Wickr vs stef's seven rules of thumb to detect snakeoil
Seth
list@sysfu.com
Sun Feb 1 18:57:01 PST 2015
Searched the cpunk archives and was surprised to find no mention of wickr
yet.
I thought I'd run it through stef's seven rules of thumb to detect
snakeoil so here goes:
* not free software
  - Closed source (although audited by Veracode)
* runs in a browser
  - no
* runs on a smartphone
  - yes
* the user doesn't generate, or exclusively own the private encryption keys
  - unsure (displays a message about 'securing your phone using military
    grade encryption' during first app launch/sign-in; I believe local keys
    are generated during this step)
* there is no threat model
  - (claims to be 'last messaging app standing with no 0days to date',
    claims nation threat attacks were expected from day one, claims zero
    knowledge company infrastructure server configuration)
* uses marketing-terminology like "cyber", "military-grade"
  - displays message 'securing your phone using military grade encryption'
    during app setup
* neglects general sad state of host security
  - unsure
Additional notes:
- Offers a desktop app for Win/OSX/Linux since 2014/12
- https://wickr.com/ appears to require JavaScript to view
- Founder Nico Sell is a long-time Def-Con organizer; founded Def-Con for
  kids (now called Rootz Asylum) in 2010
- Wickr company infrastructure security audited by iSecPartners