company:open whisper systems

  • Why Signal and not Threema ? : signal
    https://www.reddit.com/r/signal/comments/852qor/why_signal_and_not_threema

    Signal is open source, Threema is not, so that disqualifies Threema as a secure app in my opinion. You could as well continue using WhatsApp since it’s also end to end encrypted but closed source. Wire is another great alternative, and it’s German.

    Hacker erklären, welche Messenger-App am sichersten ist - Motherboard
    https://motherboard.vice.com/de/article/7xea4z/hacker-erklaren-welche-messenger-app-am-sichersten-ist


    C’est en allemand, mais c’est valable sans égard de la langue que vous utilisez pour votre communication.
    – La communication sécurisée en ligne doit obligatoirement passer par une app et un prootocole open source.
    – Il vous faut un système qui exclue ou rend très difficile la collection de métatdonnées par des tiers.
    – Votre système de communication « voice » et « chat » doit fonctionner avec des clients smartphome et desktop si vous voulez entretenir un fil de commmunication indépendamment du type d’appareil à votre disposition.

    Passons sur les exigences plus poussées, je ne vois que Signal qui satisfait tous ces besoins. Après on peut toujours utiliser plusieurs « messenger apps » afin de rester au courant des « updates » de tout le monde - à l’exception des apps de Facebook (Whatsapp), Wechat et Google parce que leur utilistion constitue une menace de votre vie privée simplement par l’installation sur votre portable.

    Roland Schilling (33) und Frieder Steinmetz (28) haben vor sechs Jahren begonnen, an der TU Hamburg unter anderem zu dieser Frage zu forschen. In einer Zeit, als noch niemand den Namen Edward Snowden auch nur gehört hatte, brüteten Schilling und Steinmetz bereits über die Vor- und Nachteile verschiedener Verschlüsselungsprotokolle und Messenger-Apps. So haben sie beispielsweise im vergangenen Jahr geschafft, die Verschlüsselung von Threema per Reverse Engineering nachzuvollziehen.

    Ihre Forschung ist mittlerweile zu einer Art Aktivismus und Hobby geworden, sagen die beiden: Sie wollen Menschen außerhalb von Fachkreisen vermitteln, wie elementar die Privatsphäre in einer Demokratie ist. Im Interview erklären sie, auf was man bei der Wahl des Messengers achten soll, welche App in punkto Sicherheit nicht unbedingt hält, was sie verspricht und warum Kreditinstitute sich über datenhungrige Messenger freuen.
    ...
    Roland Schilling: Bei mir ist es anders. Ich bringe die Leute einfach dazu, die Apps zu benutzen, die ich auch nutze. Das sind ausschließlich Threema, Signal und Wire. Wenn Leute mit mir reden wollen, dann klappt das eigentlich immer auf einer von den Dreien.
    ...
    Frieder: ... Signal und WhatsApp etwa setzen auf die gleiche technische Grundlage, das Signal-Protokoll, unterscheiden sich aber in Nuancen. Threema hat ein eigenes, nicht ganz schlechtes Protokoll, das aber beispielsweise keine ‘Perfect Forward Secrecy’ garantiert. Die Technik verhindert, dass jemand mir in der Zukunft meinen geheimen Schlüssel vom Handy klaut und damit meine gesamte verschlüsselte Kommunikation entschlüsseln kann, die ich über das Handy geführt habe. Signal und WhatsApp haben das.
    ...
    Roland: Ein gutes Messenger-Protokoll ist Open Source und ermöglicht damit Forschern und der Öffentlichkeit, eventuell bestehende Schwachstellen zu entdecken und das Protokoll zu verbessern. Leider gibt es auf dem Messenger-Markt auch viele Angebote, die ihre vorgebliche „Verschlüsselung“ diesem Prozess entziehen und geheim halten, oder das Protokoll zwar veröffentlichen, aber auf Kritik nicht eingehen.

    Secure WhatsApp Alternatives – Messenger Comparison
    https://www.boxcryptor.com/en/blog/post/encryption-comparison-secure-messaging-apps

    Threema and Telegram under Control of Russia’s Government ?
    https://medium.com/@vadiman/threema-and-telegram-under-control-of-russias-government-f81f8e28714b

    WhatsApp Exploited by NSA and US Secret Services?
    Go to the profile of Vadim An
    Vadim An
    Mar 7, 2018
    This is the end of era centralized communication!

    The 2017/2018 years are hot and saturated with cybersecurity challenges. Almost every week, a major media source reported hacking incidents or backdoor exploits in popular communication and messaging services. Some of which granted government agents unauthorized access to private and confidential information from within the communications industry.

    According to mass-media reports, one of the most popular Swiss secure messaging apps Threema moved under the control of the Russian government and has been listed in the official registry with a view to controlling user communications.

    This can be seen on regulatory public website https://97-fz.rkn.gov.ru/organizer-dissemination/viewregistry/#searchform

    This knockout news was commented by Crypviser — innovative German developer of the most secure instant communication platform based on Blockchain technologies, of the point of view, what does it mean for millions of Threema users?

    To answer this question, let’s understand the requirements for getting listed in this registry as an “information-dissemination organizers” according to a new Russian federal law, beginning from 01 June 2018.

    The law requires that all companies listed in internet regulator’s registry must store all users’ metadata (“information about the arrival, transmission, delivery, and processing of voice data, written text, images, sounds, or other kinds of action”), along with content of correspondence, voice call records and make it accessible to the Russian authorities. Websites can avoid the hassle of setting aside this information by granting Russian officials unfettered, constant access to their entire data stream.

    This is very bad news for Threema users. Threema officials have reported that they are not aware of any requirements to store, collect, or provide information. Maybe not yet though since there is still some time until 01 June 2018 when the new law kicks in and Threema will be obligated to provide direct access to sensitive user’s data.

    It’s possible that Threema is fully aware of this despite claiming otherwise. They may realize that the most popular messenger in Russia, Telegram, has been under pressure since refusing to officially cooperate with Russian secret services. If Russia takes steps to block Telegram as a result, then Threema would become the next best alternative service. That is assuming they’re willing to violating the security and privacy rights of its users by giving in to the new law’s requirements.

    Based on the reports of Financial Time magazine, the Telegram founder agreed to register their app with Russian censors by the end of June 2017. This, however; is not a big loss for Telegram community because of the lack of security in Telegram to date. During the last 2 years, its security protocol has been criticized many times and many security issues were found by researchers. Although there is no direct evidence showing that Telegram has already cooperated with the Russian government or other governments, these exploitable bugs and poor security models make Telegram users vulnerable victims to hackers and secret services of different countries.

    The same security benchmark issues have been explored in the biggest communication app WhatsApp. The security model of WhatsApp has been recognized as vulnerable by the most reputed cryptographic experts and researchers worldwide. According to the Guardian, a serious “backdoor” was found in encryption. More specifically, the key exchange algorithm.

    A common security practice in encrypted messaging services involves the generation and store of a private encryption key offline on the user’s device. And only the public key gets broadcasted to other users through the company’s server. In the case of WhatsApp, we have to trust the company that it will not alter public key exchange mechanism between the sender and receiver to perform man-in-the-middle attack for snooping of users encrypted private communication.

    Tobias Boelter, security researcher from the University of California, has reported that WhatsApp’s end-to-end encryption, based on Signal protocol, has been implemented in a way that if WhatsApp or any hacker intercepts your chats, by exploiting trust-based key exchange mechanism, you will never come to know if any change in encryption key has occurred in the background.

    The Guardian reports, “WhatsApp has implemented a backdoor into the Signal protocol, giving itself the ability to force the generation of new encryption keys for offline users and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered. The recipient is not made aware of this change in encryption.”

    But on the other hand, the developer of Signal messaging app Open Whisper Systems says, ”There is no WhatsApp backdoor”, “it is how cryptography works,” and the MITM attack “is endemic to public key cryptography, not just WhatsApp.”

    It’s worth noting that none of the security experts or the company itself have denied the fact that, if required by the government, WhatsApp can intercept your chats. They do say; however, WhatsApp is designed to be simple, and users should not lose access to messages sent to them when their encryption key is changed. With this statement, agrees on a cybersecurity expert and CTO of Crypviser, Vadim Andryan.

    “The Man-in-the-Middle attack threat is the biggest and historical challenge of asymmetric cryptography, which is the base of end-to-end encryption model. It’s hard to say, is this “backdoor” admitted intentionally or its became on front due lack of reliable public — key authentication model. But it definitely one of the huge disadvantages of current cryptographic models used for secure instant communication networks, and one of the main advantage of Crypviser platform.”

    Crypviser has introduced a new era of cryptography based on Blockchain technologies. It utilizes Blockchain to eliminate all threats of Man-in-the-Middle attack and solves the historical public key encryption issue by using decentralized encryption keys, exchanges, and authorization algorithms. The authentication model of Crypviser provides public key distribution and authorization in peer-to-peer or automated mode through Blockchain.

    After commercial launch of Crypviser unified app, ”messenger” for secure social communication will be available on the market in free and premium plans. The free plan in peer-to-peer authentication mode requires user interaction to check security codes for every new chat and call. The full-featured premium plan offers Blockchain based automated encryption model and powerful professional security features on all levels.

    You can see the comperisation table of Crypviser with centralized alternatives in the below table

    #internet #communication #sécurité #vie_privée

  • Binance’s $1bn fund and its first step into institutional investing
    https://hackernoon.com/binances-1bn-fund-and-its-foray-into-institutional-funds-98b02f9d2e19?so

    Today, Binance, one of the largest cryptocurrency exchanges, announced plans to establish a US$1 billion fund. Ella Zhang, head of Binance Lab, announced in an online conference. Per Techcrunch’s report about the fund,“[The] ‘Community Influence’ fund, which will be denominated in Binance’s BNB coin, will be aimed at nascent startups and also funds themselves…Binance is looking to back funds with at least $100 million in capital and, of course, a focus on blockchain and crypto. The firm will also launch a Binance Ecosystem Fund which it said will include 20 partners. [Previously], it led a $30 million investment in MobileCoin — a startup that’s advised by Moxie Marlinspike, the founder of encrypted messaging app Signal and Open Whisper Systems — and it is establishing an incubator that will (...)

  • Amazon refuse que Signal se cache dans son trafic pour éviter la censure
    https://www.numerama.com/tech/364702-amazon-refuse-que-signal-se-cache-dans-son-trafic-pour-eviter-la-ce

    Amazon a averti Open Whisper Systems, l’organisation qui développe Signal, de bien respecter les conditions d’utilisation de son infrastructure dans le cloud. En effet, la société américaine a appris que Signal envisage de cacher son trafic pour esquiver la censure dans certains pays. Il n’y a pas que Telegram qui rencontre quelques problèmes avec le stratagème anti-censure appelé « domain fronting ». L’application de messagerie Signal pourrait aussi avoir des ennuis si elle ne change pas très vite de (...)

    #Google #OWS #Amazon #Signal #censure #cloud

    • “WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.

      The recipient is not made aware of this change in encryption, while the sender is only notified if they have opted-in to encryption warnings in settings, and only after the messages have been re-sent. This re-encryption and rebroadcasting effectively allows WhatsApp to intercept and read users’ messages.”

    • Mais surtout:

      “[the researcher] reported the vulnerability to Facebook in April 2016, but was told that Facebook was aware of the issue, that it was “expected behaviour” and wasn’t being actively worked on.”

    • La dénégation de Moxie Marlinspike au nom de son entreprise Open Whisper Systems qui a travaillée sur le logiciel WhatsApp.

      Je ne sais pas trop quoi en penser...

      There is no WhatsApp ’backdoor’
      moxie0 on 13 Jan 2017
      https://whispersystems.org/blog/there-is-no-whatsapp-backdoor

      The WhatsApp clients have been carefully designed so that they will not re-encrypt messages that have already been delivered. Once the sending client displays a “double check mark,” it can no longer be asked to re-send that message. This prevents anyone who compromises the server from being able to selectively target previously delivered messages for re-encryption.

      The fact that WhatsApp handles key changes is not a “backdoor,” it is how cryptography works. Any attempt to intercept messages in transmit by the server is detectable by the sender, just like with Signal, PGP, or any other end-to-end encrypted communication system.

      The only question it might be reasonable to ask is whether these safety number change notifications should be “blocking” or “non-blocking.” In other words, when a contact’s key changes, should WhatsApp require the user to manually verify the new key before continuing, or should WhatsApp display an advisory notification and continue without blocking the user.

      Given the size and scope of WhatsApp’s user base, we feel that their choice to display a non-blocking notification is appropriate. It provides transparent and cryptographically guaranteed confidence in the privacy of a user’s communication, along with a simple user experience. The choice to make these notifications “blocking” would in some ways make things worse. That would leak information to the server about who has enabled safety number change notifications and who hasn’t, effectively telling the server who it could MITM transparently and who it couldn’t; something that WhatsApp considered very carefully.

    • Et une réponses aux réponses :

      WhatsApp vulnerability explained : by the man who discovered it - Tobias Boelter https://www.theguardian.com/technology/2017/jan/16/whatsapp-vulnerability-facebook?CMP=share_btn_tw

      Il pointe notamment une évidence qui semble « échapper » à l’Electronic Frontier Foundation : WhatsApp n’étant pas un logiciel libre et le réseau WhatsApp n’étant pas accessible à des logiciels clients tiers : il n’est pas possible de vérifier le comportement réel de WhatsApp. Bref il n’est pas possible d’affirmer que WhatsApp est sécurisé.

  • Vie privée : l’application Signal reçoit sa première réquisition judiciaire
    http://www.lemonde.fr/pixels/article/2016/10/04/vie-privee-l-application-signal-recoit-sa-premiere-requisition-judiciaire_50

    Open Whisper Systems, la société qui édite l’application sécurisée de messagerie Signal, a reçu cette année sa première réquisition judiciaire lui enjoignant de fournir des informations sur un utilisateur, révèle Associated Press. L’entreprise a refusé, « non pas parce qu’elle ne le voulait pas, mais parce qu’elle ne le pouvait techniquement pas », explique l’association ACLU, qui représente juridiquement Open Whisper Systems. Signal utilise en effet une technologie dite de « chiffrement de bout en bout » – (...)

    #écoutes #Open_Whisper_Systems #Signal

  • The perils of federated protocols
    https://lwn.net/SubscriberLink/687294/3fe484e7cd23f719

    The lure of “federation” for internet services is potent, since it allows disparate providers to interoperate and users to choose the provider that (most) meets their needs—or to become their own provider. Many of the longtime services, such as email, web serving, DNS, and others, are federated, but many of the newest services decidedly are not. That tension is playing out right now for the Signal open-source encrypted messaging and voice application from Open Whisper Systems (OWS) and others who would like to be able to federate with it.

  • “I no longer believe that it is possible to build a competitive federated messenger at all” - Moxie’s conclusion makes me sad: his lack of utopia is disappointing.... But it is a lucid analysis of the contemporary landscape, though one may take into account his service provider bias considering his interest in Open Whisper Systems. The notification panel as federation locus - yuck... But it is the current reality and it works.

    https://whispersystems.org/blog/the-ecosystem-is-moving #Moxie_Marlinspike #Open_Whisper_Sytems #Signal #messageing #messagerie #xmpp

  • A very interesting paper (I said “interesting”, I didn’t say I agree!) on open networks where independant nodes with independently developed programs interoperate thanks to standards. The author claims closed and centralized systemes are better, because they allow faster evolution (he uses security and privacy as an example).

    https://whispersystems.org/blog/the-ecosystem-is-moving

    #Internet #privacy #federated_systems #centralized #decentralized

    • Like any federated protocol, extensions don’t mean much unless everyone applies them, and that’s an almost impossible task in a truly federated landscape. What we have instead is a complicated morass of XEPs that aren’t consistently applied anywhere. The implications of that are severe, because someone’s choice to use an XMPP client or server that doesn’t support video or some other arbitrary feature doesn’t only effect them, it effects everyone who tries to communicate with them. It creates a climate of uncertainty, never knowing whether things will work or not. In the consumer space, fractured client support is often worse than no client support at all, because consistency is incredibly important for creating a compelling user experience.

      #XMPP

    • “I no longer believe that it is possible to build a competitive federated messenger at all” - Moxie’s conclusion makes me sad: his lack of utopia is disappointing.... But it is a lucid analysis of the contemporary landscape, though one may take into account his service provider bias considering his interest in Open Whisper Systems. The notification panel as federation locus - yuck... But it is the current reality and it works.

    • Troll put aside (« it’s undeniable that XMPP still largely resembles a synchronous protocol with limited support for rich media, which can’t realistically be deployed on mobile devices. If XMPP is so extensible, why haven’t those extensions quickly brought it up to speed with the modern world? » is pure ignorance or, worst, deliberate misleading), this is not a technical problem, but a pretty old political one.

      It’s not new that some people think or declare that a monarchy or dictatorship (with a « enlightened leader ») is more efficient than a system involving cooperation and discussion. History has proven it wrong many times.

      I really don’t understand why free software (talking about free software, not open source) community is even paying attention and sometime giving credit to this kind of text, this is in total oposition of what free software are made for.

    • @Goffi : I’m paying attention because acquisition of users is critical where network-effect is the main usage driver. Centralization has a huge advantage in contact discovery - currently big enough to make decentralized systems seem incapable in comparison. Everything else is moot if a new user can’t instantly fill his contacts list. Decentralized will still work best for closed groups or in privacy-critical environments, but the mass market is now centralized - I have recently decided that this battle is lost... But I’m still wondering about the holy grail of privacy-preserving contact discovery in decentralized systems - maybe some cryptographic wizardry will make that possible one day and change the whole game. Until them I’ll go where my girlfriends are.

      PS: I still run an ejabberd but the number of people I reach through it can now be counted on the fingers of one hand - on a good day. The girlfriends used to be there... That era is gone.

    • Also, this made me think about a short discussion I had with Dean Bubley a couple of weeks ago : https://twitter.com/liotier/status/727848142994018304 - he argues that the comparative benefit of freedom of service provider choice inherent to decentralized networks is made irrelevant when users can setup and populate a new centralized network in 30 seconds. Still proprietary, still a trust SPOF - but those are minor factors in mass market user choice.

    • @liotier : centralisation allows contact discovery *in the network*, you wont find my contact on Twitter for instance because I’m not there. In addition, the biggest network to date in term of user (before FB) is a decentralised one: email.

      Anyway the network effect is a bad usage driver, I wish that this notion doesn’t exist anymore in the future. Network effect exists because people are not able to talk to each other between networks. If interoperability exists, you can have a network with 10 or even 1 person, if you can talk to all the others there is no more notion of network effect. Again email is a good exemple, I’m the only one on my server and I’m not isolated because of network effect.

      @stephane : thank for the ping, I’ve already seen this text on XSF muc room. I’m really not fond of the certification thing by the way.

    • Network effect exists because people are not able to talk to each other between networks. If interoperability exists, you can have a network with 10 or even 1 person, if you can talk to all the others there is no more notion of network effect.

      Other example of this kind: the phone networks. There is a large number of companies, that manage different networks, but all interoperate. And in many countries, there are also regulatory norms that mandate “portability” to allow users to switch from one network to another without cost.

      Maybe part of the solution is regulatory, no technological.

    • > Maybe part of the solution is regulatory, no technological

      Hampering interoperability might be interpreted as abuse of dominance as defined by Article 102 of the Treaty on the Functioning of the European Union (http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:12008E102)... But you’ll have a hard time building a convincing case when the “product market” (as defined by same article) arguably encompasses all equivalent services between which users switch easily (see Signal’s signup spike when Whatsapp became temporarily banned in Brazil). POTS was heavily regulated because no such market diversity existed, so the dominance and abuse thereof were obvious.

      Email is driven by standards-based interoperability because it grew up at a time where no one was seeing value in owning users... That era is past, even though we enjoy its legacy.

      Service/standard adoption are investment driven:
      – Investment in development
      – Investment in usage (yes, for a user, setting up a system and learning its use is an investment)

      Now, think about why the developer (in the business sense, not the technical one) and the user would invest ?

      For the user, it is all about innovation: given acceptable levels of service, the user will switch to where the exciting new functionality is (see Simon Wardley’s works for this line of argumentation). Decentralized loses because innovation requires consensus - working with standards body is a long tedious slog... So time to market will be unacceptable or at least it will be to late for any competitive advantage. So it follows that businesses will only standardize if they have no choice but delivering an interoperable solution because they don’t have a strong market position - otherwise, fuck standards: either the customers will eat whatever the dominant provider feeds them or the provider better deliver exciting functionality before anyone else if they want to keep growing.

      Even merely opening an API to third-party clients is a threat to that model: it freezes the service in its current form, thus slowing functional change... Businesses don’t want that - except when the customers put interoperability before other functionality, which seldom happens.

      As for some hope for the free world ? As I said - and as David Cridland explains, it lies in a revolution in contact discovery. Who knows if a cryptographic protocol could let users expose chosen bits to chosen interlocutors in a distributed way (did anyone say “blockchain” ?)... I have no idea and it is a hard problem - seen Moxie’s take on this (notably the mention of encrypted bloom filters): https://whispersystems.org/blog/contact-discovery - posted by @stephane a couple of years ago. David Cridland offers the less utopian idea of a centralized directory for the open world... It could surely work and it might even be sufficiently cheap to be fundable - but what a SPOF in every dimension !

  • WhatsApp : Technical White paper on their end-to-end encryption protocol

    Since April 2016 all WhatsApp communication (messages, group chats, images, videos, voice messages and files) are being encrypted end-to-end, including metadata which is specifically mentioned in the paper :
    • “Encrypts metadata to hide it from unauthorized network observers"
    • “No information about the connecting user’s identity is revealed.”
    • "WhatsApp servers do not have access to the private keys of WhatsApp users”
    • "WhatsApp users have the option to verify keys in order to ensure the integrity of their communication.”

    Messages are protected with a Message Key using AES256 in CBC mode for encryption and HMAC-SHA256 for authentication.
    The encryption is based on the Signal Protocol from Open Whisper Systems.

    https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf

    Message Key – An 80-byte value that is used to encrypt message contents. 32 bytes are used for an AES-256 key, 32 bytes for a HMAC-SHA256 key, and 16 bytes for an IV.

    Key verification:

    WhatsApp users additionally have the option to verify the keys of the other users with whom they are communicating so that they are able to confirm that an unauthorized third party (or WhatsApp) has not initiated a man-in-the-middle attack. This can be done by scanning a QR code, or by comparing a 60-digit number.

    Note: right after the news there were some rumours and quite some discussions about the perception that WhatsApp still had access to the metadata cf. http://seenthis.net/messages/477257

    This is probably because of the privacy terms & conditions not having updated accordingly:
    https://www.whatsapp.com/legal/#Privacy

    Notwithstanding the above, WhatsApp may retain date and time stamp information associated with successfully delivered messages and the mobile phone numbers involved in the messages, as well as any other information which WhatsApp is legally compelled to collect.

    #WhatsApp
    #encryption
    #privacy

  • “App maker Open Whisper Systems took an important step in this direction today with the release of a major new version of its Signal encrypted calling app for iPhones and iPads. The new version, Signal 2.0, folds in support for encrypted text messages using a protocol called TextSecure, meaning users can communicate using voice and text while remaining confident nothing can be intercepted in transit over the internet.”

    https://firstlook.org/theintercept/2015/03/02/signal-iphones-encrypted-messaging-app-now-supports-text

    En gros, c’est #TextSecure pour les joujous Apple comme l’iPhone.

    #cryptographie #vie_privée (poke @MmeMichu)

    • Cool, bonne nouvelle ! Seulement, j’arrive pas à avoir la confirmation, mais il me semble que Signal n’a pas de fonction SMS. C’est uniquement over internet . Ce qui n’est pas un problème en soi, mais rompt la compatibilité avec TextSecure si TextSecure n’est pas utilisé avec Google Play Service. Et comme TextSecure bascule sur du SMS automatiquement s’il n’y a pas d’accès internet ou si GCM n’est pas disponible, ça risque éventuellement de mettre un peu le bazar. Je sais pas comment tout ça est géré. Enfin, peu importe, Signal est une excellente nouvelle et se pose en une véritable alternative à WhatsApp.

      Et je crois avoir lu quelque part qu’à terme, OpenWhisper System proposera Signal aussi sur Android (en regroupant donc TextSecure et RedPhone sous une même application et au même nom que sous iOS).

      Prochaine étape : se libérer des solutions push de Google et d’Apple. Et enfin, mettre en place un « repository » F-Droid.

    • On peut aussi aller lire http://seenthis.net/messages/345498 où Frederic Jacobs d’OpenWhisper System explique sa vision des choses :

      “Demander aux utilisateurs de choisir entre l’effort de la sécurité et la facilité d’utilisation n’est pas un choix. Le monde de la sécurité a besoin de belles applications utilisables. Or, le chiffrement en soi n’est pas un futur ni une caractéristique”.

      Jacobs veut mettre au point un prototype qui montre que cet idéal est néanmoins possible. Qu’on peut concevoir des outils qui soient pensés pour l’utilisateur tout en leur offrant une sécurité maximum.

    • Ah ben voilà, pour éviter le problème de compatibilité avec TextSecure, il suffit de supprimer le support des SMS/MMS chiffrés de TextSecure :
      Saying goodbye to encrypted SMS/MMS
      https://whispersystems.org/blog/goodbye-encrypted-sms

      Avec d’autres bons arguments quand même. Je retiens en particulier :

      SMS and MMS are a security disaster. They leak all possible metadata 100% of the time to thousands of cellular carriers worldwide. It’s common to think of SMS/MMS as being “offline” or “peer to peer,” but the truth is that SMS/MMS messages are still processed by servers–the servers are just controlled by the telcos. We don’t want the state-run telcos in Saudi, Iran, Bahrain, Belarus, China, Egypt, Cuba, USA, etc… to have direct access to the metadata of TextSecure users in those countries or anywhere else.

      Ainsi que :

      It’s common for people in the US and Europe to assume that SMS is the accessible option for people in the global south, but the truth is just the opposite. It’s primarily just the US and parts of Europe that have affordable/unlimited SMS plans. For the most part, the global south is hungry for overlay services that they can use instead of SMS, precisely because SMS is so expensive in those places. Just look at the places where market penetration of overlay services like Viber, Line, and WhatsApp have been the highest. The phrase “WhatsApp number” has even replaced the phrase “phone number” in many parts of south america.

      Et pour finir :

      [I]n conjunction with removing support for encrypted SMS/MMS, we’ll simultaneously move to a model of handling message delivery ourselves – relying on GCM only for a wakeup event.

  • Open Whisper Systems partners with WhatsApp to provide end-to-end encryption
    https://whispersystems.org/blog/whatsapp

    OWS a bossé avec la célèbre application de messagerie mobile WhatsApp pour y utiliser leur protocole TextSecure.

    Pourquoi c’est une bonne nouvelle ? Parce que WhatsApp a déjà des millions d’utilisateurs qui, du coup, voient la protection de leur vie privée faire un bond en avant.

    Mais en même temps, WhatsApp reste une appli propriétaire et même si OWS les a aider à implémenter leur protocole et les valident, on ne peut pas savoir si ils vont pas rajouter un truc pourri dedans.(Permalink)

    #informatique