Encrypted Sky ECC

Ivan J. parazyd at dyne.org
Mon Mar 15 03:25:17 PDT 2021


On Sun, Mar 14, 2021 at 05:04:57PM -0400, David Barrett wrote:
>    On Sun, Mar 14, 2021 at 3:55 PM Peter Fairbrother <peter at tsto.co.uk>
>    wrote:
> 
>      Afaik no direct cryptanalytic attack against the PGP Blackberries has
>      ever succeeded, though several hardware-, phishing-, software-,
>      security- and law-based attacks have.
> 
>    Given that every real world example finds a weaker place to attack than
>    the encryption, is there anything about the Signal app that is more
>    inherently secure than any of these?
>    It would seem that there's no real protection against someone in
>    control of the network deploying a back door onto your device that
>    siphons off the messages after they are decrypted (or the decryption
>    keys themselves), and it seems like that's a way easier way to get the
>    messages than actually bothering to talk with the app developer.
>    Furthermore, unless everyone involved is willing to go to jail, it
>    seems there's no real protection against compelling the software
>    developers to ship a backdoor.  Even being open source with verified
>    builds only confirms that a specific update has a specific version --
>    the next update, or your friend's update, might have a different
>    build.  Indeed, being open source makes it easier for an attacker to
>    craft a build with a back door, and then convince Google to deploy it
>    to their target.
>    Ultimately e2e seems like a real way to force lawyers to bring any
>    discovery requests straight to you for civil suits (because no civil
>    suit could realistically convince Google or Verizon to ship a back door
>    to your phone, whether by a custom build or a fake OS update).  But it
>    feels like security theater to assume e2e provides really any
>    protection at all against serious criminal suits, and certainly nothing
>    approaching national security.
>    -david

Unfortunately I'm yet to see some "mainstream" messaging app that is
both convenient and _very_ secure to use. But perhaps this should be
mitigated with other things, like full disk encryption and this sort of
stuff, not placing trust in random app developers.

Best regards,
Ivan


More information about the cypherpunks mailing list