Good observation Nadim, I'm also curious about the GPL question. Maybe some EFF folks can answer that?
On Mike Hearn's point re key verification problem: > Cracking the usable key verification problem. This move brings WhatsApp to > the same level of security as iMessage (or better, given the forward > security), but WhatsApp/Facebook could still do a switcheroo on people's > keys. TextSecure never really figured this out IMO - it still expects people > to manually compare long strings of hex. I will, as seems to be my role here, recommend the blockchain and a system like DNSChain for solving this problem. :-) The Onename folks are subsidizing registrations in Namecoin btw. If you want to completely get rid of the possibility of an untrustworthy third-party doing a "switcheroo", then this is the only way to do it (as far as I can tell). You can also, with the risk of third-party switcheroo, do a provider-based blockchain approach that I've talked about in previous emails here, which is where, for example, a provider registers gmail.bit (or migrates the .com to the blockchain), and then you query the user's public key from them over a MITM-proof channel that's secured by the public key for the service itself (which is stored in the blockchain). Provider based systems, whether they're doing with a blockchain or not, however, will always (I think), have the switcheroo problem. > Either way, this is historic. I think Moxie's team deserve immense > respect for accomplishing this. This is an accomplishment I will look > up to for many years to come. Truly inspiring. Hear hear! Congrats to everyone who was involved with this at Open Whisper Systems! Cheers, Greg -- Please do not email me anything that you are not comfortable also sharing with the NSA. On Nov 18, 2014, at 10:54 AM, Nadim Kobeissi <[email protected]> wrote: > Mike Hearn hits the nail on the head! My only questions were in fact > regarding how to handle identity authentication and how to deal with > the closed-source nature of WhatsApp damaging potential security > guarantees. > > Although, I just noticed something: TextSecure is GPL, and Moxie says > that WhatsApp is using the same code as TextSecure. Doesn't that mean > that WhatsApp is now obligated to send a copy of its source code to > whoever demands it? :-) That would be amazing if true. > > Either way, this is historic. I think Moxie's team deserve immense > respect for accomplishing this. This is an accomplishment I will look > up to for many years to come. Truly inspiring. > > NK > > -----Original Message----- > From: Messaging [mailto:[email protected]] On Behalf > Of Joseph Bonneau > Sent: November 18, 2014 1:16 PM > To: Mike Hearn > Cc: messaging > Subject: Re: [messaging] WhatsApp & OWS team up > > > On Tue, Nov 18, 2014 at 11:23 AM, Mike Hearn <[email protected] > <mailto:[email protected]> > wrote: > > > https://whispersystems.org/blog/whatsapp/ > > Huge, massive congratulations to Moxie and the team - this sort of > mainstream success is inspiring. I'd been hoping for a long time that > once TextSecure showed you could build a secure messenger with > production quality usability, Facebook / WhatsApp might pick it up, > and today my dream came true :) > > > I echo the major congratulations! One of our main goals with the EFF > Scorecard was to push big providers to take steps like this, hopefully > many more will follow suit. > > > I can see a couple of directions to go now: > > > I would add > > 3) Design an efficient, auditable, privacy-friendly public key > directory. WhatsApp/TextSecure still largely rely on a centralized > public key directory. Cracking usable key verification would be great, > but I'd also like these key directories to be able to convincingly > prove to me that they've only signed for a certain set of keys for my > username over a given time period. Some work is underway on this at > Princeton and hopefully elsewhere... > > > It will be interesting to see what the political ramifications of > this are. WhatsApp should now be pretty close to intercept-proof for > all governments bar the USA. Given its ubiquity and complete > centralisation inside California, I suspect this will result in all > kinds of interesting jockying as different countries try to get lawful > intercept capabilities to it (by switching keys, I guess). > > > Presumably Apple has already been in this position for over a year > with iMessage, although it might be more interesting because WhatsApp > doesn't have the political clout > _______________________________________________ > Messaging mailing list > [email protected] > https://moderncrypto.org/mailman/listinfo/messaging
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
