emacs-orgmode@gnu.org archives
* org-mobile-use-encryption
@ 2010-10-13  0:23 Greg Troxel
  2010-10-13  8:59 ` org-mobile-use-encryption Carsten Dominik
  0 siblings, 1 reply; 7+ messages in thread
From: Greg Troxel @ 2010-10-13  0:23 UTC (permalink / raw)
  To: emacs-orgmode




I am trying to test encryption for MobileOrg via a beta from Richard.
(We're still playing the 'convince itunes to let you run code on your
own phone game', so this report is preliminary about what Org itself is
doing.)

I have in .emacs-local.el:

(setq org-mobile-use-encryption t)
(setq org-mobile-encryption-password "mypasswd")

and I did org-mobile-push.  I found that there was an old agendas.org
that was not encrypted, and it seems that org-mobile-push omits
agendas.org if org-mobile-use-encryption is t, but still creates it when
nil.

checksums.dat is in cleartext.  This seems ok, but could be a missed
opportunity for some integrity protection.

index.org is in cleartext.  The list of file names is of course in the
webdav area, and that seems not a big deal, but it also contains the
TODO keyword plan, priority tag list, etc.


I'm not sure this level of paranoia is warranted, but typical encrypting
filesystems also encrypt the filenames.  It probably suffices to just
warn the user that the filenames of org files will still be exposed in
the DAV area.





_______________________________________________
Emacs-orgmode mailing list
Please use `Reply All' to send replies to the list.
Emacs-orgmode@gnu.org
http://lists.gnu.org/mailman/listinfo/emacs-orgmode


* Re: org-mobile-use-encryption
  2010-10-13  0:23 org-mobile-use-encryption Greg Troxel
@ 2010-10-13  8:59 ` Carsten Dominik
  2010-10-13 12:48   ` org-mobile-use-encryption Greg Troxel
  2010-10-13 14:02   ` org-mobile-use-encryption Andreas Röhler
  0 siblings, 2 replies; 7+ messages in thread
From: Carsten Dominik @ 2010-10-13  8:59 UTC (permalink / raw)
  To: Greg Troxel; +Cc: emacs-orgmode


On Oct 13, 2010, at 2:23 AM, Greg Troxel wrote:

>
> I am trying to test encryption for MobileOrg via a beta from Richard.
> (We're still playing the 'convince itunes to let you run code on your
> own phone game', so this report is preliminary about what Org itself
> is doing.)
>
> I have in .emacs-local.el:
>
> (setq org-mobile-use-encryption t)
> (setq org-mobile-encryption-password "mypasswd")
>
> and I did org-mobile-push.  I found that there was an old agendas.org
> that was not encrypted, and it seems that org-mobile-push omits
> agendas.org if org-mobile-use-encryption is t, but still creates it
> when nil.

I have not been able to reproduce this.

>
> checksums.dat is in cleartext.  This seems ok, but could be a missed
> opportunity for some integrity protection.

I have a technical reason to not encrypt it - so unless there is  
someone who really needs it encrypted, I want to keep it like this.

> index.org is in cleartext.  The list of file names is of course in the
> webdav area, and that seems not a big deal, but it also contains the
> TODO keyword plan, priority tag list, etc.

This is a good observation.  And who knows what other information we  
will eventually put into that file.  So I am switching to encrypting  
this file as well.

>
> I'm not sure this level of paranoia is warranted, but typical encrypting
> filesystems also encrypt the filenames.  It probably suffices to just
> warn the user that the filenames of org files will still be exposed in
> the DAV area.

I have just put this information into the manual.

Thanks

- Carsten



* Re: org-mobile-use-encryption
  2010-10-13  8:59 ` org-mobile-use-encryption Carsten Dominik
@ 2010-10-13 12:48   ` Greg Troxel
  2010-10-14  6:31     ` org-mobile-use-encryption Carsten Dominik
  2010-10-13 14:02   ` org-mobile-use-encryption Andreas Röhler
  1 sibling, 1 reply; 7+ messages in thread
From: Greg Troxel @ 2010-10-13 12:48 UTC (permalink / raw)
  To: Carsten Dominik; +Cc: emacs-orgmode




Carsten Dominik <carsten.dominik@gmail.com> writes:

> On Oct 13, 2010, at 2:23 AM, Greg Troxel wrote:
>
>> I am trying to test encryption for MobileOrg via a beta from Richard.
>> (We're still playing the 'convince itunes to let you run code on your
>> own phone game', so this report is preliminary about what Org itself
>> is doing.)

I have successfully viewed my org files and retrieved a captured note
from the phone into emacs.

This note is about release_7.01h-672-g7e29685, so I have
your commit 9755e09bbcd630b6d0e20dbf6342bf1c1e66c819.

>> I have in .emacs-local.el:
>>
>> (setq org-mobile-use-encryption t)
>> (setq org-mobile-encryption-password "mypasswd")
>>
>> and I did org-mobile-push.  I found that there was an old agendas.org
>> that was not encrypted, and it seems that org-mobile-push omits
>> agendas.org if org-mobile-use-encryption is t, but still creates it
>> when nil.
>
> I have not been able to reproduce this.

Apparently when in encryption mode the copy of the encrypted version
agendas.org fails because it's trying to go to a file named by the tramp
syntax instead of interpreting it as remote:

Agenda written to Org file /home/gdt/orgtmpcrypt
/ssh:foo.example.com:/usr/home/gdt/ORG/agendas.org: No such file or directory
3148034372:error:02001002:system library:fopen:No such file or directory:/n0/gdt/NetBSD-5/src/crypto/dist/openssl/crypto/bio/bss_file.c:355:fopen('/ssh:foo.example.com:/usr/home/gdt/ORG/agendas.org','w')

I read the code and I don't follow how the invocation of copy-file is
different in the encrypted case.

>> checksums.dat is in cleartext.  This seems ok, but could be a missed
>> opportunity for some integrity protection.
>
> I have a technical reason to not encrypt it - so unless there is
> someone who really needs it encrypted, I want to keep it like this.

That seems fine - the filenames are staying cleartext.  My point, not
well made, was that encryption does not give you integrity protection.
It seems the concern motivating this work is confidentiality, but in
cryptography it's considered good practice to also provide integrity,
via HMAC-SHA1 or a combined confidentiality/integrity mode.  But for org
files on servers we believe are not messing with them, this is probably
in the 'best is the enemy of the good' category.  And if we want
integrity (I know, ENOPATCH), then it's probably best to do it outright,
so I withdraw my complaint about checksums.dat being in cleartext.

>> I'm not sure this level of paranoia is warranted, but typical
>> encrypting filesystems also encrypt the filenames.  It probably
>> suffices to just warn the user that the filenames of org files will
>> still be exposed in the DAV area.
>
> I have just put this information into the manual.

Thanks.

minor issues:

~/orgtmpcrypt seems to not always get cleaned up when I push/pull.
After a push, I found it to contain my index.org, unencrypted and 644 in
my homedir.  Probably this should go in org-directory instead which
presumably would be protected as the user wants.

During a pull that got a note, emacs asked me about visiting a buffer
whose file (orgcrypttmp) had changed contents.  I'll see if I can
reproduce that.


Thanks for working on org-mobile-crypt.
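
Added example, not part of the thread and not Org's code: it shows why encryption alone gives no integrity and how an HMAC over the ciphertext (encrypt-then-MAC) catches a modified file. The SHA-256 counter-mode cipher is a stand-in for the openssl step, HMAC-SHA256 is used in place of the HMAC-SHA1 mentioned above, and all names, the salt and the sample note are constructed.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32

def derive_keys(password, salt):
    """Separate encryption and MAC keys from one password (constructed parameters)."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return material[:32], material[32:]

def _keystream(key, nonce, length):
    # Stand-in cipher: SHA-256 in counter mode. For illustration only.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt(key, plaintext):
    """Confidentiality only: nonce || (plaintext XOR keystream)."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))

def decrypt(key, blob):
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))

def tamper(blob, offset, guessed, wanted):
    """What a storage server can do without the key: turn a guessed plaintext
    fragment into a replacement of the same length."""
    forged = bytearray(blob)
    for i, (g, w) in enumerate(zip(guessed, wanted)):
        forged[NONCE_LEN + offset + i] ^= g ^ w
    return bytes(forged)

def seal(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    blob = encrypt(enc_key, plaintext)
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, sealed):
    """Verify the tag before decrypting; raise ValueError on any modification."""
    if len(sealed) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated file")
    blob, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return decrypt(enc_key, blob)

if __name__ == "__main__":
    enc_key, mac_key = derive_keys("mypasswd", b"constructed-salt")
    note = b"* TODO pay rent\n* DONE call bank\n"  # constructed sample
    forged = tamper(encrypt(enc_key, note), 2, b"TODO", b"DONE")
    print(decrypt(enc_key, forged))  # decrypts without any error
    try:
        open_sealed(enc_key, mac_key, tamper(seal(enc_key, mac_key, note), 2, b"TODO", b"DONE"))
    except ValueError as err:
        print("rejected:", err)
```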


* Re: org-mobile-use-encryption
  2010-10-13  8:59 ` org-mobile-use-encryption Carsten Dominik
  2010-10-13 12:48   ` org-mobile-use-encryption Greg Troxel
@ 2010-10-13 14:02   ` Andreas Röhler
  2010-10-14  6:40     ` org-mobile-use-encryption Carsten Dominik
  1 sibling, 1 reply; 7+ messages in thread
From: Andreas Röhler @ 2010-10-13 14:02 UTC (permalink / raw)
  To: emacs-orgmode; +Cc: Greg Troxel, Carsten Dominik

On 13.10.2010 10:59, Carsten Dominik wrote:
>
> On Oct 13, 2010, at 2:23 AM, Greg Troxel wrote:
>
>>
>> I am trying to test encryption for MobileOrg via a beta from Richard.
>> (We're still playing the 'convince itunes to let you run code on your
>> own phone game', so this report is preliminary about what Org itself is
>> doing.)
>>
>> I have in .emacs-local.el:
>>
>> (setq org-mobile-use-encryption t)
>> (setq org-mobile-encryption-password "mypasswd")
>>
>> and I did org-mobile-push. I found that there was an old agendas.org
>> that was not encrypted, and it seems that org-mobile-push omits
>> agendas.org if org-mobile-use-encryption is t, but still creates it when
>> nil.
>
> I have not been able to reproduce this.
>
>>
>> checksums.dat is in cleartext. This seems ok, but could be a missed
>> opportunity for some integrity protection.
>
> I have a technical reason to not encrypt it - so unless there is someone
> who really needs it encrypted, I want to keep it like this.
>
>> index.org is in cleartext. The list of file names is of course in the
>> webdav area, and that seems not a big deal, but it also contains the
>> TODO keyword plan, priority tag list, etc.
>
> This is a good observation. And who knows what other information we will
> eventually put into that file. So I am switching to encrypting this file
> as well.


Hi,

suggest to encrypt these kinds of files by default. I.e. when org-mode
starts action, user should be prompted for a password,
be warned and informed about encryption, get a choice though.

Maybe a non-encrypted test-mode may be added, so user may try it, but be 
warned not to store real data that way.


Andreas

--
https://code.launchpad.net/~a-roehler/python-mode/python-mode-components
https://code.launchpad.net/s-x-emacs-werkstatt/




>
>>
>> I'm not sure this level of paranoia is warranted, but typical encrypting
>> filesystems also encrypt the filenames. It probably suffices to just
>> warn the user that the filenames of org files will still be exposed in
>> the DAV area.
>
> I have just put this information into the manual.
>
> Thanks
>
> - Carsten

* Re: org-mobile-use-encryption
  2010-10-13 12:48   ` org-mobile-use-encryption Greg Troxel
@ 2010-10-14  6:31     ` Carsten Dominik
  2010-10-15  0:07       ` org-mobile-use-encryption Greg Troxel
  0 siblings, 1 reply; 7+ messages in thread
From: Carsten Dominik @ 2010-10-14  6:31 UTC (permalink / raw)
  To: Greg Troxel; +Cc: emacs-orgmode

Hi Greg,

thank you very much for putting in the time to test the encryption
for MobileOrg.

On Oct 13, 2010, at 2:48 PM, Greg Troxel wrote:

>
> Carsten Dominik <carsten.dominik@gmail.com> writes:
>
>> On Oct 13, 2010, at 2:23 AM, Greg Troxel wrote:
>>
>>> I am trying to test encryption for MobileOrg via a beta from Richard.
>>> (We're still playing the 'convince itunes to let you run code on your
>>> own phone game', so this report is preliminary about what Org itself
>>> is doing.)
>
> I have successfully viewed my org files and retrieved a captured note
> from the phone into emacs.
>
> This note is about release_7.01h-672-g7e29685, so I have
> your commit 9755e09bbcd630b6d0e20dbf6342bf1c1e66c819.
>
>>> I have in .emacs-local.el:
>>>
>>> (setq org-mobile-use-encryption t)
>>> (setq org-mobile-encryption-password "mypasswd")
>>>
>>> and I did org-mobile-push.  I found that there was an old agendas.org
>>> that was not encrypted, and it seems that org-mobile-push omits
>>> agendas.org if org-mobile-use-encryption is t, but still creates it
>>> when nil.
>>
>> I have not been able to reproduce this.
>
> Apparently when in encryption mode the copy of the encrypted version
> agendas.org fails because it's trying to go to a file named by the tramp
> syntax instead of interpreting it as remote:
>
> Agenda written to Org file /home/gdt/orgtmpcrypt
> /ssh:foo.example.com:/usr/home/gdt/ORG/agendas.org: No such file or directory
> 3148034372:error:02001002:system library:fopen:No such file or directory:/n0/gdt/NetBSD-5/src/crypto/dist/openssl/crypto/bio/bss_file.c:355:fopen('/ssh:foo.example.com:/usr/home/gdt/ORG/agendas.org','w')

Ah, you are using a tramp path?  OK, I see from your
other message that you have actually solved this
issue.  Thanks!

> I read the code and I don't follow how the invocation of copy-file is
> different in the encrypted case.
>
>>> checksums.dat is in cleartext.  This seems ok, but could be a missed
>>> opportunity for some integrity protection.
>>
>> I have a technical reason to not encrypt it - so unless there is
>> someone who really needs it encrypted, I want to keep it like this.
>
> That seems fine - the filenames are staying cleartext.

OK.

>  My point, not
> well made, was that encryption does not give you integrity protection.
> It seems the concern motivating this work is confidentiality, but in
> cryptography it's considered good practice to also provide integrity,
> via HMAC-SHA1 or a combined confidentiality/integrity mode.

Ah, I see what you mean now.

>  But for org
> files on servers we believe are not messing with them, this is probably
> in the 'best is the enemy of the good' category.  And if we want
> integrity (I know, ENOPATCH), then it's probably best to do it outright,
> so I withdraw my complaint about checksums.dat being in cleartext.

It is also so that the file transfer is happening in two one-way streets.
agendas.org and the agenda files and index.org are uploaded,
mobileorg.org is downloaded, and its contents are then applied locally.
Seems to be little room for problems here.

>
>>> I'm not sure this level of paranoia is warranted, but typical
>>> encrypting filesystems also encrypt the filenames.  It probably
>>> suffices to just warn the user that the filenames of org files will
>>> still be exposed in the DAV area.
>>
>> I have just put this information into the manual.
>
> Thanks.
>
> minor issues:
>
> ~/orgtmpcrypt seems to not always get cleaned up when I push/pull.
> After a push, I found it to contain my index.org, unencrypted and 644 in
> my homedir.  Probably this should go in org-directory instead which
> presumably would be protected as the user wants.

I did not put it into org-directory because I don't know if users have
this set to an accessible place, and I don't want the push
to fail because of that.

I have modified the code and hope that it does now in all cases
clean up the temporary file.  Please let me know if you still
find a case where this is not so.

>
> During a pull that got a note, emacs asked me about visiting a buffer
> whose file (orgcrypttmp) had changed contents.  I'll see if I can
> reproduce that.

This should hopefully go away with the changes I have now made.

Thanks again.

- Carsten


* Re: org-mobile-use-encryption
  2010-10-13 14:02   ` org-mobile-use-encryption Andreas Röhler
@ 2010-10-14  6:40     ` Carsten Dominik
  0 siblings, 0 replies; 7+ messages in thread
From: Carsten Dominik @ 2010-10-14  6:40 UTC (permalink / raw)
  To: Andreas Röhler; +Cc: emacs-orgmode, Greg Troxel


On Oct 13, 2010, at 4:02 PM, Andreas Röhler wrote:
>
>
> Hi,
>
> suggest to encrypt these kinds of files by default. I.e. when org-mode
> starts action, user should be prompted for a password,
> be warned and informed about encryption, get a choice though.
>
> Maybe a non-encrypted test-mode may be added, so user may try it, but be
> warned not to store real data that way.

No, we are not going to do this.  We use openssl to do the encryption,
which may not be available on a system.  And the Android Version of
MobileOrg does not yet support encryption.

I will be more verbal about security issues in the manual.

- Carsten


* Re: org-mobile-use-encryption
  2010-10-14  6:31     ` org-mobile-use-encryption Carsten Dominik
@ 2010-10-15  0:07       ` Greg Troxel
  0 siblings, 0 replies; 7+ messages in thread
From: Greg Troxel @ 2010-10-15  0:07 UTC (permalink / raw)
  To: Carsten Dominik; +Cc: emacs-orgmode




Carsten Dominik <carsten.dominik@gmail.com> writes:

> thank you very much for putting in the time to test the encryption
> for MobileOrg.

No problem - thank you for writing and shepherding Org.

>> But for org files on servers we believe are not messing with them,
>> this is probably in the 'best is the enemy of the good' category.
>> And if we want integrity (I know, ENOPATCH), then it's probably best
>> to do it outright, so I withdraw my complaint about checksums.dat
>> being in cleartext.
>
> It is also so that the file transfer is happening in two one-way
> streets.  agendas.org and the agenda files and index.org are uploaded,
> mobileorg.org is downloaded, and its contents are then applied
> locally.  Seems to be little room for problems here.

The issue is that the whole point of encryption is to use a webdav
server not under one's control, such as dropbox, or perhaps one accessed
not over SSL.  Encryption prevents the server admin from reading the
bits, and that's the most important thing.  But if the server admin
changes the ciphertext, they can cause the wrong plaintext to appear.
This is generally tricky, but it's a principle of cryptographic protocol
design that one can't assume that encryption provides integrity
(meaning, that just because the bits are encrypted doesn't mean it
prevents an adversary from manipulating the plaintext).

That said, the above is probably overly paranoid for most people.

>> ~/orgtmpcrypt seems to not always get cleaned up when I push/pull.
>> After a push, I found it to contain my index.org, unencrypted and 644
>> in my homedir.  Probably this should go in org-directory instead
>> which presumably would be protected as the user wants.
>
> I did not put it into org-directory because I don't know if users have
> this set to an accessible place, and I don't want the push
> to fail because of that.

I think this is the classic security/convenience tradeoff.  On a
multiuser system, I think Org now puts the orgtmpcrypt file with normal
umask, and that can be read by other users (albeit briefly).  I
suggested org-directory because someone who wants to keep other users
from seeing his org bits will protect that appropriately - mine is 0700.

I suppose there could be someone who turns on encryption and has org
files in random places but no directory matching org-directory.  Getting
an error seems fair enough and better than risking exposing private bits.

(Again, I realize I'm on the paranoid side, but I do security
professionally so it comes naturally.)

> I have modified the code and hope that it does now in all cases
> clean up the temporary file.  Please let me know if you still
> find a case where this is not so.

Thanks - will do.  Right now all is working well.
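
Added example, not part of the thread and not Org's code: the scratch-file handling discussed above, with a plain create under the normal umask next to a variant that insists on a private directory, creates the file 0600, refuses a leftover from an earlier run, and removes the file even when the work in between fails. The function names are hypothetical and the file contents are constructed.

```python
import os
import stat
from contextlib import contextmanager

def naive_scratch_mode(directory, name="orgtmpcrypt"):
    """Plain create under the ambient umask; returns the resulting mode bits."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(b"constructed index.org contents\n")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.unlink(path)
    return mode

@contextmanager
def private_scratch(directory, name="orgtmpcrypt"):
    """Yield (path, file) for a 0600 scratch file that is removed on exit,
    including when the body raises."""
    info = os.stat(directory)
    # Refuse a directory that other users can enter or that someone else owns.
    if info.st_uid != os.getuid() or stat.S_IMODE(info.st_mode) & 0o077:
        raise PermissionError(f"{directory} is not a private directory")
    path = os.path.join(directory, name)
    # O_EXCL: fail on a leftover from an earlier run instead of reusing it.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        with os.fdopen(fd, "wb") as fh:
            yield path, fh
    finally:
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass
```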



Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs/org-mode.git
