The title topic comes up here and there, and I’m often asked about it on the air, so I thought I’d take the opportunity to detail, once and for all, why I have zero interest in ARRL’s Logbook of the World.
To be fair, it does what it does and based on the number of users, it does it reasonably well – you install their software, jump through their hoops, and you can submit your logs in a way that ARRL will accept for award credit. At that level, I have no complaint with the system.
However, Logbook of the World has a number of shortcomings that are sufficiently off-putting that they cause me to lose all interest in the system.
1. It’s great for one or two callsigns, but becomes an ever-increasing gluteal pain if you operate lots of special event and other callsigns.
Yes, if you have multiple callsigns, you need a separate cryptographic certificate for each additional callsign. That’s extra files you have to keep track of, extra things to check that you have properly configured before you submit logs, extra things to get deleted/munged if you have a computer failure. It’s also wholly unnecessary – with a database that’s even half-decently designed, one should be able to register once with a primary call and use that cryptographic signature with other calls associated with that particular user. In fact, that’s pretty much the way public key cryptography was DESIGNED to be used, but the ARRL chose not to do it that way.
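A sketch of the arrangement described above, in which an operator registers one key and the registrar keeps the list of callsigns associated with it. This is an added example, not ARRL or LotW code: the `Registry` schema, the function names, the callsigns and the record format are all assumptions, and Ed25519 stands in for whatever signature scheme a real system would use.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Account is one registered operator (hypothetical schema): a single public
// key plus every callsign the registrar has approved for that operator.
type Account struct {
	PubKey    ed25519.PublicKey
	Callsigns map[string]bool
}

type Registry map[string]*Account // primary callsign -> account

var (
	ErrUnknownUser   = errors.New("unknown primary callsign")
	ErrBadSignature  = errors.New("signature does not verify")
	ErrNotAssociated = errors.New("station callsign not associated with signer")
)

// Canonical binds the station callsign into the signed bytes, so a valid
// signature cannot be replayed under a different callsign.
func Canonical(stationCall, record string) []byte {
	return []byte(stationCall + "\n" + record)
}

// Accept verifies the signer's one key, then the callsign association.
func (r Registry) Accept(primary, stationCall, record string, sig []byte) error {
	acct, ok := r[primary]
	if !ok {
		return ErrUnknownUser
	}
	if !ed25519.Verify(acct.PubKey, Canonical(stationCall, record), sig) {
		return ErrBadSignature
	}
	if !acct.Callsigns[stationCall] {
		return ErrNotAssociated
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	// Constructed placeholder callsigns and log record.
	reg := Registry{"N0CALL": {PubKey: pub, Callsigns: map[string]bool{"N0CALL": true, "N0SES": true}}}
	rec := "CALL=K0XXX BAND=20M MODE=RTTY"
	fmt.Println(reg.Accept("N0CALL", "N0SES", rec, ed25519.Sign(priv, Canonical("N0SES", rec))))
}
```

Adding a special event callsign then becomes a change to the registrar's association list, with no new key material on the operator's machine.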
2. It’s “pretend” security, making a proverbial mountain out of a molehill. What security it provides is unnecessary.
Public Key cryptography – the driving engine behind LotW security – is intended to provide two levels of security. First, the radio amateur identifies himself to the certificate issuer satisfactorily. A digital certificate is issued and through the magic of mathematics, whenever the amateur uses the certificate to sign a message, it can be verified that that specific certificate was used. In order to say that an identity is verified, however, one must have assurance that the certificate has not been shared. So although I might jump through ARRL’s identity hoops, I could share my certificate around deliberately… or because it sits as a file on my computer, a malicious person could steal it from my hard drive. Unless the certificate is protected at some level, it offers little or no assurance that it is being used by the intended person. That is why serious systems that use public key cryptography store the certificate in a smart card or similar device – something the proper owner can carry with them and can’t be easily hacked. Yes, the owner could still share it around, but when it’s used he can’t say “well someone hacked it.”
Additionally, it is important that the issuance of certificates cannot be subverted in some way. In particular, for non-US operators, you need only send a real-looking copy of a licence, and a copy of some other official-looking document to verify your identity. If we assume that ARRL awards are something important enough for undeserving individuals to try to get, it’s probably fair to assume that faking these two simple documents would require only a few minutes of time on the internet and with a program like MSPaint or Photoshop. Therefore, the identity value of the cryptographic certificate is precisely zero by any measure. In fact, ARRL’s identification system is no better than eQSL, and arguably worse (eQSL can at least verify you have access to the mailing address you provide).
But… the certificate is also used to protect the submission in transit. Yes, the traffic is encrypted, but all that does is prevent it from being read by an interceptor (no value, not sensitive info), or modified by an interceptor (theoretically possible, but there would be MUCH easier ways to generate fake QSO records). I might accept this as a valid security measure if the ARRL could produce documentation indicating that they have done a Threat and Risk Assessment and determined that log information is at risk from this kind of attack. These are amateur radio QSO records, not government secrets.
In short, encrypting the records with public key cryptography is like swatting a mosquito by exploding an atomic bomb.
Looking at it another way: why don’t you put a 10 meter fence, a moat and a minefield around your house? You’d probably almost never get broken into, that would be certain. Odds are you don’t go to this extreme because the level of security isn’t justified by the level of risk. And even if you did put a 10 meter fence with a moat and minefield, you wouldn’t put a bridge over the whole thing right to your door. Public key cryptography is that fence/moat/minefield, and the slack authentication and identification process to get a certificate is that bridge.
Use of certificates also costs money. The certificates have to be maintained, they expire, people lose their passwords, they get compromised, they get lost, and all these problems are dumped on the certificate issuer to sort out. That costs time, and time is money. Having considerable experience in the specific field of PKI management, it would not be unreasonable for about 15-25% of certificates to be turned over in any given year just due to lost passwords and compromised certificates – not counting expired certificates and new issues. ARRL pays for that, which means that somewhere, users pay for it.
3. I have to install software on my machine.
OK, this one is nit-picky, but there is no reason that anyone should have to install software to do these submissions. Even the certificates could be used through a Java applet. The whole system is so old-tech. I’m not interested in installing and maintaining a piece of software so I can use pretend security to submit my logs when they can already be submitted automatically from my logging software to eQSL, HRDLog and other places.
4. ARRL charges LotW users for using LotW contacts in award applications.
Users of LotW are charged 25 cents (US) per LotW contact submitted for an award. This is probably related to the costs I mentioned in point 2. And even though that’s not much, it does add $25.00 to the cost of a DXCC if you do it all through LotW. Think about it – you’re paying ARRL for the privilege of saving THEM from sorting through your cards and proof. YOU ARE PAYING TO MAKE THEIR JOB EASIER – not yours, theirs. If anything, they should be reducing the charges for the award, but as noted above, operating a public key infrastructure costs money and they have to get it back somewhere.
More to the point, I like paper cards anyway, and I use paper cards, so why would I want to sink effort into a system that only matters for ARRL awards when I meet their award requirements for free with no extra work on my part?
I think I have laid out, in sufficient detail, why I don’t have interest in participating in the Logbook of the World. I hope it’s clear enough for everyone to understand. Please understand that I harbour no ill-will toward the ARRL or LotW users… If LotW works for you, that’s awesome – enjoy it.
However, since I am regularly asked why I am not interested in LotW, I felt it would be worthwhile to post the reasons here and then refer to them later so I don’t have to type the same thing over and over.
[edit 2014: I did finally sign up for LotW on my primary callsign late last year. I upload about twice a month. My return rate appears to be less than eQSL or paper, so despite all the bleating about how awesome LotW is, it’s actually not as good as eQSL or paper, at least for me. I’ll guess that maybe CW or phone people get more hits through this method.]
[edit 2017: In 2017, an interesting technology is arising – Quantum Computing. If the purpose of certificates in LotW is security, then be warned… in a decade, give or take, maybe less, quantum computers will destroy public key cryptography, and the “security” of LotW will be truly non-existent.]