neglects general sad state of host security
You mean user host (client endpoint security, for most people nonexistent) or server host? Because at least with the latter, a clever design or threat-model can make server-client pretty secure by simply making the server zero-knowledge. I used to be a total P2P hippie, and P2P is still my preference aesthetically and for reasons of simple resilience, but I no longer regard server-client as an automatic fail, provided the server is zero-knowledge. So, encrypted XMPP/Jingle (Jitsi) is good, whereas lol-not-really-encrypted-server-sees-all Mumble is not.

On 23/07/14 22:59, stef wrote:
On Wed, Jul 23, 2014 at 05:24:22PM -0400, grarpamp wrote:
To quote OP... not open source.. not audited.. central servers.. webrtc.. 'no' logs.. and a shiny link for grins... and then claims it 'looks very interesting and promising'. WTF, really? I appreciate innocent questions, but the answer (or at least our response) should be obvious, from those parameters alone, to someone who's been around for a while.
exactly this prompted me to come up with the seven rules of thumb to detect snakeoil:
- not free software
- runs in a browser
- runs on a smartphone
- the user doesn't generate, or exclusively own the private encryption keys
- there is no threat model
- uses marketing-terminology like "cyber", "military-grade"
- neglects general sad state of host security
-- T: @onetruecathal, @IndieBBDNA P: +353876363185 W: http://indiebiotech.com