Did you know The Moms of Furries will be hosting their Young Furry Chill Space at CFF this year? Carrie and Joelle are so excited to bring their expertise and fun to the con! You’ll be able to find their minor focused space in our Meadow and you’ll see them hosting special events over the weekend!
A friendly reminder from our Safety team: we do not allow attendees wearing tactical or tactical-style gear, or any accessories that may be perceived as real. Props brought into the convention space must also be inspected and peace-bonded.
After a long day of exhausting conversations about Hybrid Post-Quantum Cryptography, random jackasses trying to play gotcha with endpoint attacks against end-to-end encrypted messaging apps, and message board discussions in the wake of dumb politicians pushing more “age verification” bullshit on us all, it’s become abundantly clear to me that the phrase “threat model” is a foreign concept to most people.
For context, this was commissioned during the era of anti-vaccine losers claiming to “do their own research” briefly co-opting the word “threat model” as a buzz word.
I just still find it kind of funny even without this context.
To be up front: If you’re here looking for an academic resource with over 100 citations on how to write a formal threat model document for your new startup which involves multiple blockchains, this probably isn’t the gay furry blog for you. Maybe start with STRIDE and system theory.
But if you’re looking to build an intuition for what questions a good threat model should answer, and you’re starting from zero, you’re probably in the right place.
So let’s talk about threat modeling.
Threat Modeling For Neophytes
Their name is Neophyte, if you didn’t get the joke.
While a threat model is a formal cybersecurity process that some infosec folks actually specialize in, you can run informal threat models in the design and architecture phases of developing a new product or service and no one can stop you. You might just end up with a better result.
A threat model should, at minimum, answer these basic questions:
What are we even protecting to begin with?
If you can’t answer this, you have a lot of ground work to do.
Who/what wants to harm what we’re protecting?
Hackers, activists, cyber-stalkers, social media harassment networks
Natural disasters / bad karma
Underpaid and overworked employees who get fed up
Idiotic legislatures paid by large corporate lobbyists to pass stupid laws that hurt everyone
Nation State Adversaries!!!!1oneon
How might (2) attack (1)?
Attack scenarios go here
Murphy’s Law goes here
What will we do to prevent (3) from happening?
Murphy’s Law also goes here!
And, like, okay. If you can check those off, you can call your document a threat model in some sense.
However, this is often useless in practice because some crucial details are omitted.
What assumptions are we making, especially with (4) and (5)?
I’ll say more about this below.
What threats are we deliberately not addressing?
You literally cannot address every possible attack that any person will ever imagine in the unforeseeable future, so don’t pretend to.
Too many people take assumptions (6) for granted, ironically, but it’s incredibly important to be as clear about what your assumptions are.
If one of your assumptions is wrong, then your model is incomplete (at best), or your list of accepted risks (7) needs to be reconsidered.
For example: The Invisible Salamanders attack breaks abuse reporting in some end-to-end encrypted messaging designs, but only if you introduce abuse reporting.
The attack is possible because one of the assumptions that went into the AEAD schemes in question (AES-GCM, ChaCha20-Poly1305) is that there is only one valid key for a given message. The second you introduce multiple valid keys for a given message (or confused deputies for that matter), you’ve gone outside the security guarantees of your algorithm–which, as an attacker, makes for a fun trick.
Being clear about your assumptions allows you to identify your own unknown unknowns. You don’t have to be perfect.
In fact: Threat models are supposed to be living documents, not point-in-time snapshots. Update them whenever you deem appropriate.
The threat model is organized into the following sections:
Assumptions (stated up front)
Assets
Actors (both attackers and people we want to protect), given role names
The risks, which have one of four statuses attached
Prevented by design: Attack simply won’t work lol
Mitigated: Attacks shouldn’t succeed, unless an assumption is wrong. Most interesting for researchers to focus on.
Addressable: There’s a way to mitigate the risk, but it requires effort or care. Operators should be aware of this.
Open: This is a risk we cannot or will not mitigate. These are the attacks that will succeed.
This threat model isn’t perfect, of course. I didn’t perfectly relate the assets and actors to each other in a human-readable graph. There might be blind spots in the risks section I never considered. I might have forgotten to write down some assumption that matters for the security of the system.
If you can look at my project’s threat model and see its shortcomings, you probably understand the assignment well enough to write your own.
But enough thinly-veiled shameless self-promotion. You won’t learn much only looking at my example of fur-in-the game. We also need an example of a bad threat model doc, and boy howdy do I have one ready.
An attacker could send messages which created an unrecoverable “split-brain” state in the cluster such that the victim’s servers could no longer derive a consistent view of the chatroom state.
9.1.3 Threat: Bad History
An attacker could convince the victim to accept invalid messages which the victim would then include in their view of the chatroom history. Other servers in the chatroom would reject the invalid messages and potentially reject the victims messages as well since they depended on the invalid messages.
9.1.4 Threat: Block Network Traffic
An attacker could try to firewall traffic between the victim’s server and some or all of the other servers in the chatroom.
9.1.5 Threat: High Volume of Messages
An attacker could send large volumes of messages to a chatroom with the victim making the chatroom unusable.
9.1.6 Threat: Banning users without necessary authorisation
An attacker could attempt to ban a user from a chatroom without the necessary authorisation.
9.2 Spoofing
An attacker could try to send a message claiming to be from the victim without the victim having sent the message in order to:
Impersonate the victim while performing illicit activity.
Obtain privileges of the victim.
9.2.1 Threat: Altering Message Contents
An attacker could try to alter the contents of an existing message from the victim.
9.2.2 Threat: Fake Message “origin” Field
An attacker could try to send a new message purporting to be from the victim with a phony “origin” field.
9.3 Spamming
The attacker could try to send a high volume of solicited or unsolicited messages to the victim in order to:
Find victims for scams.
Market unwanted products.
9.3.1 Threat: Unsolicited Messages
An attacker could try to send messages to victims who do not wish to receive them.
9.3.2 Threat: Abusive Messages
An attacker could send abusive or threatening messages to the victim
9.4 Spying
The attacker could try to access message contents or metadata for messages sent by the victim or to the victim that were not intended to reach the attacker in order to:
Gain sensitive personal or commercial information.
Impersonate the victim using credentials contained in the messages. (e.g. password reset messages)
Discover who the victim was talking to and when.
9.4.1 Threat: Disclosure during Transmission
An attacker could try to expose the message contents or metadata during transmission between the servers.
9.4.2 Threat: Disclosure to Servers Outside Chatroom
An attacker could try to convince servers within a chatroom to send messages to a server it controls that was not authorised to be within the chatroom.
9.4.3 Threat: Disclosure to Servers Within Chatroom
An attacker could take control of a server within a chatroom to expose message contents or metadata for messages in that room.
(Yes, I excerpted the whole section in the scrolling box above.)
A few things you might notice, scrolling through this:
This is just a list of different attack types.
There is no list of assumptions.
There is no list of assets, nor their relationships to other assets.
Bonus observation for anyone that read it live from the Matrix website: It has largely remained unchanged since v1.1 (published in 2021), despite both my vulnerability disclosures and twoadditional cryptographic attacks by Lotte.
As annoying as this is, and as tempting as it might be to fail Matrix entirely, at least they have a threat model.
Signal, by contrast, gives you a bunch of technical specifications and expects you to figure the threat model out for yourself. This is one of the many things about Signal that annoys me.
So to Matrix’s threat model author, I award the following:
Matrix’s Threat Model? I give it a C-.
A shitty threat model beats not having a threat model.
How Threat Models Help You Build Better Stuff
There are a lot of infosec truisms that you’ll hear early in your career. Things like, “Defenders have to get it right all the time, attackers only need to get it right once.”
Yeah, but well-equipped defenders can decide the terrain. Put that in your Art of War pipe and smoke it.
Every security practitioner from here to seclists preaches defense-in-depth, but doing actual defense in depth means understanding your threat model well enough to force attackers into predictable dead ends.
Let me give you a practical example, then a more interesting one.
Preventing Credential Stuffing
Credential stuffing is a stupid simple attack that’s unreasonably effective in most real world scenarios.
Why? Because people reuse passwords.
Why do people reuse passwords? Because they can only be assed to remember so many passwords, and asking them to create a unique, secure password for your app is laughable.
To mitigate this risk, there was a long period of time when password managers were the right answer to this problem. These days, they’re still okay (but not Lastpass), but passkeys are better.
Why? Because passkeys are a more user-friendly (note: not totally user friendly) way to get users to use asymmetric cryptography for authentication. In the best case, they’re using hardware security tokens (e.g., SoloKeys or YubiKeys). In the average case, their OS or password manager is providing this for them.
Following a chain of “why?” questions like this is one way to get a feel for the threats inherent to a (deeply flawed) security control. But it does come with the inherent risk of falling into rabbit holes, so be careful with that.
If you want to avoid credential stuffing and related trivial attacks:
Design your application to require passkeys.
Require users to enroll multiple passkeys (or at least one for backup purposes).
Give administrators a way to break glass add a new passkey for another user if they lose all their credentials. Log these actions in a way the administrators cannot censor.
Do not support passwords for authentication at all if you can avoid them.
Passwords for deriving encryption keys is fine, as I wrote here.
As an added bonus, passkeys are not phishable either–due to the protocol cryptographically binding each credential to a domain name during registration.
Whatever it costs you to onboard your users to passkeys, you’ll save loads more on the support burden caused by credential stuffing and phishing (and completely avoid the ill-advised “phishing tests” that don’t measurably improve outcomes).
By removing the unreasonable expectation of humans to memorize, and also never reuse, a high-entropy secret for your service, you kill off multiple classes of attack and improve usability. A good threat modelling exercise can lead to this discovery independent of my blog post.
Security at the expense of usability comes at the expense of security.
There are currently two proposals for end-to-end encryption for direct messages that are being discussed by cryptography experts and decentralization nerds:
Message ordering is important for the security of ratcheting trees, which underpin the epochs in MLS.
For ActivityPub, if they adopt key transparency for the first caveat, they just need to be explicit how to handle races from multiple proposed KeyUpdate messages, especially across different servers. Not trivial, but solvable.
But the situation is trickier for ATProto / BlueSky.
Why ATProto Makes This More Difficult
ATProto doesn’t have instances like the Fediverse does. This is partly because ATProto was designed by Bitcoin-pilled developers on Jack Dorsey’s payroll who decided that having “global state” was a good service design choice. And blockchain is the worst kind of global state to stabilize because you have many writers.
Instead of just building a thing that clients use to encrypt messages they pass to their instance (like with ActivityPub), you basically have to treat everything as peer-to-peer (or damn close to p2p, anyway) when making your security analysis.
This means you need to figure out another complex protocol to guarantee message ordering in a distributed system (e.g., something like the Raft consensus algorithm), or you skip MLS in favor of pairwise E2EE and forego the group abstraction entirely.
If you consider the confidentiality of messages passed between users to be a security goal of your project, and you want your hosting to be decentralized, the blockchain-inspired design of ATProto is actually an impediment towards using the most efficient group key agreement protocol standardized today.
Yes, it is an impediment that several excellent engineers are currently cleverly working around today, but you could have avoided their mistakes when you were still at the drawing board.
Aside from the obviously unreasonable people (and unwelcome sex pests like Jacob Appelbaum who I refuse to communicate with), I did ask many of the folks DJB summoned to the thread to elaborate on what specific security concerns they had.
Unsurprisingly, they were following the same black-and-white thinking (“hybrids good! pure PQ bad!”) that I suspected, but you always got to probe in case there’s an unexpected reason!
To apply our understanding of threat modelling to this situation, we need to establish some facts.
ML-KEM is not a NSA design.
Its principal submitter was Peter Schwabe, who collaborated with Daniel J. Bernstein on the NaCl cryptography library and lives in Germany.
NIST / FIPS / NSA demands non-hybrid ML-KEM / ML-DSA in classified systems.
If there was a NOBUS backdoor in these algorithms, it would be patently fucking stupid for them to be in a hurry to move everything over to those algorithms.
Anyone who disagrees with these facts is simply rejecting reality. To that avenue of discourse, I say simply, PoC || GTFO.
The IETF discussion in question is about publishing an RFC that establishes a code point for non-hybrid ML-KEM.
The non-hybrid RFC draft is marked Recommend=N, while the hybrid KEM RFC will be marked Recommend=Y. This is because hybrid KEMs are preferred over non-hybrid KEMs. If the IETF produces an RFC that specifies ML-KEM, there will be no reduction in security to system configured to always use hybrid KEMs.
Google Chrome already supports non-hybrid ML-KEM. If the IETF effort fails to produce an RFC, there will be no real benefit.
So you might be wondering, “What’s the point of an RFC if it seemingly doesn’t do anything?”
Well, it does do something, just not for most of us: If you’re an organization whose engineers are being told by lawyers that a) you must adhere to CNSA 2.0 and/or FIPS 140-3 (or possibly other weird rules), and b) any designs you specify must have a stable IETF RFC number rather than merely be an Internet Draft, then this unblocks you from a lot of bullshit red tape.
Is that a stupid problem to have? Absolutely.
Is that a common problem for some business verticals, especially who sell to government customers? Certainly.
Objecting to the RFC for ideological reasons effectively only leaves those people out in the rain without an umbrella. This is the exact opposite of harm reduction.
But what about technical objections? Isn’t Hybrid PQ+T better than pure PQ?
Well, this is where your threat modelling skills need to come in. If we use Q-Day as the short-hand for “once a cryptography-relevant quantum computer is built by an adversary”, we can think through the risks clearly.
Reminder: The risk we face for KEMs is Harvest Now, Decrypt Later rather than “wait for Q-Day to happen then break crypto”.
Pure ECDH (no PQ) is broken retroactively at Q-Day, regardless of whether other attacks materialize.
Pure PQ is not broken at Q-Day, assuming the PQ algorithms are not broken first.
Hybrid PQ+ECDH is a hedged bet against an algorithm break before Q-Day, but is utterly fucking useless over Pure PQ once Q-Day occurs.
DJB has been whipping up people who haven’t participated in any of the background discussion to object to Pure PQ in favor of Hybrid PQ+ECDH, and his call to action is full of NSA FUD and other fearmongering.
But here’s the rub: If you’re actually worried about the security of ML-KEM, why would ECDH + ML-KEM help if, on Q-Day, the ECDH contribution is effectively zero security?
Arguing for ECDH + ML-KEM today is acknowledging that ML-KEM is actually a secure algorithm to choose in the long run, modulo rare implementation flaws (most which are catchable by robust test vectors).
If you really chew on this problem, it should be clear that PQ+PQ hybrids are the only way to hedge your bets in a way that will remain resilient to a cryptography relevant quantum computer. Optional: Throw ECDH in there to ensure the status quo security is perserved.
None of the people opposing the RFC have, to my knowledge, advocated for ML-KEM + HQC + ECDH three-way hybrids, when that would be the most intellectually honest thing to argue for.
ML-KEM is a lattice-based KEM, and is believed by world-class cryptography experts to be impervious to quantum attacks.
HQC is a code-based KEM, and is believed by world-class cryptography experts to be impervious to quantum attacks.
ECDH is what we already use today, but is susceptible to quantum attacks.
But, really, the objections to this RFC are often silly and generally poorly thought out… which makes these threads a great opportunity to exercise your bullshit detector.
There are many guides on the Internet that will give you a formal treatment of threat models and the methodologies that are useful to approaching them. But where’s the fun in that?
Hopefully, you will walk away from this blog post with a vague smoke test for the quality and efficacy of a threat model document, and maybe even feel inspired to tackle this topic more seriously.
Our mysterious stranger introduced himself to Yuri, claiming his name to be Benito McFish, who had traveled a long road to bring us confidential information.
Stay tuned, because Benito is getting ready to announce something important tomorrow!
Got this bit of news from Animation World Network: “Academy Award nominee and Golden Globe winner Michael J. Fox will voice Dougie, the scrappy, big-hearted lead character in ICON Creative Studio’s upcoming CG animated family feature, Dragoons. The film follows Dougie, an overlooked, ordinary worker at WizCorp, until a freak accident awakens something extraordinary within his new apprentice, Dart. Transformed into mighty dragons, Dougie and Dart uncover an impossible truth: Their kind were once legendary rulers of the skies, until the ruthless wizard-CEO Hex shrank them, erased their memories, and stole their power to build his empire. With the truth in front of their eyes and in their hearts, Dougie and Dart must find the courage to rise, awaken their kind, and prove that even the smallest spark can light up the sky.” No word on a release date yet, but the film is directed by Shea Wageman. ICON Creative Studio are the folks who recently gave us this year’s Charlie the Wonderdog.