[messaging] EFF Secure Messaging Scorecard

Joseph Bonneau jbonneau at gmail.com
Tue Nov 4 20:21:26 PST 2014


Thanks to all for the feedback (and please keep it coming).

Seems like a few points that have been raised:

*Audits: Initially I wrote the requirements to include a public audit. I was
convinced that there is value in non-public audits as well (take away the
incentive for companies to hide information from the auditors or hire
unscrupulous auditors to ensure that they get a positive report to
publish). The goal here was to incentivize smaller projects and startups to
think about outside audits and having a formal process to look for bugs, so
allowing large companies with independent internal audit teams to pass this
was reasonable. I think that's a reasonable choice; I can only speak
directly to Google and Yahoo! where I have worked but they both have
serious internal audits. No audit will find all bugs and most audits have
limited scope anyways.

To Jacob's point, Google's auditors are likely only tasked with verifying
that Google Hangouts as implemented meets the security goals it's aiming
for. Impossibility for any high-level insider at Google or any agency able
to compromise a Google data center from collecting user data is not in that
spec and they're not claiming it's an E2E encrypted tool. This weakness is
reflected elsewhere on the scorecard, not as a sign of bad auditing.

*Skype: this was pointed out this morning and we're on it. In general this
was not an adversarial process; we communicated with most of the tools on
here and took them at their word if they claimed to have implemented
features (or done audits, etc.). I think this was actually our mistake, but
we've gotten back in touch with Microsoft and will update unless they're
willing to publicly state that Skype data is end-to-end encrypted as we
defined it.

*Others: Subrosa has an audit published here (
https://subrosa.io/files/cure53-audit-may2014.pdf). Note that this audit
was not particularly favorable for Subrosa but it happened in the last year
so it counts. Telegram did not dispute with us that they haven't been
formally audited yet. If there are other tools with an audit please point
that out and I will update the scorecard. Sadly we emailed a number of
open-source projects asking for clarifications on things and many didn't
write back. I'm sure we missed a few audits.

*"Featured" tools. This was a launch mistake. Our goal was to have a
version that could be embedded in smaller sites; the main page is updated
now so that everything is expanded by default.

*Tools we didn't evaluate: Obviously some editorial choices had to be made.
I'm hoping we can keep expanding the list though because there are some
other great tools not on here yet.

*Extra features: I'm hoping to have a v2 next year with more like 20-30
columns. The thinking here was we just wanted a quick visual check that
non-techies could enjoy. We're definitely missing the whole space of
anonymity and painting with a pretty broad brush on some security features.