Torproject disease infects WhatsApp - User experience trumps(sic) security

Shawn K. Quinn skquinn at rushpost.com
Sun Jan 15 19:16:54 PST 2017


On 01/15/2017 08:58 PM, James A. Donald wrote:
> At present three hundred million people communicate by Viber.
> 
> When you install Viber, it generates a secret key and a public key and
> sends the public key to Viber headquarters.
> 
> When Ann wants to message Bob, Viber headquarters sends Ann's client
> Bob's public key, and Bob's client Ann's public key.
> 
> And then they can message each other, no one on the network, not even
> Viber headquarters, can know what they are saying to each other.
> 
> Unfortunately Viber could send Ann a public key belonging to the CIA as
> Bob's key and Bob another key belonging to the CIA as Ann's key, and
> then the CIA can be in the middle as Ann and Bob send messages to each
> other.  Ann thinks she is sending a message to Bob, but actually she is
> sending it to the CIA, which then resends it to Bob.
[...]

Alternatively, how about Viber redesigning their software such that
Alice and Bob can give each other their public keys without Viber
headquarters even having to get involved, if that's what they want? Or,
alternatively, use some other mutually trusted (by both Alice and Bob)
third party server to negotiate the key exchange.

This was poor design by Viber, especially if there's no way for Bob to
verify Alice's key is the same one he has in his Viber client and vice
versa. One has to wonder if it was designed this way by Viber on purpose.

I guess the lesson here is "don't use Viber, use something else".

-- 
Shawn K. Quinn <skquinn at rushpost.com>
http://www.rantroulette.com
http://www.skqrecordquest.com
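
The key-verification step raised in the message above, as an added example that is not part of the original post and is not Viber's code: each client hashes its own public key together with the key the server handed it for the peer, and the two users compare the result out of band. The `Directory` class, the byte-string keys and all names here are constructed assumptions for illustration.

```python
import hashlib
import secrets

def fingerprint(key_a: bytes, key_b: bytes) -> str:
    """Order-independent fingerprint over both parties' public keys."""
    # Sort so both sides hash the same byte string; length-prefix each key
    # so the concatenation is unambiguous.
    data = b"".join(len(k).to_bytes(2, "big") + k for k in sorted((key_a, key_b)))
    digest = hashlib.sha256(data).hexdigest()
    # Truncate to 128 bits, grouped for reading aloud or comparing in person.
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))

class Directory:
    """Hypothetical key server: hands out the public key for a user name."""
    def __init__(self, substitute=None):
        self.keys = {}
        self.substitute = substitute  # if set, served in place of every real key

    def register(self, user: str, public_key: bytes) -> None:
        self.keys[user] = public_key

    def lookup(self, user: str) -> bytes:
        return self.keys[user] if self.substitute is None else self.substitute

def session_views(directory: Directory, own: dict) -> tuple:
    """Fingerprint each client computes from its own key and the served peer key."""
    ann_view = fingerprint(own["ann"], directory.lookup("bob"))
    bob_view = fingerprint(own["bob"], directory.lookup("ann"))
    return ann_view, bob_view

def keys_verified(directory: Directory, own: dict) -> bool:
    """True only if the values Ann and Bob compare out of band are identical."""
    ann_view, bob_view = session_views(directory, own)
    return secrets.compare_digest(ann_view, bob_view)

# Constructed stand-ins for 32-byte public keys (not real key material).
OWN = {"ann": bytes([0xA1]) * 32, "bob": bytes([0xB2]) * 32}
THIRD_PARTY_KEY = bytes([0xC3]) * 32

def build(substitute=None) -> Directory:
    d = Directory(substitute)
    for user, key in OWN.items():
        d.register(user, key)
    return d

if __name__ == "__main__":
    for label, d in (("honest", build()), ("substituting", build(THIRD_PARTY_KEY))):
        print(label, session_views(d, OWN), keys_verified(d, OWN))
```

The check only helps if the comparison happens over a channel the key server does not control, such as in person or by voice.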
