A few weeks ago, I met up with a friend I hadn’t seen in a year or so. We both knew cypherpunk (unlisted) co-founder Hugh Daniel who recently passed away, very well. She said that she now really wanted to introduce me to her little kids, because since Hugh passed away, I was now the most principled person she knew. That statement actually hit home pretty hard. If I’m the most principled person left, then we are all pretty much doomed.

Unlike me, Hugh was infuriatingly principled on all subject matters. I often told him (and John Gilmore) that fighting all fights at once, only ends up with you losing all fights. Pick one or two, and focus on those. Not Hugh (or John). Every single fucking bug he had to take the time to report upstream. Usually in email to software authors that was not in the least way filled with kindness about the author’s code quality. Everyone, everywhere were “Linux Children” (the reason why all my VM disk images live in a directory /vol/children). Kids these days did not understand the unix philosophy (or libertarian principles). Every single time I wanted to talk to Hugh, half the time would be lost in setting up, fixing, re-configuring IPsec between our networks, so we could talk IPsec encrypted SIP. But then we would have good conversations. I would poke fun of his absolute gun freedom lunacy, he would poke fun at my european communist subduing health care package.

And he was easily distracted by bugs. In my friends circle, when someone gets distracted from their time critical overdue work, we say such a person is “re-compiling KDE” because that’s what Hugh actually did – repeatedly! He would find some kind of bug in KDE, flame about and in fact recompile the entire KDE suite to see if it was fixed. He in fact did this for years, on laptops that were a couple of generations outdated. Breaking things is what Hugh did best. The problem was there were always bugs worth reporting, delaying the actual work we wanted him to do. Real crypto work! The important stuff!

Every single time Hugh sent me an email, I had to live through the pain of opensource crappy pgp software to read it. Every time I sent someone his way, Hugh would whine about needing to send an “e-postcard” because he did not have the crypto key of that new person. He would complain that finger did not work to obtain a public GPG key. Hugh’s death has single-handed reduced the amount of PGP encrypted email sent over the internet by at least 50%. We all should be pretty ashamed by that and we owe it to him to work on improving that percentage.

But I did end up getting him to compromise on rare occasions. As a KDE user and Gnome-hater, he did run pidgin because it was the only software at the time that could use Off-The-Record – although we both agreed pidgin is a terrible terrible piece of junk.

So getting back to the title of this post,

Hugh was a royal pain the ass to communicate with. Unlike Hugh, I do not believe that insisting on encrypting all communications should come at the expense of actually being able to communicate at all. So while I will continue to work on making OTR and GPG (and IPsec) easier to use, I won’t become another Hugh Daniel. However, I do believe that OTR has gotten to the point where it can be used by anyone without technical skills. Just install the right Linux, Windows or OSX client to use, and it just works. There are even Android and IPhone IM clients with OTR support now. If you are not using them, you are just plain lazy. It has nothing to do with your skill level.

So, in light of our lovely “Five Eyes Axis of Alliance” as well as in remembrance of Hugh Daniel (see below) I will change my IM client’s OTR setting to “require private messaging”. The only exceptions I will make to temporarily disable that encryption in the future, is to teach the other end on how to install and use OTR. If you cannot be bothered to invest 5 minutes of your time to increase our mutual privacy in light of the exposure of the collective world’s governments information tapping hunger, perhaps we should no longer be talking.

So there you go Hugh Daniel, I’ll pick up one of your fights. As of June 23rd, 2013, 4pm PDT (the start of Hugh’s memorial service on the beach at Pacifica), I will no longer accept unencrypted instant message communication.

And our next goal can be to do the same with SMS within the year, and email in two years from now.

Today, I got this email in my inbox. I had already hit delete skimming it, but it caught my attention at the last moment:

Paul,

Do not be surprised, You haven’t interacted with me directly recently but I’d like to thank you for your contributions and hard work for all these years to openswan. Was just browsing through old mailing lists so here this is.

Thanks,
Elison

And it made me smile. I know my efforts are appreciated, but I don’t get much feedback about it. it is far more common for someone to ask repeated questions (and not googling first), and then vanish without telling me whether or not they got it working.Though from experiences in the past, I’ve found they usually did get it working, but I only find out the next time they have a question.

It reminds me of Ben Laurie’s .sig,

“There is no limit to what one can achieve if one doesn’t mind who gets the credit.”.

(Ironically, I don’t know if Ben is the author or just the distributor of that quote, which somehow makes the quote even better)

So I had done some tests with “real” certificates, so I used the Comodo free SSL certificate for 90 days offer. I put some TLSA records in the dns for nohats.ca, and this allowed me to test the firefox plugin I was testing that deals with CA backed and DNSSEC backed certificates.

So of course, the SSL certificate expired, and I did not want to pay $99 to renew it. So I replaced it with a self-signed certificate and updated the TLSA record.

Then neither firefox or chrome would connect to my website. They both threw an error about the certification being invalid. And they both refused to give me the override option. They knew better then me. This is exactly what you get when the publisher of the certificate is not in control of telling you if the new certificate is valid. If these browsers had confirmed via DNS and DNSSEC that this is in fact the new real certificate, they wouldn’t have had to block my access (or witheld the override option from me)

The way to fix this, is to delete all the browser history. Then it will have forgotten the pinned certificate and it will re-ask you with the familiar “untrusted, do you want to continue anyway” dialog. I had to spend about 10 minutes to figure out how to do this. There go your website visitors. Both Chrome and Firefox acted in this way.

Expect many such false positives when you are dealing with certificate pinning, such as TACK

Ironically, many of you will have to do exactly this, before you can read this blog entry. How long did it take you?

In the last few years, I’ve clearly seen a rise in the offering of commercial VPN services. I would find out about these VPN hosting networks in the past by a new yahoo, gmail or hotmail account on the openswan-users mailing list, repeatedly asking the same questions. They would tend to not like the answers we gave them but develop and deploy their systems anyway.In the last few years, more and more keep popping up and vanishing really fast, making me wonder if these are run by the same group of people constantly rebranding themselves, or whether new people keep inventing the same brain-dead idea. Yes, offering a commercial VPN service to “help” people is a very brain dead idea.

Legal issues

The first and foremost reason all these commercial VPN providers are nothing more then snake oil is because it quickly runs afoul with the law. Most, if not all, OECD countries have computer crime laws in place that mandates every ISP service that adds a cryptographic layer for their customer must be able to remove that cryptographic protection lawyer and hand over decrypted traffic to any law enforcement agency (LEA). And that is the best case scenario. I would not recommend the casual reader to attempt to work around encryption laws in non-OECD countries – whatever you’re trying to do, it’s likely not worth the jail time usually associated in such countries for using “illegal encryption”.

These laws mean you can never outsource your crypto to someone else. You must do it yourself. At most, you are putting a few legally separated jurisdictions between yourself and your government. If you’re just one of the four million people downloading Game of Thrones you’re more protected by the sheer numbers of violators, then by adding any commercial VPN service between you and The Pirate Bay. If you gave that VPN provider your name and credit card details when you signed up you might actually end up being in a worse position. Courts often will not take an IP address as proof that the person paying for the internet service (you) did something illegal. However, a credit card transaction in combination with traffic statistics showing you are using the service will be an excellent argument in court against you. And the VPN provider will have to hand those over as soon as a LEA knocks on their door. It might be using a non-US based credit card or paypal processor, but in the end, all roads lead to a few major US based financial institutions with enough US economic ties to turn your VPN provider over to the FBI at the first sign of trouble.

Technical dependencies

And on top of that, most VPN providers have technical dependencies in the US, for example by using a com/net/org domain name for their service, running DNS servers within the US, or even having their website or VPN servers located inside the US.

But measures like in The Netherlands where people need to subvert the Pirate Bay censorship at the ISP level to be able to watch Game of Thrones (not broadcast by any commercial TV service in the country) seems to attract a lot of new customers for these types of services. Other frequent annoyances that people want to circumvent are geo-restrictions based on IP address. I cannot watch The Daily Show or South Park using their own video streams, because I live in Canada, and they have commercial reasons why they cannot serve non-US customers. The same applies (or applied) to other services like Hulu, Netflex, etc.

VPN’s are not just a button that protect you. Realise that all your traffic is being intercepted and sent through this VPN tunnel. The people you’re paying about $10/month get to have a copy of all your traffic! How much dedicated security do you think they can offer their customer? How many lawyers do you think they have on staff to verify all warrants and tapping orders coming in?

Using VPNS for a few bucks a month to “steal” these services won’t get you in too much trouble, it’s just petty crime. The real trouble with these VPN services happen for people who’s lives depend on their anonymity.

Marketing and other lies

The real danger with these VPN services are the blatant lies about what services are provided. Take for example the latest one that came to my notice, SuperVPN.net. It’s a very typical offering. They promise “complete anonymity“, “absolute anonymity” and “your real IP address will never be stored“. It offers “128 bit encryption” without specifying anything about the encryption algorithm. It’s all marketing to the ignorant. Your IP address likely leaks immediately to any malicious website that wants it. You probably already sent some HTTP cookies when those browser tabs reconnected to facebook, gmail and twitter.

You can have the strongest encryption on every packet you send out on the internet, but that says absolutely nothing about anonymity. Your browser is full of cookies, history and the ability to run code like javascript or flash or html5 that could reveal your identity. People could play DNS tricks on your and leak your location. Any true anonymity solution will try to handle both the operating system and application level, as well as the network encryption. If you need anonymity, please use something like tor. Do not depend on any of these services!

Technical issues

Again looking at SuperVPN as example, they offer PPTP, SSL, OpenVPN and L2TP services. Some of these require certificates that will reveal who you are while you authenticate with your VPN provider. Or they use prehared keys meaning you can easily be fooled by another customer pretending to be your VPN provider. And most importantly, all of these protocols are not hiding the fact that they are VPNs. If the country you are in out-laws cryptography, you just pointed a targeting laser at yourself.

If you ever see anyone promising security using PPTP, you know you arrived at snake oil heaven. PPTP was broken about 10 years ago, and its successor L2TP had its native encryption layer mostly replaced by IPsec. L2TP itself is now on its way out to be replaced by a pure (IKEv2) IPsec solution. VPN services that offer these obsoleted VPN protocols value your money more then your privacy or security.

And even with strong L2TP/IPsec VPNs, your anonymity can easily leak, especially when used on mobile devices that hop from network to network, guaranteeing your VPN will go up and down repeatedly, inevitably leaking some unencrypted data to reveal your identity. More on that soon by some of my fellow cypherpunks….

If you’re just using these vpn services to bypass GEO IP locations and the traffic you send over this VPN is just a video stream, then it might be worth your $10/month (though it might be illegal for you to do this). If you need real VPN security, use a trusted party to provide you with a VPN connection, or run your own virtual or real server in your favourite jurisdiction.  If you need privacy, use TOR.