RedPhone Removed from Google Play Store

Ted Smith tedks at riseup.net
Fri Nov 14 11:29:45 PST 2014


On Thu, 2014-11-13 at 18:06 -0500, Eric Mill wrote:
> This isn't accurate, in practice. In theory, Google could replace any
> certificate they want for first use. But they clearly don't do that
> for everyone (Moxie or someone would notice), and if they did it in a
> targeted way, it could only be on the first use. That's a threat
> vector, but only viable under both targeted and specific
> circumstances.
> 
> 
> So "what's to stop Google pushing a malicious TextSecure? Nothing.
> Nothing, at all, ever." isn't accurate -- you can trust that you're
> highly likely to get the real TS binary on first install, and then
> guarantee that you're getting a binary signed by the same person for
> updates.

But Google can silently update their services providing this "guarantee"
and remove it. 

Could they do this without anyone noticing? Probably not on a wide
scale. But it's still not a guarantee. 

There's essentially no way to get around this on Android, which is I
think why Moxie has abandoned that goal. If a solution exists, the
people detracting TextSecure for using Google infrastructure should
build that solution, fork TextSecure, and add it. Code speaks louder
than words. 

-- 
Sent from Ubuntu