When I first heard about Marco Barulli’s idea for a “Zero-Knowledge Web Application” I was happy. I felt I had found someone who thought the same way I do, with whom I could collaborate, and I told him so. But when I read the first definition, I was less impressed. I tried to open a discussion with Marco about it, but to no avail.
Since then, he has continued on his way, and I have continued on my own. Recently, thanks to the big name of Richard Stallman, there has been much buzz about Freedom in the cloud and Zero-Knowledge Web Applications.
So it’s time for me to attempt to open a discussion again. Last time I did it privately and got no response. This time, I’ll talk here on the Passpack blog (for the first time ever – Tara is helping me with my English).
Host-Proof Hosting and Data Privacy
From Ajax Patterns:
- Problem: How can you mitigate the effects of unauthorized access to your Application data?
- Solution: Host sensitive data in encrypted form, so that clients can only access and manipulate it by providing a pass-phrase which is never transmitted to the server.
This is the core of a Host-Proof Hosting approach to secure data management.
Zero Knowledge Web Application
A Zero-Knowledge Web Application is a Host-Proof Hosting application which adds additional restrictions:
“The basic idea was to deliver a no trust needed service, where users had the ability to inspect and verify anything running in their browser. We had to drift the attention away from trusting us and let users focus on trusting the application.”
Here is the definition of how this is intended to work.
It is my belief that the definition adds unneeded elements which do not stand the test of an in-depth analysis.
The Trust Fallacy
The concept that an application can be trusted without having to trust the application provider is pure Utopia. The Zero-Knowledge Web Application is a risky type of idealism which attempts to convince people that they need not trust an application provider, because the technology is inherently trustworthy.
It is no secret that anyone who provides you with a web service has the ability to change the source code behind that service, perhaps even to insert a back-door if and when they want to. But why would they want to? Luckily, few people would risk completely ruining their good name after years of building a reputation for themselves.
You must first decide what sort of reputation they have built for themselves. You cannot trust what you do not know. And if you know it, and you don’t like it, you should not use the service.
Your freedom is at risk if you do not “think before doing” on the Internet.
The Zero-Knowledge Web Application, as-is, is a theory. This is not to say that there couldn’t be a future where it might become a credible solution for privacy, but until that happens, it is inappropriate to ask people to trust a theory with just too many inconsistencies.
Analysis of the Zero Knowledge Web Application
I am sorry for the long post, but I’d like to explain point by point what I mean by “inconsistencies”. The heading numbers refer to the headings in this post.
1. Host-Proof Hosting — Obviously, I agree.
2. Hide Nothing — I disagree
2.2. Code Integrity
To date, the only application which defines itself as a “Zero-Knowledge Web Application” is Clipperz, so I apologize in advance if I seem to be singling them out in my critique of the Zero-Knowledge Web Application, but it is impossible to avoid.
Clipperz themselves recognize the “less than ideal solution” of declaring its own checksum. A user downloads all the code, runs an MD5 checker and verifies that the checksum is (obviously) correct. But who’s to say my IP hasn’t been read, the code changed on-the-fly for my benefit, a different checksum given to me, etc.?
Would we not (and do we not) trust it, if a reputable site could check the web application and host the checksum? Would a third party not guarantee its validity?
Let’s put it this way – suppose that you ask me for a valid ID, and I provide you with a passport that I printed myself. Would you accept it? Is the US government stamp/seal really that important as a third-party verification?
I know Marco and Giulio Cesare personally and I can vouch for their absolute transparency, as I hope they would mine, but that does not mean that people do not need to arrive at such a conclusion on their own. People have to understand that it is their right to make an informed decision and decide to trust. And what to trust. Whether you trust a provider or an application itself, you must always be aware that the two are connected.
3. Prevent code changes — I can’t see why.
As a possible solution to the code integrity issue, Clipperz wrote:
“Ideally we envision a solution that is completely browser based and relies on a redundant and distributed network of servers not associated with the application provider. Each third party server hosts the fingerprint of the Zero-Knowledge Web Application, i.e. the checksum of its source code.”
I will indeed be very happy when this happens. Let us suppose that such a network exists. Surely, if my browser can check the code at the first loading, it can check every subsequent loading as well. If any of the libraries’ checksums are incorrect, the browser can stop loading.
4. Learn Nothing — I have some doubts.
Passpack knows a little bit about its users. Specifically, Passpack knows the User ID, necessary to authenticate the user, the IP of the user when he connects to Passpack.com and, optionally, if the user wants to receive emergency support, a working email. This can be (and in a large percentage of cases is) an anonymous email service. Passpack doesn’t care who you are in the real world, but if someone requests an emergency account suspension, we need to make sure the request is coming from the rightful owner of the account. Users who choose not to provide an email can remain completely anonymous, knowing that we cannot give them the same level of support. They are free to choose.
Clipperz is a self-defined Zero-Knowledge Web Application, so I must suppose that they know nothing about me. But… I connect to Clipperz and am greeted with a box that tells me I am connected from Rome, and a week ago I connected from Milan, etc. This is a nice security feature… but it is in direct contrast with the Zero-Knowledge Web Application definition. Can even the Clipperz application itself not fully adhere to its own definition?
Personally, I am convinced that my privacy (as that of everyone) is sacred and I go to great lengths to protect it. But (on a more practical level) I want a certain amount of support if ever I do encounter an emergency situation. I want to be free to choose.
For example, suppose I remember my Packing Key but I have forgotten my Pass (users do this frequently). If I chose to provide an email for emergency support, Passpack can verify that I am the rightful account owner and reset the Pass for me, and my data is still confidential thanks to the Packing Key. With a simple email, I have avoided a situation which, with Zero-Knowledge, would have led to the permanent loss of availability of all my data.
The three pillars of information security are confidentiality, integrity, and availability.
Standards are born in two ways: 1) because a plethora of people using the same technique make it a de-facto standard; or 2) because it goes through a proposal process, is analyzed by the international community, becomes a release candidate, and when everyone is convinced of the validity, it is finally granted the status of standard.
The definition of the “Zero-Knowledge Web Application” has done neither. It’s being helped along by the enthusiasm of people who, in good faith, applaud the intentions without digging into how to make it work properly. I hope my observations can spark a discussion to put things back on the right path.