Hello everybody! We have some news about Snake!
Last weekend we were at Hackmeeting in Bologna, the yearly meeting of the "Italian digital countercultures". It was our first time in such a place, and it was exciting: a lot of fun and a couple of interesting talks. We also got the chance to talk about Snake a bit; there was quite a lot of interest and some food for thought. We also made the local news.
Towards the end of August we'll be discussing Snake again in Paris, at the 6th International Symposium on Cyberspace Safety and Security (CSS 2014), where our paper has been accepted. Our submission covers a good part of the Snake design, except for group handling and the Web of Trust, which we plan to detail in another paper. We'll publish the paper here right after the conference. Let us know if you're in Paris around August the 20th!
We also want to assure you that Snake's development is advancing; we're currently focused on bringing our prototype implementation up to date with the latest changes in the design.
If you are interested in contributing, there are a couple of things you can do:
If you want to get involved in the core development, there's still a lot to do. Probably the best starting point is the design document.
We'd be very happy to have a native implementation, in particular in Chromium. Some steps have been taken, but they're mostly led by Netflix, which uses different primitives compared to Snake. Therefore, what we need is someone willing to implement ECDSA, PBKDF2 and ECDH in Chromium. It's less work than you might expect: in fact it's just some sugar between the WebCrypto API and the underlying cryptographic library (NSS or OpenSSL). If you want to get an idea of the amount of work, take a look at the code review page for the implementation of the sign and verify methods for RSASSA-PKCS1-v1_5.
We need to improve our testing framework and automate it to detect regressions while developing. There's also a bit of decoupling to do between the model and the view, but it's something definitely manageable.
While we carefully designed how the Web of Trust in Snake should work, we still have to implement it. The task basically consists of checking friends of friends' lists, looking for confirmation of the public key of the user we're authenticating.
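To make the Web of Trust task concrete, here is an added example (not Snake's own code, and not from its design document) of the lookup described above. It assumes a simplified data layout: each friend whose key we have already verified publishes a contact list mapping usernames to public-key fingerprints, and we look in those lists for the user we are authenticating. If enough verified friends list the same fingerprint and none of them disagrees, the key is treated as confirmed; a disagreement is reported as a conflict rather than silently ignored. All names, fingerprints, the `DIRECTORY` structure and the `threshold` parameter are constructed for this example.

```javascript
// Added example: Web-of-Trust confirmation of a contact's public key.
// Assumed layout (constructed for this example): DIRECTORY[friend] is the
// contact list a friend publishes, mapping username -> key fingerprint.

// Check whether `candidateKey` for `targetUser` is attested by the contact
// lists of friends we have already verified. Returns a status plus the
// friends that agree and those that disagree, so the UI can explain itself.
function confirmKeyViaFriends(verifiedFriends, directory, targetUser, candidateKey, threshold = 2) {
  const attestations = [];
  for (const friend of verifiedFriends) {
    const list = directory[friend];
    if (!list) continue;                    // friend has published no contact list
    const fingerprint = list[targetUser];
    if (fingerprint === undefined) continue; // friend does not know the target
    attestations.push({ friend, fingerprint });
  }

  const agree = attestations.filter(a => a.fingerprint === candidateKey).map(a => a.friend);
  const disagree = attestations.filter(a => a.fingerprint !== candidateKey).map(a => a.friend);

  // Any verified friend vouching for a *different* key is a red flag:
  // a conflict must be resolved out of band, never auto-accepted.
  let status;
  if (disagree.length > 0) status = 'conflict';
  else if (agree.length >= threshold) status = 'confirmed';
  else status = 'unconfirmed';              // too few attestations: verify another way

  return { status, agree, disagree };
}

// Constructed sample data: contact lists published by four users.
const DIRECTORY = {
  alice:   { dave: 'fp-dave-1', carol: 'fp-carol-1' },
  bob:     { dave: 'fp-dave-1' },
  carol:   { dave: 'fp-dave-1', erin: 'fp-erin-1' },
  mallory: { dave: 'fp-dave-X' },           // vouches for a different key for dave
};

// Friends whose keys we assume to have verified already.
const MY_VERIFIED_FRIENDS = ['alice', 'bob', 'carol'];

// Stand-alone demonstration of the three outcomes.
console.log(confirmKeyViaFriends(MY_VERIFIED_FRIENDS, DIRECTORY, 'dave', 'fp-dave-1'));
// three friends agree on fp-dave-1 -> confirmed
console.log(confirmKeyViaFriends(MY_VERIFIED_FRIENDS, DIRECTORY, 'erin', 'fp-erin-1'));
// only carol knows erin -> unconfirmed (below threshold)
console.log(confirmKeyViaFriends(['alice', 'mallory'], DIRECTORY, 'dave', 'fp-dave-1'));
// mallory lists a different key -> conflict

module.exports = { confirmKeyViaFriends, DIRECTORY, MY_VERIFIED_FRIENDS };
```

The threshold and the conflict rule are the two knobs that matter: raising the threshold makes confirmation harder to obtain but harder to fake through a single compromised friend, and treating any disagreement as a conflict ensures that one honest friend is enough to stop a substituted key from being accepted automatically.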
Don't forget to contact us with any further questions!
Final note: all the perks have been delivered, let us know if you didn't receive yours!
The Indiegogo campaign ended a couple of days ago and, unfortunately, we have not raised enough money to keep working full time on Snake.
Right now we have a couple of opportunities that would enable us to further develop the project, so keep following us.
Thanks to those who have contributed!
Whoa! Just got back from the 30c3, the biggest hacker conference in Europe. A lot of interesting talks, people and that great feeling that we're all fighting the same battle. It has been really exciting, but also overwhelming, so, now that everything is quiet, I wanted to try to take a message out of the whole conference.
I've seen the amazing talk by Daniel J. Bernstein, The year in crypto, which gave an interesting overview of what has been going on in the crypto world lately, what has been broken, what is doable and what is not. I've been shocked by Jacob Appelbaum's talk, To protect and infect (Part Two), about specific and scary details of how the NSA surveillance works. I also liked the keynote by Glenn Greenwald; it enlightened me from a certain point of view. The Sysadmins of the world, unite! talk, featuring Julian Assange, was also quite inspiring, even if I think the parallel with the communist motto did not fit really well. Finally I'd like to mention Through a PRISM, Darkly, by the EFF attorney Kurt Opsahl, offering an overview of the NSA's surveillance programs.
While these talks were about different topics, all of them, at a certain point, reiterated the fact that cryptography should be used more widely, in particular in personal communications. And all of the speakers recognized that to make this happen there is a fundamental issue we have to face: usability. Journalists are having a hard time learning to use PGP and similar tools; they make mistakes, and this puts their lives at risk. And they are determined to learn to use it: they understand the risks they are going to face if they don't use the right tools appropriately. If we think about ordinary people, the situation becomes even worse.
The problem is that to make crypto effective, it should be the default, not the exception, and we should work on a solution that requires no training to be used. It should just work out of the box and be as simple as current social networks. At the #youbroketheinternet assembly we discussed this, and I've reached the conclusion that if we take current tools, in particular PGP, and try to improve them to make them usable by the average Internet user, we will fail badly. PGP can be a starting point from a technological point of view, but for usability we have to start from what people are used to, such as Facebook or Twitter, and then add to the UI only what is strictly necessary to keep the system secure.
And this is exactly the point of Snake: keeping everything as simple as possible while still offering the strongest possible security guarantees. Using Snake is just like visiting a standard website: subscribe and have everything encrypted right away without the need to install anything; not even an e-mail address is required. Other projects, such as MailPile, are dealing with the exact same issue, but we wanted to work on simplicity not only in the user interface, but also from a more structural point of view. We put a big effort into making crypto unobtrusive, for instance handling public key authentication implicitly whenever possible (through the Web of Trust), or, when that is not possible, without requiring users to meet the other person in person as PGP mandates (the famous key signing parties).
The main objective of Snake is making end-to-end encryption usable for everyone without sacrificing security and privacy. This poses a long list of challenges, but we have already defeated the hardest ones; help us defeat them all.
P.S. I gave three talks about Snake at 30c3: a lightning talk (slides) and two longer presentations, one at the YBTI Usability session on how we handle friendship establishment (slides) and a more high-level overview at the YBTI In Depth session (slides). We'll put the videos here as soon as they are available, stay tuned!