Encrypted Sky ECC

David Barrett dbarrett at expensify.com
Sun Mar 14 14:04:57 PDT 2021


On Sun, Mar 14, 2021 at 3:55 PM Peter Fairbrother <peter at tsto.co.uk> wrote:

> Afaik no direct cryptanalytic attack against the PGP Blackberries has
> ever succeeded, though several hardware-, phishing-, software-,
> security- and law-based attacks have.
>

Given that every real world example finds a weaker place to attack than the
encryption, is there anything about the Signal app that is more inherently
secure than any of these?

It would seem that there's no real protection against someone in control of
the network deploying a back door onto your device that siphons off the
messages after they are decrypted (or the decryption keys themselves), and
it seems like that's a way easier way to get the messages than actually
bothering to talk with the app developer.

Furthermore, unless everyone involved is willing to go to jail, it seems
there's no real protection against compelling the software developers to
ship a backdoor.  Even being open source with verified builds only confirms
that a specific update has a specific version -- the next update, or your
friend's update, might have a different build.  Indeed, being open source
makes it easier for an attacker to craft a build with a back door, and then
convince Google to deploy it to their target.

Ultimately e2e seems like a real way to force lawyers to bring any
discovery requests straight to you for civil suits (because no civil suit
could realistically convince Google or Verizon to ship a back door to your
phone, whether by a custom build or a fake OS update).  But it feels like
security theater to assume e2e provides really any protection at all
against serious criminal suits, and certainly nothing approaching national
security.

-david