Why does Google use the term "Off the record" when there is a product called Off the record[1] that has been used for end-to-end encryption of IM that pre-dates Google Talk?
Google does many good things, but it would be unreasonable for anyone to expect that they wouldn't store all your chat messages. "Chats that have been taken off the record aren't stored in your Gmail chat history, or in the Gmail chat history of the person you're chatting with."[2]
Because "Off the record" was a common term way before either was created?
Yes, but in the IM context it is creating confusion, and Google's IM team must surely be aware of this, so it stands to reason that this is intentional confusion.
Sorry, I don't agree. "Off the record" is a term that is obviously and simply applicable to an IM context. It's the fault of the people who made an app called Off The Record that someone else has used the same term.
The simple and obvious meaning is encryption with PFS, right? It's not as though you can prevent the person you're speaking to from logging, and given that he or she could be using an XMPP client not written by Google, neither can anyone else. The "Disable logging on my end" feature should probably just be called "Disable logging on my end."
No, "off the record" is the commonly used phrase that implies that the conversation isn't for redistribution, but also that such a guarantee is based on your trust of your counterparty and not on any technical barriers to logging.
I was on the Google Talk team at the time when we introduced this feature and I can confirm we had no knowledge of other products called 'Off The Record'.
Oh sure, it 'stands to reason' that anyone someone must surely be aware of was also intentional, no one is ever surely aware of anything that was not planned that way. What?
> Why does Google use the term "Off the record" when there is a product called Off the record that has been used for end-to-end encryption of IM that pre-dates Google Talk?
Google seems to have a habit of picking names that conflict with already-existing products [1].
I don't think this is a problem. In the email vs OTR debate, signed emails are not forgeable because you are not supposed to give away your private signing key - to claim that someone forged a signed email, you must convince that your private signing key was compromised at that time.
However, in this case you don't hold the private signing key, so Google can make whatever signatures it wants, even of things you didn't say, and there is no cryptography that links it back to you - because as a Google chat user, you don't have a private signing key.
That makes sense if there is a dispute between you and Google. But if the dispute is between you and one of your contacts instead, to claim that the signature is forged would be to claim that your contact has Google's cooperation. That bar might not be as high as claiming your private key was compromised, but it is still quite high.
Ah now careful there. It's a secret algorithm so we have no idea how crypto-secure it is. It appears to have a constant salt and not too many inputs, because his testing showed the same output with similar inputs, so I wouldn't expect much. Even a dumb cryptographer would include a random 8 bit salt so you'd require an average of 128 cycles before noticing a duplicate, so I don't think it's intentional crypto, although they'd know that I/we'd know so they'd know to ... this turns into annoying paranoia.
Possibly the contact has formal written GOOG corporate cooperation. But the theoretical minimum to know the cruddy secret algo is extremely low, like someone who knows someone who used to work there, or obtained the disk image of a stolen or improperly disposed of GOOG laptop or server hard disk, or someone who was bribed or was acting as the agent of a national government while being employed without GOOG's knowledge. Shoulder surfing an employee at the coffee shop, overheard something, etc.
That's the problem with a cruddy crypto algo. It's a cruddy crypto algo.
Now what it probably is, is some kind of verification toy to prove internally some translator / load balancer thingy didn't mess up, or something probably very innocent like that. Of course if they were actually rolling out something evil that's exactly the right way to present it. Hmm.
Thanks for the heads up regarding the undocumented XMPP extension!
I'm sure Google chat already maintains plenty of additional signatures, checksums, etc. that stay entirely server-side; any of which would be more than sufficient to 'prove[...] cryptographically that your account sent that message' should law enforcement need to 'verify the signature is correct'.
The point here is that those stay server-side and are thrown away together with the messages when they get deleted. Whatever's sent to the client can be stored by him/her indefinitely.
BTW. There is probably a time limit: if this is really a MAC, then the key used to generate it is most likely rotated once in a while.
How does signing a message make it any less (or more) ephemeral? You either store the copy or you don't (and Google does). I don't see how a signature could influence that.
There's a difference between Google "knowing" you sent a message and third parties being able to verify that you sent a specific message.
Whether Google stores your message when you turn on "Off-the-Record" is of course something we can never know. But if your contact says you said "X", and you say you never said "X", Google could still prove you said "X" at some point. That does not fit the idea of "Off-the-Record".
How is it any more possible to prove a chatlog wasn't forged, given that third-parties cannot verify these signatures (only Google can, if TFA is correct) and Google already keeps unlimited retention of their chat logs and thus could do the verification without any signature field? Plus, not all clients cause a signature to be inserted, so even the lack of a signature wouldn't imply forgery.
The article and/or its interpretation is wrong about that because the algo is unknown.
Even worse, human beings both currently and formerly employed by GOOG know the secret-ish algo, and those humans are not necessarily still employed there, nor are they incapable of communication. So it's very unclear who knows how that algo works other than GOOG as an absolute minimum.
A correct statement would be, at the minimum at least GOOG knows how to make those hashes, and at this instant who knows how many other people or orgs who may or may not be in support or opposition to you.
I suspect this is an HMAC-SHA1 similar to what the blog author surmised. It's possibly a response to the recent fiasco where they misrouted IMs.
I think they use this signature in their backend as a last defense when routing a message to a recipient. Being meant for the backend explains why messages with corrupt signatures are accepted (the backend notices that incoming signature is bad, so it doesn't use the signature to check the message when routing).
2) I'm curious about what people who say "crypto in the browser/JS is bad" think about this. This seems to be a pretty good application of crypto to achieve a very narrow goal.
It is possible this is to stop misrouted messages, however, they didn't add it in response to the recent problems. There are some Google hits from 2007-2008 where the field was present, for example https://developer.pidgin.im/ticket/3360#comment:15. Before ~2009-2010 the field seems to have been 8 hex encoded bytes (half a MD5 hash?), after that they switched to the base64 format.
Maybe I'm missing the point here, but why is giving each message a signature worse than just hanging onto the message itself? Unless I'm missing something, each of these messages is sent to Google's servers, and presumably stored (forever).
In that sense, even without the signature, the record itself still exists. I'm thinking maybe they're trying to say that in the case of an end-user having a signature, they could look the message up? In that case, if they have a copy of that message in their inbox anyway, again, what is the difference?
Not trying to discredit the article, I think I must be overlooking something.
Here's a hash of your post plus some salty stuff that only I know about, or at least that's what you think:
96ac1d2c0cdbc05e1ff1e40fe8a43f64e013e232
(it's actually a SHA1 of GNU date output, but whatever)
Now let's say your post starts appearing on reddit except it begins "I am like so totally getting the point here" and includes the hash 96ac1d2c0cdbc05e1ff1e40fe8a43f64e013e232
I can act as oracle and verify that someone messed with the post I signed.
Sometimes having a little notary follow you around notarizing everything you type is no big deal. Sometimes of course it is.
The irony is that this whole debate relies on the theory that no one can generate those salty hashes but the almighty GOOG. I only glanced at the code in the post and I didn't see any charset translation games in his little permutation gadget. It might be something totally innocent like he needs to convert to UTF-8 or UCS-16 or UTF-32 or some bonkers thing like EBCDIC before the hash and that's it. In which case it's not much of a big deal, mostly.
Assuming honest and truthful actors on both sides, there's not much harm an oracle can do other than verifying an out of context quote, I guess. Of course honest and truthful actors are not universal, and the oracle itself might be a crook or partially crook partially honest.
The worst case is a partially crooked or partially secret oracle. "I VLM solemnly swear I shot JFK back in 1963" (and here's a correct hash using the GOOG algorithm of the statement). Well, superficially that proves I shot JFK, I mean a 3rd party properly notarized it and everything. The reality is all it proves is someone in the universe knows the signing algorithm and this is a properly signed message using that algorithm, which is not so impressive. The legal outcome can be a lot different between the superficial interpretation and reality. Even though JFK died more than a decade before I was born. If someone, like, say, a court, is dumb enough to trust the sig, then anyone who knows the algorithm is God over everyone else. Hope the smart guys aren't the bad guys...
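As an added illustration of the "oracle" argument in the two comments above, and of the earlier point that a tag made with a key you do not hold (unlike a signed email) proves nothing about who actually typed the words, here is a constructed Python model. It is not Google's code and not from the article: the key, the HMAC-SHA1 construction, the base64 tag format, the fields fed into the MAC and the sample messages are all assumptions. It shows the three behaviours the thread argues about: the tag is deterministic (identical input, identical output, no per-message salt), the key holder can detect an edited transcript, and the same key holder can mint a valid tag for a statement the user never sent, so "the tag verifies" is not evidence of authorship.

```python
"""Toy model of a server-side message MAC acting as a verification oracle.
Constructed example; the key, tag format and inputs are assumptions, not
anything documented by Google."""
import base64
import hashlib
import hmac

# Assumed server-side secret: the "salty stuff only the oracle knows".
SERVER_KEY = b"constructed-demo-key-not-real"


def tag_message(key: bytes, sender: str, recipient: str, body: str) -> str:
    """Deterministic HMAC-SHA1 over routing fields and body, base64 encoded.
    The field layout is an assumption; SHA1 gives 20 bytes -> 28 base64 chars."""
    data = f"{sender}\x00{recipient}\x00{body}".encode("utf-8")
    digest = hmac.new(key, data, hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def oracle_verify(key: bytes, sender: str, recipient: str, body: str, tag: str) -> bool:
    """Only a key holder can do this; a third party without the key cannot."""
    expected = tag_message(key, sender, recipient, body)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Run the scenarios from the thread and return what the oracle would say."""
    alice, bob = "alice@example.com", "bob@example.com"  # constructed accounts
    said = "I am not getting the point here"
    tag = tag_message(SERVER_KEY, alice, bob, said)

    # Recipient (or a TLS-terminating middlebox) edits the text but keeps the tag.
    altered = "I am like so totally getting the point here"

    # Anyone holding the key (insider, leaked disk image, ...) can tag words the
    # sender never typed; the oracle has no way to tell this from a real message.
    forged = "I solemnly swear I shot JFK back in 1963"
    forged_tag = tag_message(SERVER_KEY, alice, bob, forged)

    # If the server rotates its key, old tags stop verifying even when genuine.
    rotated_key = b"constructed-demo-key-after-rotation"

    return {
        "tag_length": len(tag),
        "deterministic": tag == tag_message(SERVER_KEY, alice, bob, said),
        "genuine_verifies": oracle_verify(SERVER_KEY, alice, bob, said, tag),
        "altered_text_verifies": oracle_verify(SERVER_KEY, alice, bob, altered, tag),
        "forged_statement_verifies": oracle_verify(SERVER_KEY, alice, bob, forged, forged_tag),
        "verifies_after_key_rotation": oracle_verify(rotated_key, alice, bob, said, tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point is the one the thread circles around: a MAC binds a message to whoever holds the key, not to the person whose name is in the sender field. Detecting a tampered transcript and attributing a transcript to its author are different properties, and only the first one comes from this construction.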
The article is really interesting, but I start rolling my eyes when the author jumps to the implication that this is some sort of plot to make government intrusion easier. I doubt that -- the police and litigants already have a myriad of ways to obtain and get chat transcripts admitted in court.
Perhaps this is a way to ensure message integrity when people are traversing networks that inspect TLS sessions?
Many enterprise environments, for example, use proxy servers that terminate SSL sessions at the network boundary, inspect the content, and then re-encrypt using a self-signed key. Perhaps Google has observed some malicious or obnoxious use of that technology in public or institutional wifi environments. (ie. inserting ads, filtering "naughty" words, etc)
> The article implies that this is some sort of plot to make government intrusion easier. I doubt that -- the police and litigants already have a myriad of ways to obtain and get chat transcripts admitted in court.
Where do I claim Google is doing it intentionally to help government intrusion? The paragraph about law enforcement is only meant as an example of how signing can be used against you. The point there is that it doesn't even need to be Google's intention and requires no direct assistance from them.
I'm sure Google has a valid legitimate use of this data somewhere, but why it ends up in end-user XMPP clients is a mystery to me. If Google's aim is to avoid enterprise networks messing with the message, then Google should document somewhere how to verify the signature.
"If the recipient stores that message and signature, they have cryptographically verified blackmail material: they could later turn both message and signature over to law enforcement."
[1] https://otr.cypherpunks.ca/
[2] https://support.google.com/talk/answer/29291?hl=en