exit node
> manipulation is common and I shut phishers down on pagekite.me on
> a regular basis. I have managed these risks at pagekite.net
> through careful monitoring and manual oversight - and by charging
> money so I know who my users are and they know who they're doing
> business with.
>
>
> Addressing these concerns in a community pagekite service:
>
> 0) Centralized control can be reduced somewhat by having multiple
> service domains and multiple providers of DNS and pagekite
> authentication, and by encouraging users to use their own
> domains. While domains cost money, users will jeopardize their
> freedom/security in exchange for a free sub-domain.
>
> 1) End-to-end encryption may prevent tampering and spying on
> content; protecting metadata from the relay operators is largely
> impossible unless everyone uses Tor (in which case you might as
> well just use a Tor hidden service and skip PageKite).
>
> For e2e crypto, we have to deal with TLS certificates which has
> made this impractical until now. Letsencrypt.org may help, but
> it's unclear to me whether anything prevents the relay operator
> from simply using letsencrypt.org to set up their own MITM
> anyway. Hopefully letsencrypt.org monitor things well enough and
> warn certificate owners about re-issued certs...
>
> Another attack vector, if the TLD owner and the relay operator
> are one and the same (this is currently the case with both
> pagekite.me and freedombox.me), then the owner of the TLD can
> register a wild-card certificate and use that to MITM their
> users. Most users will never notice a thing. Security improves if
> DNS management and relay operations are separated. This attack
> can also be thwarted by only ever using sub-sub-domains
> (foo.bar.freedombox.tld).
>
> All of these risks can be mitigated if the users know how to use
> browser plugins like Certificate Patrol, or know how to manage
> self-signed certificates and navigate scary browser warnings. For
> non-technical users, neither is appealing.
>
> Clear-text HTTP relaying in a volunteer-run PageKite network
> should be strictly forbidden; relay operators that offer
> clear-text HTTP relaying should be blacklisted. (Who watches the
> watchers?)
>
> 2) Phishing abuse has no solution except active policing of
> relayed domains, or a high-friction non-anonymous signup process
> (preferably involving money). It may be possible to automate
> policing to a certain extent, but this will always be an arms
> race.
>
>
> Conclusion:
>
> I think letsencrypt.org *may* be enough of a game-changer that it
> is worth revisiting how to create a volunteer-operated relay
> network and make the DNS side of the PageKite solution easily
> installable, so a more diverse ecosystem can emerge.
>
> On the other hand, it might still be premature - the demand isn't
> there yet, is it? It's certainly not urgent.
>
> Are there folks on this list that would be interested in
> participating and providing resources to such an effort? I've got
> my hand tentatively raised... :-) I've also had the domain
> pagekite.org registered for ages, for exactly this use-case.
>
> All the best,
>  - Bjarni
>


-- 

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: http://patientprivacyrights.org/donate-2/
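The sub-sub-domain defence from the quoted message above rests on how certificate wildcards are matched: a single `*` label covers exactly one DNS label, so a `*.freedombox.tld` certificate held by the domain/relay operator matches `alice.freedombox.tld` but not `alice.home.freedombox.tld`. The following checker is an added example, not part of this thread or of the PageKite or FreedomBox code; the hostnames and the `.tld` suffix are constructed for illustration.

```python
"""Wildcard-certificate name matching (RFC 6125 / browser rules), written
to show why a *.service-domain certificate cannot impersonate
sub-sub-domains. Added example; not PageKite or FreedomBox code."""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate SAN/CN pattern covers hostname.

    Rules enforced here (the ones modern browsers apply):
      * comparison is case-insensitive and ignores a trailing dot
      * '*' is only honoured as the entire leftmost label
      * '*' matches exactly one label, never zero and never several
      * the fixed part after '*' must have at least two labels,
        so '*.tld' is rejected
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a whole leftmost label may be a wildcard (no "a*.example.tld").
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # Refuse "*" and "*.tld": the fixed suffix needs at least two labels.
    if len(p_labels) < 3:
        return False
    # One wildcard label stands for exactly one hostname label,
    # so the label counts must be identical.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def covered_by(cert_names, hostname):
    """Return the first name in cert_names that covers hostname, else None."""
    for name in cert_names:
        if wildcard_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    # Constructed: the wildcard a service-domain owner could obtain.
    operator_wildcard = ["*.freedombox.tld"]
    for host in ("alice.freedombox.tld", "alice.home.freedombox.tld"):
        print(host, "->", covered_by(operator_wildcard, host))
```

Running it shows the first hostname is covered by the operator's wildcard and the second is not, which is the whole basis of the sub-sub-domain mitigation.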