C’est en allemand, mais c’est valable sans égard de la langue que vous utilisez pour votre communication.
– La communication sécurisée en ligne doit obligatoirement passer par une app et un prootocole open source.
– Il vous faut un système qui exclue ou rend très difficile la collection de métatdonnées par des tiers.
– Votre système de communication « voice » et « chat » doit fonctionner avec des clients
si vous voulez entretenir un fil de commmunication indépendamment du type d’appareil à votre disposition.
Roland Schilling (33) und Frieder Steinmetz (28) haben vor sechs Jahren begonnen, an der TU Hamburg unter anderem zu dieser Frage zu forschen. In einer Zeit, als noch niemand den Namen Edward Snowden auch nur gehört hatte, brüteten Schilling und Steinmetz bereits über die Vor- und Nachteile verschiedener Verschlüsselungsprotokolle und Messenger-Apps. So haben sie beispielsweise im vergangenen Jahr geschafft, die Verschlüsselung von Threema per Reverse Engineering nachzuvollziehen.
Ihre Forschung ist mittlerweile zu einer Art Aktivismus und Hobby geworden, sagen die beiden: Sie wollen Menschen außerhalb von Fachkreisen vermitteln, wie elementar die Privatsphäre in einer Demokratie ist. Im Interview erklären sie, auf was man bei der Wahl des Messengers achten soll, welche App in punkto Sicherheit nicht unbedingt hält, was sie verspricht und warum Kreditinstitute sich über datenhungrige Messenger freuen.
...
Roland Schilling: Bei mir ist es anders. Ich bringe die Leute einfach dazu, die Apps zu benutzen, die ich auch nutze. Das sind ausschließlich Threema, Signal und Wire. Wenn Leute mit mir reden wollen, dann klappt das eigentlich immer auf einer von den Dreien.
...
Frieder: ... Signal und WhatsApp etwa setzen auf die gleiche technische Grundlage, das Signal-Protokoll, unterscheiden sich aber in Nuancen. Threema hat ein eigenes, nicht ganz schlechtes Protokoll, das aber beispielsweise keine ‘Perfect Forward Secrecy’ garantiert. Die Technik verhindert, dass jemand mir in der Zukunft meinen geheimen Schlüssel vom Handy klaut und damit meine gesamte verschlüsselte Kommunikation entschlüsseln kann, die ich über das Handy geführt habe. Signal und WhatsApp haben das.
...
Roland: Ein gutes Messenger-Protokoll ist Open Source und ermöglicht damit Forschern und der Öffentlichkeit, eventuell bestehende Schwachstellen zu entdecken und das Protokoll zu verbessern. Leider gibt es auf dem Messenger-Markt auch viele Angebote, die ihre vorgebliche „Verschlüsselung“ diesem Prozess entziehen und geheim halten, oder das Protokoll zwar veröffentlichen, aber auf Kritik nicht eingehen.
WhatsApp Exploited by NSA and US Secret Services?
Go to the profile of Vadim An
Vadim An
Mar 7, 2018
This is the end of era centralized communication!
The 2017/2018 years are hot and saturated with cybersecurity challenges. Almost every week, a major media source reported hacking incidents or backdoor exploits in popular communication and messaging services. Some of which granted government agents unauthorized access to private and confidential information from within the communications industry.
According to mass-media reports, one of the most popular Swiss secure messaging apps Threema moved under the control of the Russian government and has been listed in the official registry with a view to controlling user communications.
This can be seen on regulatory public website ▻https://97-fz.rkn.gov.ru/organizer-dissemination/viewregistry/#searchform
This knockout news was commented by Crypviser — innovative German developer of the most secure instant communication platform based on Blockchain technologies, of the point of view, what does it mean for millions of Threema users?
To answer this question, let’s understand the requirements for getting listed in this registry as an “information-dissemination organizers” according to a new Russian federal law, beginning from 01 June 2018.
The law requires that all companies listed in internet regulator’s registry must store all users’ metadata (“information about the arrival, transmission, delivery, and processing of voice data, written text, images, sounds, or other kinds of action”), along with content of correspondence, voice call records and make it accessible to the Russian authorities. Websites can avoid the hassle of setting aside this information by granting Russian officials unfettered, constant access to their entire data stream.
This is very bad news for Threema users. Threema officials have reported that they are not aware of any requirements to store, collect, or provide information. Maybe not yet though since there is still some time until 01 June 2018 when the new law kicks in and Threema will be obligated to provide direct access to sensitive user’s data.
It’s possible that Threema is fully aware of this despite claiming otherwise. They may realize that the most popular messenger in Russia, Telegram, has been under pressure since refusing to officially cooperate with Russian secret services. If Russia takes steps to block Telegram as a result, then Threema would become the next best alternative service. That is assuming they’re willing to violating the security and privacy rights of its users by giving in to the new law’s requirements.
Based on the reports of Financial Time magazine, the Telegram founder agreed to register their app with Russian censors by the end of June 2017. This, however; is not a big loss for Telegram community because of the lack of security in Telegram to date. During the last 2 years, its security protocol has been criticized many times and many security issues were found by researchers. Although there is no direct evidence showing that Telegram has already cooperated with the Russian government or other governments, these exploitable bugs and poor security models make Telegram users vulnerable victims to hackers and secret services of different countries.
The same security benchmark issues have been explored in the biggest communication app WhatsApp. The security model of WhatsApp has been recognized as vulnerable by the most reputed cryptographic experts and researchers worldwide. According to the Guardian, a serious “backdoor” was found in encryption. More specifically, the key exchange algorithm.
A common security practice in encrypted messaging services involves the generation and store of a private encryption key offline on the user’s device. And only the public key gets broadcasted to other users through the company’s server. In the case of WhatsApp, we have to trust the company that it will not alter public key exchange mechanism between the sender and receiver to perform man-in-the-middle attack for snooping of users encrypted private communication.
Tobias Boelter, security researcher from the University of California, has reported that WhatsApp’s end-to-end encryption, based on Signal protocol, has been implemented in a way that if WhatsApp or any hacker intercepts your chats, by exploiting trust-based key exchange mechanism, you will never come to know if any change in encryption key has occurred in the background.
The Guardian reports, “WhatsApp has implemented a backdoor into the Signal protocol, giving itself the ability to force the generation of new encryption keys for offline users and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered. The recipient is not made aware of this change in encryption.”
But on the other hand, the developer of Signal messaging app Open Whisper Systems says, ”There is no WhatsApp backdoor”, “it is how cryptography works,” and the MITM attack “is endemic to public key cryptography, not just WhatsApp.”
It’s worth noting that none of the security experts or the company itself have denied the fact that, if required by the government, WhatsApp can intercept your chats. They do say; however, WhatsApp is designed to be simple, and users should not lose access to messages sent to them when their encryption key is changed. With this statement, agrees on a cybersecurity expert and CTO of Crypviser, Vadim Andryan.
“The Man-in-the-Middle attack threat is the biggest and historical challenge of asymmetric cryptography, which is the base of end-to-end encryption model. It’s hard to say, is this “backdoor” admitted intentionally or its became on front due lack of reliable public — key authentication model. But it definitely one of the huge disadvantages of current cryptographic models used for secure instant communication networks, and one of the main advantage of Crypviser platform.”
Crypviser has introduced a new era of cryptography based on Blockchain technologies. It utilizes Blockchain to eliminate all threats of Man-in-the-Middle attack and solves the historical public key encryption issue by using decentralized encryption keys, exchanges, and authorization algorithms. The authentication model of Crypviser provides public key distribution and authorization in peer-to-peer or automated mode through Blockchain.
After commercial launch of Crypviser unified app, ”messenger” for secure social communication will be available on the market in free and premium plans. The free plan in peer-to-peer authentication mode requires user interaction to check security codes for every new chat and call. The full-featured premium plan offers Blockchain based automated encryption model and powerful professional security features on all levels.
You can see the comperisation table of Crypviser with centralized alternatives in the below table
