Yarmo Mackenbach 6210dc70c9 Fix draft post
2020-06-13 22:22:59 +02:00


title: Online impersonation
author: Yarmo Mackenbach
slug: online-impersonation
date: 2020-06-12 16:47:21
published: false

…or What is stopping you from becoming me?

Let me get this straight first: I'm not talking about me being famous and/or rich; I'm not. I'm talking about online impersonation, the act of claiming to be another person in the digital world. Every once in a while I think about it, and I get scared by how easy it is.

Sadly, this post does not propose solutions. It looks at current products that inspire "trust" and "confidence" that the online person you are talking to is actually the person you wish to be talking to.

Why it matters

Imagine I was someone involved with cryptocurrency or other forms of monetary transactions, or someone involved in politics, or someone who made an important scientific discovery. I'm not any of these things. Also, there's much more to life than money, but I hope it gets the point across.

All of the examples above are potential targets of impersonation: there are many reasons for a bad actor to try to convince a third party that they are in fact talking to the person of interest. The simplest: a monetary transaction. Convince

What makes me me

In the offline world? First, there's me, a physical being that you may have met before or have known for any period of time. When you see me, you know it's me. If we have never met, I could show my passport. In that case, we trust governments around the world to provide truthful documents, so you know who is in front of you. If you are meaning to meet X and the passport shows this is person Y, you have the wrong person in front of you.

I'm skipping the case of forged passports, as that would just complicate this story even more.

What makes me me online

This is where it gets more complicated. Who am I online? I don't have an "internet account" or any other single way of proving my digital identity. I don't have a digital identity. If I make an account on one website, that doesn't mean I have an account on another website. And even if I do, those accounts are not linked so I cannot prove to you that the same physical being made those two accounts.

I have a website! You are there right now! I am https://yarmo.eu and no one can take that away from me. No one will ever be able to claim their identity using this website.

But what if someone registered yarmo.something, claimed it was me and said that I simply "changed my website"? It would be their word against mine. One could visit both sites and say both are equally valid; nothing distinguishes the original from the fake.

Is there truly no way of identifying myself on the internet?

Keybase and why it is not the ultimate solution

Keybase proposes an interesting solution to the problem. It aims to be a central authority on who is who on the internet by linking and verifying accounts on different websites. It does this well: to verify an account on any social media, you need to post a specific message with a code. Since only you can do that, Keybase knows this account belongs to you. In itself, that does not mean much. Where it gets interesting is when you link and verify a second account on a different website.

Now, you can talk to someone on a chat service and refer them to your Keybase account. They can check that indeed, your account on that chat service and your account on Keybase are linked. But your Keybase account is also linked to perhaps a cryptocurrency account. Now, the other person can safely transfer cryptocurrency to you: they know the same person owns the chat service account and the cryptocurrency account.

But there is an easy counter: a bad actor could make a fake chat service account, cryptocurrency account and Keybase account. All will be perfectly linked, luring you into a false sense of trust. If you are expecting to talk to a "Johny", the bad actor will just make a "Johnny" account. Perfectly valid and difficult to discern.

Keybase has a trick up its sleeve: the social graph. When enough people have accounts, they can verify each other, usually by meeting in person and performing some data exchange using the Keybase app. All of a sudden, if you know and trust some account and they trust another account, you indirectly trust that third account. Problem solved.

Of course not. It could happen that you and the person you want to trust have no trusted person in common and that still wouldn't necessarily mean the person you want to trust isn't genuine. You also wouldn't want to rely on the number of persons a person of interest is verified by. They could all be made by the same bad actor.

This, combined with the fact that their server is not open source, meaning we do not know what happens behind the curtain, and the recent news that the team was acquired by Zoom to work on other projects instead of Keybase, tells me that this is not the way forward.

Something that only I possess: a private key

In the physical world, I can prove my identity by being me. No one else is me. My physical being, my DNA, is me. I don't have that in the digital world. But we can come close in terms of uniqueness: keypairs.

I won't go into too much detail; that would be the subject for another post. But a keypair is, as the name suggests, a pair of keys. A key is nothing more than a long piece of code; here's one of my two keys. I am only giving you one key because a keypair always consists of a public key and a private key. They are linked together in a very interesting way: if you have the private key, you can compute the public key, but if you only have the public key, you cannot compute the private key.

This means that I have an identity: no one else in the world has my private key. It is my digital DNA. How does one use a keypair? Well, I could write a message confirming, for example, my bank details or cryptocurrency account and sign it with my private key. You could then download my public key and verify that it was indeed signed by my private key which, again, no one else has; therefore, this physical being that is me wrote that message.

The oldest trick in the book

Sadly, this system is defeated once again in the same way. A bad actor could generate a different keypair, sign a message confirming a cryptocurrency account owned by the bad actor and simply tell you it was me who wrote it and who has that keypair.
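The sign-and-verify flow from the previous section, and the "different keypair" trick described just above, as an added example that is not part of the original post. It uses Ed25519 from Go's standard library as a stand-in for the author's PGP keys; the names and the addresses in the statements are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Identity is a keypair: the public half is shared, the private half never leaves its owner.
type Identity struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewIdentity generates a fresh Ed25519 keypair (a stand-in for the PGP keypair in the post).
func NewIdentity(name string) Identity {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Identity{Name: name, Pub: pub, priv: priv}
}

// Sign produces a signature over a statement such as "my donation address is ...".
func (id Identity) Sign(statement string) []byte {
	return ed25519.Sign(id.priv, []byte(statement))
}

// Verify checks a statement and signature against a public key the verifier already trusts.
func Verify(trustedPub ed25519.PublicKey, statement string, sig []byte) bool {
	return ed25519.Verify(trustedPub, []byte(statement), sig)
}

func main() {
	yarmo := NewIdentity("yarmo")
	impostor := NewIdentity("impostor") // a different keypair: the oldest trick in the book

	genuine := "Send donations to address YARMO-ADDR (constructed placeholder)"
	fake := "Send donations to address IMPOSTOR-ADDR (constructed placeholder)"
	sigGenuine := yarmo.Sign(genuine)
	sigFake := impostor.Sign(fake)

	// Checked against the key you obtained out of band from the real person:
	fmt.Println("genuine message verifies:", Verify(yarmo.Pub, genuine, sigGenuine)) // true
	fmt.Println("impostor message verifies:", Verify(yarmo.Pub, fake, sigFake))     // false
	// The trick only works if you accept whichever public key the sender hands you:
	fmt.Println("impostor verifies with own key:", Verify(impostor.Pub, fake, sigFake)) // true
}
```

The last line is the whole problem: a signature proves only that the message came from whoever holds the matching private key, so everything rests on how you obtained the public key you check against.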

We need a way of trusting private keys. If 1) only I can use a specific private key and 2) it can be demonstrated that my physical being owns that private key, the problem is solved. Any message signed by that private key was written by my physical being.

Step 1) is easy: generate a keypair and never ever share your private key, which you store either on a USB drive that never leaves your home or on a PC not connected to the internet. There are lots of best (and better) practices; a topic for another day.

Step 2) is as yet unsolved. But there is a way. Or rather, a concept.

The Web Of Trust

It's Keybase's social graph all over again but not owned by a single entity. The Web Of Trust describes a concept where keypair owners can trust and endorse each other's keypairs. If you trust Person A's keypair and Person A trusts Person B's keypair, you indirectly trust Person B's keypair without ever meeting (or needing to meet) this Person B. It's a digital identification method that can only be trusted and verified by physical, human interactions.
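An added example (not from the original post) of the trust propagation described here and of the caveat raised in the Keybase section: a key endorsed by many accounts is still untrusted when none of those endorsers trace back to someone you verified yourself. The graph, the hop limit and all names are constructed; real endorsements would be signatures by the endorser's key over the endorsed key, which this sketch leaves out.

```go
package main

import "fmt"

// Endorsement records that Endorser vouches (after meeting in person) for the keypair Endorsed.
type Endorsement struct{ Endorser, Endorsed string }

// TrustedKeys returns every key reachable from the keys you verified yourself (roots), following
// endorsements for at most maxHops steps, mapped to its distance from a root. A key with many
// endorsements but no path back to a root stays untrusted: the "all made by one bad actor" case.
func TrustedKeys(roots []string, endorsements []Endorsement, maxHops int) map[string]int {
	graph := map[string][]string{}
	for _, e := range endorsements {
		graph[e.Endorser] = append(graph[e.Endorser], e.Endorsed)
	}
	trusted := map[string]int{}
	frontier := []string{}
	for _, r := range roots {
		trusted[r] = 0
		frontier = append(frontier, r)
	}
	for hop := 1; hop <= maxHops && len(frontier) > 0; hop++ {
		next := []string{}
		for _, k := range frontier {
			for _, e := range graph[k] {
				if _, seen := trusted[e]; !seen {
					trusted[e] = hop
					next = append(next, e)
				}
			}
		}
		frontier = next
	}
	return trusted
}

func main() {
	// Constructed graph: you met A in person. A endorses B, B endorses C. Sybil keys s1..s3
	// endorse "fakeYarmo" and each other, but nobody you trust endorses any of them.
	endorsements := []Endorsement{
		{"A", "B"}, {"B", "C"},
		{"s1", "fakeYarmo"}, {"s2", "fakeYarmo"}, {"s3", "fakeYarmo"}, {"s1", "s2"}, {"s2", "s3"},
	}
	trusted := TrustedKeys([]string{"A"}, endorsements, 2)
	for _, k := range []string{"A", "B", "C", "fakeYarmo"} {
		hops, ok := trusted[k]
		fmt.Printf("%-9s trusted=%v hops=%d\n", k, ok, hops) // fakeYarmo: trusted=false
	}
}
```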

Unfortunately, keypairs are difficult to handle and their adoption outside of the tech-savvy world is still limited.

Final words

It was a messy post. There was no point to work towards, it's simply a collection of ramblings on different subjects that all relate to the abstract concept of digital identity. I'm not an expert on this subject, I only read about it and talk about it with people more knowledgeable than I am.

If you have more information or wisdom, please let me know (this links to a page containing my account details on various websites; it's on my website so you know it's me because you can trust me, right?).