<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hello Bjarni,<br>
<br>
Good to hear from you, remember a few years ago together with
Michiel we submitted an entry to the Access Innovation Prize for
combining FreedomBox+Unhosted+PageKite.<br>
I'm running the freedombox.me domain and its associated PageKite
service.<br>
This service is open source and documented at: <a
class="moz-txt-link-freetext"
href="https://github.com/peacekeeper/freedomkite"><a class="moz-txt-link-freetext" href="https://github.com/peacekeeper/freedomkite">https://github.com/peacekeeper/freedomkite</a></a><br>
<br>
Since it's currently just used for testing, it's certainly not as
sophisticated as your service, and it doesn't have the same kind
of protections that you have put in place. Maybe at some point we
can have a conversation how to improve it.<br>
<br>
We're currently also working on adding Let's Encrypt support to
FreedomBox.<br>
Here's my box with PageKite and Let's Encrypt:
<a class="moz-txt-link-freetext" href="https://markus.freedombox.me/">https://markus.freedombox.me/</a><br>
<br>
I think your analysis is super helpful!<br>
<br>
I think the FreedomBox perspective is that a PageKite service is
an optional feature, and that DNS/connectivity can come to your
box in different ways.<br>
Currently, a "names" module is being developed for Plinth that
will allow you to manage the various names that point to your box.<br>
But I agree with you that for most users, PageKite will be a key
infrastructural component to make the box useful.<br>
<br>
I believe charging users a small fee for a domain name and
connectivity is acceptable.<br>
Owning your own domain name is central to a lot of communities
that have emerged in the last few years, e.g. IndieWeb, or various
self-hosted identity protocols, so the idea of having your own
domain name should be promoted anyway.<br>
<br>
So the way I imagine it is that if you want a FreedomBox, you can
buy one from various providers (or install one yourself), and then
you can buy a domain name + PageKite service, again from various
providers (or set it up yourself).<br>
<br>
I completely agree that a single entity running a PageKite service
for a large FreedomBox community pretty much contradicts the idea
of decentralization.<br>
Also agree with you that there's probably no reliable way to
prevent MITM, and that users definitely won't run browser plugins
to monitor certs.<br>
<br>
So, your idea of a community-run network of PageKite services
sounds very interesting, and I think we'd all like to learn more!<br>
If you have any more concrete thoughts, I'd love to contribute and
try out ideas, etc.<br>
<br>
There's a FreedomBox progress call today (Sunday), maybe you have
time?<br>
<a class="moz-txt-link-freetext" href="https://wiki.debian.org/FreedomBox/ProgressCalls">https://wiki.debian.org/FreedomBox/ProgressCalls</a><br>
<br>
all the best,<br>
Markus<br>
<br>
On 11/21/2015 08:50 PM, Bjarni Runar Einarsson wrote:<br>
</div>
<blockquote cite="mid:20151121143139-16209-74016-mailpile@slinky"
type="cite">
<pre wrap="">Hello Freedombox folks!
tl;dr: There are security risks involved in running PageKite
relays which I wanted to warn you about. I'm also wondering if
folks here are interested in collaborating to build a
community-run free-of-charge network of PageKite relays.
Sorry, this got long...
It's been a while since I posted anything here; for those of you
who don't remember me, I'm the author of PageKite (owner/operator
of <a class="moz-txt-link-freetext" href="https://pagekite.net/">https://pagekite.net/</a>) and the lead developer on Mailpile.
I've been lurking on this list for ages.
For the rest of this e-mail I'm going to just assume that
FreedomBox, Mailpile and similar personal-home-server solutions
will never succeed in reaching the masses without PageKite (or
something just like it). Folks who disagree may want to stop
reading now. :-)
Unfortunately, if we consider PageKite.net's current business
model (my paycheck...), it's pretty clear that it will hinder
adoption if every single user has to pay a small fee to connect
to the network. Freedom is important, but folks are also very
price-sensitive about network services. People are so used to
free stuff online, that convincing them to pay a subscription for
something like PageKite is a very hard sell.
If we want efforts like the FreedomBox to succeed, eliminating
friction like this is important. When I am wearing my Mailpile
hat, I struggle with this same concern.
(Makers of embedded server products currently solve this exact
issue by purchasing PageKite accounts in bulk and including the
expected costs in the price of the hardware that is sold. This is
a viable model, but I suspect it's not one that appeals strongly
to this particular community...)
In any case, it would be *really cool* if PageKite service were
available free of cost, provided and supported by a community,
similar to the Tor relay network. I haven't tried to build such a
thing yet and I'd like to tell you why... and why I might be
about ready to change my mind and work on this.
I'm bringing this conversation to the FreedomBox list, because of
two things: it appears freedombox.me is trying to clone
pagekite.net, with less friction and no money involved;
community-run-relays might be a natural evolutionary direction
for that project. I also saw in Plinth's github someone
requesting the ability for one FreedomBox to be a PageKite relay
for another. Both of these ideas must be approached with care, or
users will be harmed.
The main concerns:
0) Users of a pagekite.me-style service are completely at the
mercy of the person who provides them with a sub-domain. Adding
some volunteers and decentralization to the mix at the relay
stage doesn't actually solve the main social/political problems -
the domain owner still controls everything.
1) PageKite relays can be abused in much the same way as Tor exit
nodes - if anyone can volunteer to run a relay, some will do so
for antisocial reasons, in particular to spy on the traffic. Or
worse; to manipulate the traffic, injecting ads, malware etc.
Using your friends' relays is NOT a solution, few people are more
interested in spying on you than your friends, relatives and
coworkers.
2) Phishing campaigns regularly try to use PageKite relays to
anonymize their operations. If they succeed, then PageKite relays
get automatically blacklisted in various firewalls, preventing
legitimate users from accessing their kites.
3) Fly-by-night makers of cheap home-server devices may try to
freeload off the community network without contributing anything
back.
Points 1) and 2) are critical security issues, point 0) begs the
question "what's the point?" I am not sure whether 3) is a bug or
a feature!
Neither of the security risks is theoretical; Tor exit node
manipulation is common and I shut phishers down on pagekite.me on
a regular basis. I have managed these risks at pagekite.net
through careful monitoring and manual oversight - and by charging
money so I know who my users are and they know who they're doing
business with.
Addressing these concerns in a community pagekite service:
0) Centralized control can be reduced somewhat by having multiple
service domains and multiple providers of DNS and pagekite
authentication, and by encouraging users to use their own
domains. While domains cost money, users will be jeopardize their
freedom/security in exchange for a free sub-domain.
1) End-to-end encryption may prevent tampering and spying on
content; protecting metadata from the relay operators is largely
impossible unless everyone uses Tor (in which case you might as
well just use a Tor hidden service and skip PageKite).
For e2e crypto, we have to deal with TLS certificates which has
made this impractical until now. Letsencrypt.org may help, but
it's unclear to me whether anything prevents the relay operator
from simply using letsencrypt.org to set up their own MITM
anyway. Hopefully letsencrypt.org monitor things well enough and
warn certificate owners about re-issued certs...
Another attack vector, if the TLD owner and the relay operator
are one and the same (this is currently the case with both
pagekite.me and freedombox.me), then the owner of the TLD can
register a wild-card certificate and use that to MITM their
usres. Most users will never notice a thing. Security improves if
DNS management and relay operations are separated. This attack
can also be thwarted by only ever using sub-sub-domains
(foo.bar.freedombox.tld).
All of these risks can be mitigated if the users know how to use
browser plugins like Certificate Patrol, or know how to manage
self-signed certificates and navigate scary browser warnings. For
non-technical users, neither is appealing.
Clear-text HTTP relaying in a volunteer-run PageKite network
should be strictly forbidden; relay operators that offer
clear-text HTTP relaying should be blacklisted. (Who watches the
watchers?)
2) Phishing abuse has no solution except active policing of
relayed domains, or a high-friction non-anonymous signup process
(preferably involving money). It may be possible to automate
policing to a certain extent, but this will always be an arms
race.
Conclusion:
I think letsencrypt.org *may* be enough of a game-changer that it
is worth revisiting how to create a volunteer-operated relay
network and make the DNS side of the PageKite solution easily
installable, so a more diverse ecosystem can emerge.
On the other hand, it might still be premature - the demand isn't
there yet, is it? It's certainly not urgent.
Are there folks on this list that would be interested in
participating and providing resources to such an effort? I've got
my hand tentatively raised... :-) I've also had the domain
pagekite.org registered for ages, for exactly this use-case.
All the best,
- Bjarni
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freedombox-discuss mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freedombox-discuss@lists.alioth.debian.org">Freedombox-discuss@lists.alioth.debian.org</a>
<a class="moz-txt-link-freetext" href="http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss">http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss</a></pre>
</blockquote>
<br>
</body>
</html>