Shostack + Friends Blog Archive

 

Usability as a Security Concern

Building new technologies involves making tradeoffs. A programmer can only develop so many features in a day. These tradeoffs are particularly hard in building privacy enhancing technologies. As we work to make them more secure, we often want to show the user more information to help them make better decisions. This impacts usability. The security of network anonymity systems like the Freedom Network or TOR depends on routing traffic through several nodes. Even if processing on the node is close to instantaneous, the transit between them is not. Security of these networks gets better the more latency[1] you’re willing to tolerate. That latency makes it harder to be sure your message is getting through, and it can make it impossible to do things like browse the web.

These usability concerns can keep users away from the system. When the system doesn’t have lots of users, it is less secure. In “Anonymous blogging made simple,” Justin Mason writes:

Now, quinn at ambiguous.org quotes a review of EFF’s recent ‘anonymous blogging’ guidelines, which largely comes up with one conclusion: it’s a usability nightmare. The problem is, the EFF report recommends using invisiblog.com, which in turn uses the Mixmaster remailers. Those things are awful, and I doubt anyone but their authors could possibly know how to use them 😉

I am quite sympathetic to these concerns. But I’m forced to question Justin’s claims that Tor is substantially more understandable. Understanding Tor, and why it helps protect you, is hard enough. (Actually, Ethan Zuckerman agrees on usability, but disagrees on Tor, but Ethan is a smart, technically savvy guy who uses PGP, not a dissident.) My experience trying to explain the difference between no hop, one hop, and three hop systems while at Zero-Knowledge Systems taught me that it’s really, really challenging to bring people up to speed on how networks work well enough that they can understand monitoring. It’s then again challenging to bring them up to speed on Mixes enough that they understand how to distinguish the different systems. Maybe there’s a different route to take, but understanding the problem, and how to address it, seems like the right approach.

[1] Technically, pooling and mixing give you that security, and latency is irrelevant. Because that latency is the price you pay for security, and it is user-visible, I pretend it’s what counts.

2 comments on "Usability as a Security Concern"

  • Cypherpunk says:

    Having used both, TOR is much easier to use than Mix+Invisiblog. The hardest part is setting your browser to use a proxy. BTW I recommend using a different browser for anonymous vs non-anonymous browsing; like using Firefox for one and IE for the other. This keeps cookies from leaking between them.
    However, Invisiblog gives far greater security. The remailer network has enormous traffic going through it which provides plenty of cover for an occasional blog posting. With TOR, I was never too sure of how many people are using it, plus the real-time nature of the connections makes tracing inherently much easier.
    The problem with Invisiblog is not only setting up the mixmaster client, you have to create a special GPG key for blogging, register it a certain way, sign your blog entries with that key and email them via mixmaster to a certain address. It’s a complicated procedure that not many people will be willing to go through. But the resulting security is second to none.

  • To live in interesting times – open Identity systems

    As the technical community is starting to realise the dangers of the political move to strong but unprotected ID schemes, there is renewed interest in open Internet-friendly designs to fill the real needs that people have. I’ve written elsewhere about…
