LeastAuthority / leastauthority.com

Least Authority S4
https://leastauthority.com/

Allow deleting ciphertexts #297

Open defuse opened 10 years ago

defuse commented 10 years ago

Customers should be able to selectively delete ciphertexts that they've uploaded. This is important for psychological reasons (see #296), and if I recall correctly, at least one customer has asked for it as a defense-in-depth measure in case a capability is leaked.

zookoatleastauthoritycom commented 10 years ago

Multiple customers (or potential customers) have asked for this. Here's the letter I wrote to the most recent one:

You are right that we currently have garbage collection disabled on S4, so there is no way to remove the ciphertexts of your files from Amazon S3. We're doing it this way for now because we have no way to be sure that some malefactor doesn't keep copies of ciphertexts that we uploaded to S3 anyway! If we upload your ciphertexts to S3, then how do we know the NSA doesn't make a copy of those ciphertexts and store them in its giant data vaults in Utah (or wherever)?

So it seems like a bad trade-off to turn on timeout-based garbage collection, thus risking possibly accidentally deleting valuable ciphertexts that our customers want to save, but not guaranteeing that we can actually delete the ciphertexts that our customers want to delete.

On the other hand, it is possible that by deleting ciphertexts we keep them out of the hands of some lesser enemy, who doesn't make a copy as soon as we upload the ciphertext in the first place, but who instead infiltrates Amazon S3 at some point in the future. If we had successfully deleted the ciphertexts before that enemy arrived, then deleting the ciphertexts would have successfully stymied him.

(Of course, the first line of defense is keeping the encryption key out of his hands! But if he is that specific sort of enemy who did get a copy of your encryption key, but who did not already get a copy of your ciphertext, and then he infiltrates Amazon in order to get a copy of your ciphertext, that guy would be stymied by ciphertext-deletion.)

So, we have a plan for improving the Tahoe-LAFS protocol in the future to have an affirmative deletion operation, where the storage server never deletes anything due to timeout (because that seems dangerous to us), but can delete things when the client specifically tells it "These things I am now willing to lose forever."

Here's the trac ticket about that: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1832

But for now, yeah, we just have garbage collection turned off. Hopefully this is good enough for your purposes for now. :-)
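The trade-off described in the comment above (timeout-based garbage collection risks silently losing shares a client still values, while an affirmative delete only removes what the client explicitly gives up) can be modelled in a few dozen lines. The following is an added example for this page, not code from this thread, from S4 or from Tahoe-LAFS; the share ids, times, lease length and the `StorageServer` API are constructed for illustration.

```python
"""Toy model of two storage-server deletion policies: lease timeouts versus
affirmative ("I am now willing to lose this forever") deletion.
Constructed example; not Tahoe-LAFS or S4 code. Share ids, times and the
API below are made up."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class GcPolicy(Enum):
    TIMEOUT = "timeout"          # shares whose lease has expired are garbage-collected
    AFFIRMATIVE = "affirmative"  # nothing expires; only an explicit delete removes data


@dataclass
class Share:
    ciphertext: bytes
    lease_expiry: Optional[int]  # absolute time; None means "never expires"


class StorageServer:
    """Holds ciphertext shares only; the client never sends plaintext or keys."""

    def __init__(self, policy: GcPolicy, lease_seconds: int = 100) -> None:
        self.policy = policy
        self.lease_seconds = lease_seconds
        self.shares: Dict[str, Share] = {}

    def upload(self, share_id: str, ciphertext: bytes, now: int) -> None:
        expiry = now + self.lease_seconds if self.policy is GcPolicy.TIMEOUT else None
        self.shares[share_id] = Share(ciphertext, expiry)

    def renew_lease(self, share_id: str, now: int) -> None:
        """Client keep-alive; only meaningful under the TIMEOUT policy."""
        share = self.shares.get(share_id)
        if share is not None and self.policy is GcPolicy.TIMEOUT:
            share.lease_expiry = now + self.lease_seconds

    def delete(self, share_id: str) -> bool:
        """Affirmative deletion requested by the client. True if something was removed."""
        return self.shares.pop(share_id, None) is not None

    def gc(self, now: int) -> List[str]:
        """Remove expired shares. Under AFFIRMATIVE this is always a no-op."""
        if self.policy is not GcPolicy.TIMEOUT:
            return []
        expired = [sid for sid, s in self.shares.items()
                   if s.lease_expiry is not None and s.lease_expiry <= now]
        for sid in expired:
            del self.shares[sid]
        return expired

    def has(self, share_id: str) -> bool:
        return share_id in self.shares


def simulate(policy: GcPolicy) -> Dict[str, bool]:
    """Constructed scenario: share-A is valuable but the client goes offline and
    stops renewing leases; share-B is one the client explicitly wants gone."""
    server = StorageServer(policy, lease_seconds=100)
    server.upload("share-A", b"<ciphertext of A>", now=0)
    server.upload("share-B", b"<ciphertext of B>", now=0)
    server.renew_lease("share-A", now=50)           # last contact before going offline
    server.gc(now=200)                              # periodic GC while the client is away
    b_removed_by_client = server.delete("share-B")  # client returns and asks for B to go
    return {
        "A_survived": server.has("share-A"),
        "B_removed": not server.has("share-B"),
        "B_removed_by_explicit_delete": b_removed_by_client,
    }


if __name__ == "__main__":
    for policy in GcPolicy:
        print(policy.value, simulate(policy))
```

Under the timeout policy the offline client loses share-A to the GC run even though it never asked for that, which is the accidental-loss risk the comment calls dangerous; under the affirmative policy share-A survives indefinitely and only share-B, which the client named explicitly, is removed. Neither policy says anything about copies an attacker may already hold elsewhere, which is the other half of the comment's argument.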