On Sun, 01 Feb 2015 18:57:01 -0800, Seth <list@sysfu.com> wrote:
Searched the cpunk archives and was surprised to find no mention of Wickr yet.
I thought I'd run it through stef's seven rules of thumb to detect snakeoil so here goes:
Yikes, just found this excellent video review of Wickr and it's not flattering: https://www.youtube.com/watch?v=GDq7GJWKyqc

The presenter sums it up as "this is really a classic example of what can happen when you try to do your security in secret, and nobody really looks too closely at what you're doing."

Main flaws claimed to be found by reviewer:

- Password stored on servers
- hardware binding is a joke
- caught using static AES key
- Were not signing their messages
- TOFU (Trust On First Use) architecture
- Crappy TLS implementation
- Wickr servers using PHP scripts

I'd say the verdict leans towards snake-oil so far.