July 23, 2006
Case Study: Thunderbird's brittle security as proof of Iang's 3rd Hypothesis in secure design: there is only one mode, and it's secure.
In talking with Hagai, it was suggested that I try using the TLS/IMAP capabilities of Thunderbird, which I turned on (it's been a year or two since the last time I tried it). Unfortunately, nothing happened. Nothing positive, nothing negative. Cue in here a long debate about whether it was working or not, and how there should be a status display, at least, and various other remedies, at most.
A week later, the cleaning lady came in and cleaned up my desk. This process, for her, also involves unpowering the machine. Darn, normally I leave it on for ever, like a couple of months or so.
On restarting everything, Thunderbird could not connect to the mail servers. Our earlier mystery is thus resolved - the settings don't take effect until restart. Doh!
So, how then did Thunderbird handle? Not so well, but it may have got there in the end. This gives me a change to do a sort of case study in 1990s design weaknesses, a critique in (un)usability, leading to design principles updated for this decade.
To predict the punch line, the big result is that there should only be one mode, and it should be secure. To get there more slowly, here's what I observed:
Firstly, Thunderbird grumbled about the certificate being in the wrong name. I got my negative signal, and I knew that there was something working! Hooray!
But, then it turned out that Thunderbird still could not connect, because "You have chosen secure authentication, but this server does not offer it. Therefore you cannot log in..." Or somesuch. Then I had to go find that option and turn it off. This had to be done for all mail accounts, one by one.
Then it worked. Well, I *guess* it did... because funnily enough it already had the mail, and again had not evidenced any difference.
Let's break this up into point form. Further, let's also assume that all competing products to be as bad or worse. I actually *choose* Thunderbird as my preferred email client, over say Kmail. So it's not as bad as it sounds; I'm not "abandoning Thunderbird", I'm just not getting much security benefit from it, and I'm not recommending it to others for security purposes.
- No caching of certs. There is no ability to say "Yes, use that cert for ever, I do know that the ISP is not the same name as my domain name, dammit!!!!" This is an old debate; in the PKI world, they do not subscribe to the theory that the user knows more than any CA about her ISP. One demerit for flat earth fantasies.
- No display anywhere that tells me what the status of the security is. One demerit. (Keep in mind that this will only be useful for us "qualified cryptoplumbers" who know what the display means.)
- I can choose "secure authentication" and I can choose "secure connection." As a dumb user, I have no idea what that means, either of them. One demerit.
- If I choose one of those ON, and it is not available, it works. Until it doesn't -- it won't connect at some later time and it tells me to turn it off. So as a user I have a confusing choice of several options, but ramifications that do not become clear until later.
Another demerit: multiple options with no clear relationship, but unfortunate consequences.
- Once it goes wrong, I have to navigate from a popup telling me something strange, across to a a series of boxes in some other strange area, and turn off the exact setting that I was told to, if I can remember what was on the popup. Another demerit.
- All this took about 5 minutes. It took longer to do the setting up of some security options than it takes to download, install, and initiate an encrypted VoIP call over Skype with someone who has *never used Skype before*. I know that because the previous night I had two newbies going with Skype in 3 minutes each, just by talking them through it via some other chat program.
- Normal users will probably turn it all off, as they won't understand what's really happening, and "I need my mail, darnit!"
(So, we now start to see what "need" means when used by users... it means "I need my email and I'll switch the darned security rubbish off and/or move to another system / supplier / etc.)
- This system is *only useable by computer experts.* The only reason I was able to "quickly" sort this out was because I knew (as an experienced cryptoplumber) exactly what it was trying to do. I know that TLS requires a cert over the other end, *and* there is a potential client-side cert. But without that knowledge, a user would be lost. TLS security as delivered here is a system is not really up to use by ordinary people - hence "brittle."
We can conclude that this is a nightmare in terms of:
Let's put this in context: when this system was designed, we didn't have the knowledge we have now. Thunderbird's security concept is at least 3 years old, probably 8-10 years old. Since those years have passed, we've got phishing, usability studies, opportunistic crypto, successful user-level cryptoapps (two, now), and a large body of research that tells us how to do it properly.
We know way more than we did 3 years ago - which was when I started on phishing. (FTR, I suggested visit counts! How hokey!)
Having got the apologies off our chest, let's get to the serious slamming: If you look at any minor mods to the Thunderbird TLS-based security, like an extra popup, or extra info or displays, you still end up with a mess. E.g., Hagai suggested that there should be an icon to display what is going on - but that only helps *me* being an experience user who knows exactly what it is trying to tell me. I know what is meant by 'secure authentication' but if you ask grandma, she'll offer you some carrot cake and say "yes, dear. now have some of this, I grew the carrots myself!"
(And, in so doing, she'll prove herself wiser than any of us. And she grows carrots!)
Pigs cannot be improved by putting them in dresses - this security system is a pig and won't be improved by frills.
The *design* is completely backwards, and all it serves to do is frustrate the use of the system. The PKI view is that the architecture is in place for good reasons, and therefore the user should be instructed and led along that system path. Hence,
"We need to educate the users better."
That is a truly utterly disastrous recommendation. No! Firstly, the system is wrong, for reasons that we can skip today. Secondly, the technical choices being offered to the users are beyond their capabilities. This can never be "educated." Thirdly, it's a totally inefficient use of the user's time. Fourthly, the end effect is that most users will not ever get the benefit.
(That would be a mighty fine survey -- how many users get the benefit of TLS security in Thunderbird? If it is less than 10%, that's a failure.)
The system should be reversed in logic. It should automatically achieve what it can achieve and then simply display somewhere how far it got:
- Try for the best, which might be secure auth, and then click into that. Display "Secure Auth" if it got that far.
- If that fails, then, fallback to second best: try the "Secure Conn" mode, and display that on success.
- Or finally, fall back to password mode, and display "Password only. Sorry."
The buttons to turn these modes on are totally unneccessary. We have computers to figure that sort of nonsense out.
Even the above is not the best way. Fallback modes are difficult to get right. They are very expensive, brittle even. (But, they are better - far far far cheaper - than asking the user to make those choices.) There is still one way to improve on this!
Hence, after 5 demerits and a handful of higher-level critiques, we get to the punchline:
To improve, there should only be one mode. And that mode is secure. There should be only one mode, because that means you can eliminate the fallback code. Code that falls back is probably twice as large as code that does not fallback. Twice as brittle, four times as many customer complaints. I speak from experience...
The principle, which I call my 3rd Hypothesis in Secure Protocol Design, reads like this:
There is only one mode, and it is secure.
If you compare and contrast that principle with all the above, you'll find that all the above bugs magically disappear. In fact, a whole lot of your life suddenly becomes much better.
Now, again, let's drag in some wider context. It is interesting that email can never ever get away from the fact that it will always have this sucky insecure mode. Several of them, indeed. So we may never get away from fallbacks, for email at least.
That unfortunate legacy should be considered as the reality that clashes with the Hypothesis. It is email that breaches the Hypothesis, and it and all of us suffer for it.
There is no use bemoaning the historical disaster that is email. But: new designs can and will get it right. Skype has adopted this Hypothesis, and it took over - it owns VoIP space in part because it delivered security without the cost. SSH did exactly the same, before.
In time, other communication designs such as for IM/chat and emerging methods will adopt Hypothesis #3, and they will compete with Skype. Some of the mail systems (Start/TLS ?) have also adopted it, and where they do, they do very well, allegedly.
(Nobody can compete with SSH, because we only need one open source product there - the task is so well defined there isn't any room for innovation. Well, that's not exactly true - there are at least two innovations coming down the pipeline that I know of but they both embrace and extend. But that's topic drift.)
Posted by iang at July 23, 2006 07:19 AM
Ian, you may want to check out Nelson Bolyard's comments in mozilla.dev.tech.crypto regarding the Thunderbird SSL/TLS-related options. Also, I think your point about "There is only one mode, and it is secure" is well-taken. This worked for Skype because Skype controlled both ends of the communication channel. It's possible in IM as well because typically the client and server are tied together (e.g., AIM client talks to AIM servers, MSN client talks to MSN server, etc.). Obviously this is not the case in legacy email (a partial exception being the Outlook/Exchange combination).
Ian, I have a lot of experience deploying and supporting Thunderbird in "secure mode" to a number of users. I must say that I did not encounter as many problems as you describe, while I was able to provide a TLS connection to POP3 and IMAP, using server authentication, and disallowing non-TLS, non-secure connections for the users. Moreover, I added OpenPGP support with the Enigmail plugin, to achieve encrypted and signed e-mail among this group of users. However I do agree that several things should be done differently in Thunderbird.
You claim that "There is only one mode, and it is secure" and it seems from your post that Thunderbird is completely at fault for not complying to this single mode (secure mode).
I think it is unfair to dump all responsability on Thunderbird, because the infrastructure (e-mail servers and CAs) take part in this process as well, and as you very well point out, e-mail has been insecure from its very beginning.
Lastly, I'd like to point out that if e-mail had been designed with stringent security features and requirements from the get-go, e-mail would probably have not flourished as the killer app that it is. We would have a secure e-mail system, without much use.
I would also like to point out that Skype offers confidential connections between two users, but there is no authentication of the remote user. I have no way to verify the identity of the other user before I establish the voip call with them. I may not want an attacker to have a recording of my voice, but an attacker can try to voip me using a made-up Skype ID that sounds familiar to me, and then try to impersonate the voice of someone I know, while recording my voice. Therefore, Skype may be very cool and all, but I would not call it "secure". In any communication, I regard authentication as much more important than confidentiality.
> There is no ability to say "Yes, use that cert for ever, I
> do know that the ISP is not the same name as my domain name,
See the Remember Mismatched Domains plugin:
Pedro: thanks for your comments. I am sure that an experienced systems guy can whizz through the Thunderbird install for users. That's not the point; can a user? No, I suggest, there are too many barriers.
The rant probably reads as quixotic. That's because I know more than a user, but when I use software, I have a habit of being a user, not knowing enough. That's partly because I don't have time to learn it all, partly to help me see the user's perspective, and partly to understand the long term value of the solution. I find that thinking like a techie helps me understand how the guy built it, and thinking like a dumb user helps me understand how the product will fail or succeed in the marketplace. In this particulate case I have little interest in how it was built, and a lot of interest in how we get crypto to the user.
> I think it is unfair to dump all responsability on Thunderbird,...
I agree Thunderbird has little of the responsibility.
They were handed a design from way back when, back in the days when email had no validated threats. The logic of this design is lost in time, and it is only over the last 3-6 years has there been a concerted attempt to rework designs for the new knowledge we have. We now know so much more, and only one instance of this knowledge is:
"There is only one mode, and it is secure."
The reasons for this are long and noisy ... which I do not go into in the post. I simply point out that practically all the woes listed disappear when we adopt that principle.
Frank underscores above how this won't work for email, and you may think it is unfair to use Thunderbird as the whipping boy for these ills. That's not my point although I accept it will appear unfair; my point is that the old designs are bad, and new designs should not copy them. We can only make that point by showing the old designs to be bad.
Pedro, on this specific point:
> I would also like to point out that Skype offers confidential connections between two users, but there is no authentication of the remote user. I have no way to verify the identity of the other user before I establish the voip call with them.
This is the PKI position, and it is wrong. There's no other way to call it.
What skype does is to authenticate that who you are talking to is the same login account as last time. It leaves to you to determine what that means. In contrast, what PKI does is to authenticate to you that the CA says the machine is a person calling themselves X. See Lynn's comment above.
Both of them have a flaw. In Skype you have to figure it out yourself (easy, listen to the voice). In PKI, you are vulnerable to the brittle architecture, which is far more loose than you can possibly imagine (click on the link for just how hard this is).
Both work technically for mild situations. Skype wins because it is free, which is why there are nearly 6 million people using skype right now, and maybe 200-400k websites using certificates. I have no stats on how many people use certs in email clients, but it is probably less than a million, more like 100k. That's after a decade of trying...
> Therefore, Skype may be very cool and all, but I would not call it "secure". In any communication, I regard authentication as much more important than confidentiality.
Right. This is correct: your definition of security is different to everyone elses. Skype is secure, according to their definition. PKI is secure by its definition. So the question is, what definition of security is best?
The market is deciding. Skype's may not be what you want, but it is what the users want. 6,047,744 users logged in right now - the most successful crypto tool ever, by the only metric that matters: usage. I think we've shown over a decade or so that PKI isn't what the market wants.
The thread Frank was referring to is here:
In brief, it seems like the mozo users & developers are also discussing this, for the laudable purposes of bettering Thunderbird. It starts:
=========== Deneb Meketa writes:
Looking at the "Server Settings" panel for an email account in [Thunderbird/Mozilla] 1.5, I see these options:
Use secure connection:
() TLS, if available
 Use secure authentication
I'm curious what "use secure authentication" actually does. I'd like to see security be really easy for users, and I think they will find it confusing (I certainly do) that "use secure authentication" is separate from "use secure connection". How do the two differ?
I have a few theories:
another kind of digital signature certificateless operation
where characteristics of each chip is recorded in the fab manufactoring standard manifest
http://www.garlic.com/~lynn/aadsm24.htm#49 Crypto to defend chip IP: snake oil or good idea?
http://www.garlic.com/~lynn/aadsm24.htm#51 Crypto to defend chip IP: snake oil or good idea?
http://www.garlic.com/~lynn/aadsm24.htm#52 Crypto to defend chip IP: snake oil or good idea?
basically extending chip manufactoring serial number with digital signatures and private key that is never divulged ... as countermeasure to things like "copy chips" (akin to copy/counterfeit watches, copy/counterfeit DVDs, copy/counterfeit jeans, etc).
so the chip claims to be an original, provides a digital signature and a public key as evidence supporting the assertion ... and then the serial number and public key can be used to lookup the chip in the fab's manifest and obtain the associated information (like integrity characteristics of the chip). Trivial information is binary condition whether the chip is original (or possible copy/counterfeit).
Standard serial number is static and vulnerable to skimming and replay attack. Public key and digital signature is dynamic and countermeasure to simple impersonation replay attack.
Another variation is public key for kerberos,
the original PK-init draft for kerberos just specified certificateless public key operation ... where a public key was registered for a userid in lieu of registering a password. under various pressures, the kerberos pk-init draft was extended to include PKI certificate-mode of operation.
now, if the certificate was sufficient, by itself ... then anybody with a valid certificate could connect to every system (that support kerberos authentication ... like all the windows systems).
however, instead ... a PKI kerberos infrastructures now will have redundent and duplicated administrative infrastructures ... one for the registration and issuing of a digital certificate and one of registration and specification of allowed userids .... along with matching a digital certificate to userids .... compared to the certificateless pk-init which simply added public key registration (in lieue of password) to the existing, single kerberos administration infrastructure.
so i typically want to register my list of friends (or other entities with specific characteristics meaningful to me) ... and I could do it by having a local repository (various kinds of address or phone book) where i register their public key (and other meaningful personal context information)
Any sort of generic digital certificate may aid in validating that whoever some entity claims to be, was able to provide some proof to a certification authority that appeared to substantiate a similar claim. However, that would fail to provide a local context ... i.e. just because somebody is authenticated within the context of a generic digital certificate would still fail to indicate whether they should be allowed to enter my house, drive my car, or use my computer.
previous post in this thread: