On Sun, 01 Feb 2015 18:57:01 -0800, Seth <[email protected]> wrote:

Searched the cpunk archives and was surprised to find no mention of wickr yet.

I thought I'd run it through stef's seven rules of thumb to detect snakeoil so here goes:

Yikes, just found this excellent video review of Wickr and it's not flattering:

https://www.youtube.com/watch?v=GDq7GJWKyqc

The presenter sums it up as "this is really a classic example of what can happen when you try to do your security in secret, and nobody really looks too closely at what you're doing."

Main flaws the reviewer claims to have found:

- Password stored on servers
- Hardware binding is a joke
- Caught using a static AES key
- Were not signing their messages
- TOFU (Trust On First Use) architecture
- Crappy TLS implementation
- Wickr servers using PHP scripts

I'd say the verdict leans towards snake-oil so far.
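Two items on that list, unsigned messages and a static key, come down to the same property: a recipient must be able to detect that an envelope was altered or replayed. The snippet below is an added illustration written for this thread, not code from the post or from Wickr; it uses an HMAC-SHA256 tag with a per-message nonce as a stand-in for a signature (a symmetric MAC rather than an asymmetric signature, which is an assumption made for the sake of a stdlib-only demo), and contrasts it with an "unsigned" reader that accepts whatever it is given. Key, sender names and bodies are constructed sample values.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Constructed demo key. In a real messenger this is a per-conversation key
# produced by the key exchange, never a constant baked into the client.
DEMO_KEY = bytes.fromhex("6b" * 32)


def _canonical(fields: dict) -> bytes:
    """Deterministic encoding so sender and recipient tag the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def seal(key: bytes, sender: str, body: str) -> dict:
    """Build an envelope whose tag covers sender, nonce and body.

    The fresh random nonce makes every envelope unique, so even with an
    unchanged key two identical bodies never produce the same tag, and the
    recipient can recognise a replayed copy.
    """
    fields = {"from": sender, "nonce": os.urandom(16).hex(), "body": body}
    tag = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "tag": tag}


def open_unsigned(envelope: dict) -> str:
    """What a client that does not check integrity effectively does:
    trust the body field as-is. Any edit to the envelope goes unnoticed."""
    return envelope["body"]


def open_sealed(key: bytes, envelope: dict, seen_nonces: set) -> Optional[str]:
    """Return the body only if the tag verifies and the nonce is fresh.

    Returns None for a missing or wrong tag, a modified field, or a replay.
    """
    fields = dict(envelope)
    tag = fields.pop("tag", None)
    if not isinstance(tag, str):
        return None
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    # Constant-time comparison; also False when the lengths differ.
    if not hmac.compare_digest(expected, tag):
        return None
    nonce = fields.get("nonce")
    if not isinstance(nonce, str) or nonce in seen_nonces:
        return None
    seen_nonces.add(nonce)
    return fields["body"]


if __name__ == "__main__":
    seen = set()
    env = seal(DEMO_KEY, "alice", "meet at noon")
    print("verified:", open_sealed(DEMO_KEY, env, seen))        # meet at noon
    print("replay  :", open_sealed(DEMO_KEY, env, seen))        # None
    edited = {**env, "body": "meet at midnight"}
    print("unsigned reader accepts edit:", open_unsigned(edited))
    print("sealed reader rejects edit  :", open_sealed(DEMO_KEY, edited, set()))
```

The `open_unsigned` reader is the behaviour the reviewer is objecting to: the body is trusted without any check, so an edited envelope reads as authentic. The `open_sealed` reader refuses a changed field, a missing or truncated tag, a wrong key, and a second delivery of the same nonce.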
