Whoa! Just got back from the 30c3, the biggest hacker conference in Europe. A lot of interesting talks, people and that great feeling that we're all fighting the same battle. It has been really exciting, but also overwhelming, so, now that everything is quiet, I wanted to try to take away a message from the whole conference.

I've seen the amazing talk by Daniel J. Bernstein, The year in crypto, which gave an interesting overview of what has been going on in the crypto world lately, what has been broken, what is doable and what is not. I've been shocked by Jacob Appelbaum's talk, To protect and infect (Part Two), about specific and scary details of how the NSA surveillance works. I've also liked the keynote by Glenn Greenwald; it enlightened me from a certain point of view. The Sysadmins of the world, unite! talk, featuring Julian Assange, was also quite inspiring, even if I think the parallel with the communist motto was not fitting really well. Finally I'd like to mention Through a PRISM, Darkly, by the EFF attorney Kurt Opsahl, offering an overview of the NSA's surveillance programs.

While these talks were about different topics, all of them, at a certain point, reiterated the fact that cryptography usage should be more widespread, in particular in personal communications. And all of the speakers recognized that to make this happen there is a fundamental issue we have to face: usability. Journalists are having a hard time learning to use PGP and similar tools, they make mistakes, and this puts their lives at risk. And they are determined to learn to use it: they understand the risks they are going to face if they don't use the right tools appropriately. If we think about ordinary people, the situation becomes even worse.

The problem is that to make crypto effective, it should be the default, not the exception, and we should work on a solution that requires no training to be used. It should just work out of the box and be as simple as current social networks. At the #youbroketheinternet assembly we discussed this, and I've reached the conclusion that if we take current tools, in particular PGP, and try to improve them to make them usable by the average Internet user, we will fail badly. PGP can be a starting point from a technological point of view, but for usability we have to start from what people are used to, such as Facebook or Twitter, and then add to the UI what is strictly necessary to keep the system secure.

And this is exactly the point of Snake: keeping everything as simple as possible while still offering the strongest possible security guarantees. Using Snake is just like visiting a standard website: you sign up and have everything encrypted right away, without installing anything; an e-mail address is not even required. Other projects, such as MailPile, are dealing with the exact same issue, but we wanted to work on simplicity not only in the user interface, but also from a more structural point of view. We put a big effort into making crypto unobtrusive, for instance handling public key authentication implicitly whenever possible (through the Web of Trust), or, when that is not possible, without requiring users to meet in person as PGP mandates (the famous key signing parties).
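To make the "implicit public key authentication through the Web of Trust" idea concrete, here is an added example (my illustration of the classic PGP-style validity rule, not Snake's code and not a description of how Snake actually implements it). It assumes a constructed set of key certifications and owner-assigned introducer trust: a key is considered authenticated if a fully trusted, already-valid introducer has signed it, or if enough marginally trusted valid introducers have; anything else is reported as still needing explicit verification by the user. The names, trust levels and thresholds are all made up for the example.

```python
from typing import Dict, Set

# Constructed sample data (not from any real keyring).
# SIGNATURES[subject] = set of people who have certified subject's public key.
SIGNATURES: Dict[str, Set[str]] = {
    "alice": set(),             # the local user; her own key is trusted axiomatically
    "bob": {"alice"},           # alice certified bob's key herself
    "carol": {"bob"},           # only bob vouches for carol
    "dave": {"carol", "erin"},  # two marginal introducers vouch for dave
    "erin": {"alice"},          # alice certified erin's key herself
    "mallory": {"carol"},       # a single marginal introducer vouches for mallory
}

# Owner trust that alice assigns to other keys *as introducers* (constructed).
# "ultimate" = the owner's own key; "full"/"marginal" = how much alice trusts
# that person's certifications; absent = not trusted to introduce anyone.
TRUST: Dict[str, str] = {
    "alice": "ultimate",
    "bob": "full",
    "carol": "marginal",
    "erin": "marginal",
}


def valid_keys(signatures: Dict[str, Set[str]], trust: Dict[str, str],
               full_needed: int = 1, marginals_needed: int = 2) -> Set[str]:
    """Return the set of keys whose authenticity follows from the Web of Trust.

    Rule (PGP-style): a key is valid if it is signed by at least `full_needed`
    valid keys with full/ultimate introducer trust, or by at least
    `marginals_needed` valid keys with marginal introducer trust. Only keys
    that are themselves already valid may act as introducers, so the set is
    computed as a fixed point starting from the owner's own key.
    """
    valid = {key for key, level in trust.items() if level == "ultimate"}
    changed = True
    while changed:
        changed = False
        for subject, signers in signatures.items():
            if subject in valid:
                continue
            usable = {s for s in signers if s in valid}  # ignore unverified signers
            fulls = sum(1 for s in usable if trust.get(s) in ("ultimate", "full"))
            marginals = sum(1 for s in usable if trust.get(s) == "marginal")
            if fulls >= full_needed or marginals >= marginals_needed:
                valid.add(subject)
                changed = True
    return valid


def needs_manual_verification(signatures: Dict[str, Set[str]],
                              trust: Dict[str, str]) -> Set[str]:
    """Keys the Web of Trust cannot authenticate implicitly; the UI would have
    to fall back to some explicit verification step for these."""
    return set(signatures) - valid_keys(signatures, trust)


if __name__ == "__main__":
    print("implicitly authenticated:", sorted(valid_keys(SIGNATURES, TRUST)))
    print("still need verification:", sorted(needs_manual_verification(SIGNATURES, TRUST)))
```

With this data dave's key becomes valid only on the second pass, once erin (certified directly by alice) has itself become valid, while mallory's key stays unverified because a single marginal introducer is below the threshold. That ordering dependency is why the computation is a fixed point rather than a single sweep, and why an unverified signer's certification must never be counted, however many of them there are.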

The main objective of Snake is making end-to-end encryption usable for everyone without sacrificing security and privacy. This poses a long list of challenges, but we have already defeated the hardest ones; help us defeat them all.

P.S. I gave three talks about Snake at 30c3: a lightning talk (slides) and two longer presentations, one at the YBTI Usability session on how we handle friendship establishment (slides) and a more high-level overview at the YBTI In Depth session (slides). We'll put the videos here as soon as they are available, stay tuned!

Posted by Alessandro Di Federico on Wed, 1 Jan 2014