Wickr vs stef's seven rules of thumb to detect snakeoil

Seth list at sysfu.com
Sun Feb 1 22:03:13 PST 2015


On Sun, 01 Feb 2015 18:57:01 -0800, Seth <list at sysfu.com> wrote:

> Searched the cpunk archives and was surprised to find no mention of
> Wickr yet.
>
> I thought I'd run it through stef's seven rules of thumb to detect
> snakeoil so here goes:

Yikes, just found this excellent video review of Wickr and it's not
flattering:

https://www.youtube.com/watch?v=GDq7GJWKyqc

The presenter sums it up as "this is really a classic example of what can  
happen when you try to do your security in secret, and nobody really looks  
too closely at what you're doing."

Main flaws claimed to be found by the reviewer:

- Password stored on servers
- Hardware binding is a joke
- Caught using a static AES key
- Were not signing their messages
- TOFU (Trust On First Use) architecture
- Crappy TLS implementation
- Wickr servers using PHP scripts

I'd say the verdict leans towards snake-oil so far.
