peerio.com

Mirimir mirimir at riseup.net
Wed Jan 14 13:52:00 PST 2015


On 01/14/2015 01:01 PM, Cathal Garvey wrote:
>> Has Cloudflare made any statements about whether they log traffic
>> and/or hand over data to governments?
> 
> Well, anyone with a brain knows they do, and that statements from a US
> company are meaningless because nobody wants to go to jail over an NSL.

:)

> What a top-level observer can see (AFAIK) is who's logged in, probably
> what their username/keyID is, and how much they're talking to the server.
> 
> Because peerio uses miniLock formatted messages, the potential exists
> for minimal-knowledge service, but from the github docs it seems the
> server maintains an entry for which user is allowed to access which
> encrypted files, and therefore reveals to an observer who's the recipient.
> 
> So, it's a metadata-rich service, little better in that regard than
> email.. although the encryption is pretty well designed and unless you
> set up a "PIN" there's no permanent storage of private keys even on your
> computer, so it's also quite secure when crossing borders.

So it would be prudent to use pseudonyms, and to access via some mix of
VPN(s), JonDonym and Tor (according to one's need for anonymity vs
speed). And using devices with removable local storage, there would be
no traces to be inspected by adversaries.

Cool. But still, how is peerio more secure than spideroak, for example?

> Also, there is a feature that clearly relies on compliant clients, where
> you can delete files from the server including copies sent to clients.
> Obviously if the attached files are downloaded from the system, this
> can't reach them, but it will destroy any "authenticated" copies of the
> messages from the server, if it works (you're trusting the server).
> OPSEC wise, this is a nice feature because it means you can clean up
> after yourself and keep the authenticated-data-at-rest on either end of
> a conversation to a minimum.
> 
> On 14/01/15 19:49, aestetix wrote:
>> It's also worth noting that they are using Cloudflare. Has Cloudflare
>> made any statements about whether they log traffic and/or hand over
>> data to governments?
> 



More information about the cypherpunks mailing list