On Thu, Jul 24, 2014 at 10:54:16PM +0200, stef wrote:
> On Thu, Jul 24, 2014 at 10:41:35PM +0200, Stephan Neuhaus wrote:
> > On 2014-07-24, 18:16, stef wrote:
> > > On Thu, Jul 24, 2014 at 04:06:03PM +0200, Stephan Neuhaus wrote:
> > > > So if I mention to you that a certain app just happens to run on a smartphone, your Spidey-sense would be tingling, no matter if the app has had excellent threat modelling, code audit etc?
> > >
> > > it's a rule of thumb. right? there might be exceptions (i know of exactly one), which strengthen the rule ;)
> >
> > Sorry to insist, but I gave you a concrete app, namely SafeSlinger: https://www.cylab.cmu.edu/safeslinger/
> > Do you think that it is snake oil?
>
> unless it is being deployed for confidentiality defending against only low-level adversaries (but by stating this i already narrowed down the threat model significantly). i believe so. it is an app, nothing more.
>
> not saying that the research and the protocols might not be sound. but even much more mature algos that are yet unbroken on a scientific level do not pass the rule of thumb when they're implemented on smartphones. all of Matej's concerns apply. the phone is basically a huge side channel. not saying you can't build castles on sand, but their threat model is quite limited. just a few days ago i believe Eugen posted a nice list of iOS bugdoors. no insult to the product in question, it's the underlying platform that's broken.
>
> --
> otr fp: https://www.ctrlc.hu/~stef/otr.txt