Notably still no web standards for end to end encryption. We can crytopgraphically authenticate our identity with cloudservers, but the web has no way to cryptographically secure our data.
Nitrokey at least understood how biased & half assed this lopsided half-assed standardizing is. Made a first ignored apaa at doing better. Yubico doesnt seem to notice or care, they're happy pushing better ways to uniquely identify ourselves.
The way you're using "end to end encryption" is confusing: many applications of TLS are end-to-end, since they involve a user communicating with a server (rather than a server brokering communications between multiple users).
It doesn't make a lot of sense to standardize E2EE outside of a specific use case, since the "end" is subject to semantic squabbling. That being said, there's an IETF working group (do they count as a web standards group?) actively developing a standard E2EE messaging protocol[1].
A thing running on my computer should be able to communicate on a way no intermediary can decrypt with your computer.
This is not nearly so fuzzy as you imply. Signal gets it. Plenty of online systems can advertise & do end to end encryption. Your softened down incorrect definition is a mis-example: end to server to end is not e2e encryption.
Security keys should be useful on the web for end encryption. They are not. There is nothing to debate about this situation, itcs well defined & clear. The web is missing a huge gap.
Signal is a chat app (a very good one!), not a generic application layer like HTTP. When we're talking about the breadth of the services available on the web, there are plenty of contexts in which TLS is an E2E scheme. Not every use of TLS is E2E, but I didn't claim that.
I dont know what case you are trying to make? Should we not create cryptographic storage on the web? Is that not ok? Do you think there's anything that would keep us from using secure keys for encrypting storage? Is there some barrier you perceieve to why the web couldnt make use of such a capability?
I have no clue why you are building a case out for the web being something special & different & weird & hard to expect basic common sense secure cryptography from. Nitrokey had a pretty basic simple sensible early draft spec. Having some storage & a key that alone cam decrypt it seems trivially obvious. Not sure what kind of smoke you are attempting to blow on this idea.
TLS has absolutely nothing to do with this. The idea of e2e messaging usually is that you could send the message over untrusted links just fine. The other party could validate & decrypt it. Discussion on TLS seems wildly off topic/tangenti to the kind of e2e storage that messaging apps do, and that secure end to end storage entails.
Edit: to your credit, the MLS link you have above is indeed relevant.
A lot of very wrong immoral & silent downvoters: you are degrading the web & attacking society. Explain your downvotes & leave somrthing contestable & arguable. Why all the cheapass anti-security dowvotes? Why sign up to degrade security like this? What the frag?
I downvoted because your posts are vague complaints containing little details, and when people engage in good faith you respond with scorn because those poor idiots haven't understood you properly. I'd argue this is because you haven't explained your point very well. And this kind of attitude is specifically the type of thing that's not appreciated on HN.
I suspect many people are down voting your tone. Regardless of the merit of your arguments, and I make no claim about them, incivility and petulance will always undermine them.
> Notably still no web standards for end to end encryption
TLS is end to end encryption.
Maybe you are wanting something like Noise[0]? It's already a standard in many respects and nacl's crypto_box[1] stuff also exists.
Why should it be a "web standard"? Browsers are already stupidly complicated(arguably as complicated as operating systems). I'd argue they don't need more complexity.
> Nitrokey at least understood how biased & half assed this lopsided half-assed standardizing is
Well webauthn is specific to one thing only. It doesn't want to get into all the other things, there are good solutions for almost all of that stuff already.
> Yubico doesnt seem to notice or care, they're happy pushing better ways to uniquely identify ourselves.
For E2E encryption, you have to uniquely prove your identity or it's pointless. Thankfully webauthn just specifies the crypto part and doesn't mandate personal identification.
this feels like yet more inordinately & vastly incorrect obvious hogwash. how is tls end to end? it's literally you to your immediate service: it will never ever be end to end by definition. could it be any more obvious? why does such an obviously irrelevamt non-sequitor keep showing up? if the server you are talking with can decrypt it, it means it's not a secure channel. definitional, inarguable, basic.
how can are all the replies so wrong? what is this conspiracy against reason? what definition of e2e encryption are you using, when i communicate with my friend, and how does it accomodate this twisted ass warped "google can so read my messages" flagrantly incorrect viciously wrong misinformation view that merely having singleink tls security that you & other dude argue for? why is everyone so up on being immoral & misleading & wrong here about end-to-end encryptiom?
it secures a connection. but data going from party to party traverses multiple parties. end to end encryption, by definition, is not encryption between you & the service: it's between you & the other party.
intensely fantastically stupidly wrong & insistent argumentation keeps happening. i keep getting downvoted, ya'll keep making wrong posts with way off base claims. so sad. hopeless universe. again, folks lole nitrokey saw exactly this weakness, this inability for current web crypto standards tk ever help secure user data from the services they connected to, something tls cannot ever help with. but ya'll keep focusing.on the tiniestost irrelevant hop of data, keep insisting one leg of encrytion is equal to end to end. no.
Sorry, it's you misunderstanding. TLS doesn't require that it's a client to a server, TLS doesn't care, TLS says this connection from A <-> B is secure, that's it. 99% of deployed TLS is client to server, but it doesn't have to be. TLS IS however limited to 1 connection A <-> B.
I think what you are trying to talk about is: You want A to talk THROUGH B to get to C and have the connection secure between A and C. This is generally a terrible idea, if you can at all avoid it, but sadly for many reasons, we can't. And you are right TLS can't do this. Noise totally does this, which I linked to in my first comment.
So We are just talking about different meanings behind E2E. E2E == End To End, i.e. both ends are secure from eavesdroppers, TLS 100% fits this bill, as each end of the connection is secure. You seem to imply E2E is ONLY defined as encryption through some other connection, i.e. A <-> B <-> C, where B can't inspect/understand the contents.
It's important to know that, even with E2E as you seem to be defining it, there is still a LOT of data leakage, B knows that A is talking to C, they maybe can't uniquely identify who A and C are directly, but they probably can indirectly. There is 100% a reason that NSA and friends care a lot about metadata and learn a ton from it. Hence why P2P (i.e. talk directly to the person you want to talk to, nothing in the middle) is way better from a security perspective, less metadata to exploit.
If the Internet was better, Signal wouldn't have to use Noise and shunt traffic through their servers, and we could just use TLS directly between you and I for instance.
Anyways, I hope this helps further your education and you learned something.
It still is wildly off target from what I see as a core weakness with the web, which is that security keys cant be used to help a client create secure data. We can only authenticate ourselves with keys, not protect ourselves. The server we are talking to has more favor than us.
Introducing the term e2e was a mistake, & mislead everything. TLS isnt really a factor. It was frustrating being so very very far off course from the relevant problem. But I certainly didnt handle this drift well at all & was frustrated at being so off topic from such a vital & core web weakness.
WebAuthn is about presenting credentials to the server from the security key. The server gets to check our private keys, but the end client (the page) doesn't have any validation or tools at it's own disposal.
NitroKey & myself want the web to have a standard way to encrypt & secure data, ideally that allows for security keys to help do (sign) the encryption. https://github.com/Nitrokey/nitrokey-webcrypt
> WebAuthn is about presenting credentials to the server from the security key. The server gets to check our private keys, but the end client (the page) doesn't have any validation or tools at it's own disposal.
Clients get to check the servers TLS certs & DNS entries for proof that they are who they say they are.
> NitroKey & myself want the web to have a standard way to encrypt & secure data, ideally that allows for security keys to help do (sign) the encryption. https://github.com/Nitrokey/nitrokey-webcrypt
OH, so you want a way for the server to encrypt data just for a given client, that they can't read. This doesn't really make a ton of sense. The server has to have the plaintext version to encrypt, which means they have the data un-encrypted before they encrypt it for you. Hence you MUST trust the server with your plaintext data. Since you have to trust them anyway, this doesn't really buy you much. But sure, fine whatever. If people want to play with that, it's fine. Not hugely practical though.
> OH, so you want a way for the server to encrypt data just for a given client, that they can't read.
No, we want a way for the client to encrypt data in such a way that the server can't read. Ideally also with MLS capabilities, so we can encrypt data in a way that other people can read, but not any intermediaries. But let's just ignore that for now, because it threatens to inject only more insane chaotic out of control mayhem.
Please, make this pain stop. Why does this thread never go anywhere clear & always goes to misinformation?
I really don't think Nitrokey made everything crystal clear, but it's far far less confusing than where we are right now after this brand new vast massive tragic & sorrowful retrogression in the discussion, so,
> While FIDO is supported by web browsers, using Nitrokey as a secure key store for email and (arbitrary) data encryption requires native software. Therefore email encryption in webmail has not been possible with the Nitrokey until now. At the same time strong end-to-end encryption in web applications all share the same challenge: To store users' private keys securely and conveniently. Therefore secure end-to-end encryption usually requires native software as well (e.g. instant messenger app) or – less secure – store the user keys password-encrypted on servers. Nitrokey aims to solve these issues by developing a way to use Nitrokey with web applications.
100% of my premise is that we should not need to always trust the server we connect to. We should be able to secure data on the client, in a way the server cannot access. Because we should not have to trust all data we access to the servers we connect to. It cannot be more basic & simple than that. But this voice & this perspective has been run off the site by confusion & bedlam that obfuscates & distracts from this simple point. I am so sorry.
> No, we want a way for the client to encrypt data in such a way that the server can't read. Ideally also with MLS capabilities, so we can encrypt data in a way that other people can read, but not any intermediaries. But let's just ignore that for now, because it threatens to inject only more insane chaotic out of control mayhem.
This is 100% a solved problem already, I have no idea why you are having such a hard time with this.
See PGP/GPG and friends, age[1], magic wormhole[2], etc. Not to mention Noise[0], which I've already mentioned many times, as a protocol that does this. Even MS Exchange supports this for email(S/MIME, OME, etc). Webmail could implement PGP or S/MIME or something similar(and some do last I checked).
> MLS capabilities
Look up Macaroons(for the web) and capability based security. This is also a solved problem.
> 100% of my premise is that we should not need to always trust the server we connect to.
Essentially you are trying to achieve the un-achievable, for various definitions of security and trust, it's just not possible. In the modern web, servers can run arbitrary code on your device AND run arbitrary 3rd party programs on your device, with you having little to no say about it. This isn't limited to the Web, it just makes it ridiculously over the top. Web security is mostly an illusion, it's not going to change anytime soon(arguably never).
Anyways, there is basically zero demand for any of this stuff, and no incentive for companies or organizations to care. We know how to make secure operating systems and software, but nobody bothers.
Nitrokey at least understood how biased & half assed this lopsided half-assed standardizing is. Made a first ignored apaa at doing better. Yubico doesnt seem to notice or care, they're happy pushing better ways to uniquely identify ourselves.