If they do this for many users, then those who don't have a secure environment (including the browser extension) are vulnerable, but it would be easy to detect that this is happening on a large scale -- those running the extension would be notified. If they don't do this for every user, then it wouldn't be effective dragnet surveillance, and Scramble would have made a dent in dragnet ability.
Let's stipulate that your detection system, which does not currently exist even as a design document, actually works. By your own admission, only a small minority of users will actually install it. Now: a whistleblower in the USG, who is much more likely not to be a "power user" (if they were clueful they wouldn't be using this system to begin with) leaks a document from your service to a journalist and begins a conversation.
The FBI decides they'd like to read that conversation. They issue a court order requiring you to hand over your TLS private key, and use it to MITM your users to feed them corrupted JS code that discloses PGP private keys.
The small minority of users "detect" this change. But not quickly enough: the whistleblower has already logged in to check their mail, and has now disclosed their private key to the FBI.
What now? What's the feature you're going to build to keep that from happening?
Not only are you using JavaScript crypto to provide this "service" to users, but you're not even forward secure.
Tptacek, whistleblower-level security should not be a use case for this extension, and that should be advertised as part of it.
But decreasing the amount of dragnet surveillance by some extent sounds like a good thing to me. For example, many people wouldn't like the government to know mundane stuff about them, like having an abortion. This could help.
* BTW, hasn't moxie written about an asynchronous Diffie-Hellman key exchange? It could at least give PFS to this, so the private key would be much less useful?
I think the disconnect here is, many of us can't imagine offering something with known technical security issues such as browser-side JS encryption, and branding that "secure". Much less with all the unknown legal, operational, and technical security issues that may arise later in a project like this. As well, from what I read this project transfers your (encrypted with only a passphrase) private key over the internet, where it will be caught in the dragnet for decryption later.
I find it far more dangerous for someone to think they're secure against government level threats, than to know they're not. And if you're not worried about government level threats, gmail with MFA and pinned chrome certs is likely safer than this project. Of course, this is all just my humble opinion...
It's not a personal insult. This system just doesn't provide serious protection from "dragnet surveillance". Distributing keys and allowing the client to encrypt a message to another user a la GPG is a great idea...you just can't use server-delivered code to do it in the traditional web server/browser way. The JavaScript is modifiable in transit.
Could you be more specific? I don't know who "everyone" is, or what a large scale is, or who is detecting what by whom. In any case, I don't see how anyone could detect real HTTPS MITM.
If the Scramble.io people ship ALL OF THE PROGRAM LOGIC IN THE EXTENSION, it could be secure. But if any program logic (javascript) they interpret is delivered to the user via HTTPS, it will not be secure.
In general, dragnet security will always be possible as long as you can do statistical analysis over both targets in the network (or the whole network), which the NSA has proven it can do.
We assume that the server is compromised, so the extension wouldn't interpret just any JS from the server, whether or not it was delivered by HTTPS. Our idea is to require a committee to review and sign the code, and the extension would only execute code signed by the committee in consensus. This is just as secure as shipping all of the program logic in the extension, except in the case where all the signing committee member keys get compromised, which is unlikely.
My point in the previous comment was that dragnet surveillance wouldn't work at all unless the client's code was compromised, but there isn't a good way for the NSA to compromise ALL OR MOST of the clients' code without it being detected by those users who use the extension. Remember the TorMail episode where malicious javascript was injected in the response? If some users had a Firefox extension that checked to make sure that all the JS code was signed by a committee, then they would have raised the flag and alerted everyone not to use TorMail.
So far, I've failed to see a reliable committee-signing trust system. Moxie's Convergence blows chunks all over my network connections in practice.
Committee depends on things like number of nodes in the network and integrity of the nodes, not to mention you can still do analysis on who was sending or receiving something at a particular time (which may not be enough to stand up in court, but it's enough for the NSA to know that Mike is talking to Jeff, or whomever).
At the end of the day, the best method currently available for clandestine activity on the internet is one-time anonymous drop boxes, and luck.