[messaging] Summary of discussion session at USENIX HotSec

Joseph Bonneau jbonneau at gmail.com
Wed Aug 20 16:54:38 PDT 2014


On Wed, Aug 20, 2014 at 1:01 PM, Wasa Bee <wasabee18 at gmail.com> wrote:

> > Perhaps work in this space should focus on security against a passive
> > adversary first, which can be done with ~0 changes to the UI (examples
> > include Apple iMessage and BBM Protected). In practice, this covers 90-99%
> > of threat models depending on who you ask. Others in the room were
> > uncomfortable both philosophically and practically (post-Snowden) with
> > accepting the ability for a central party to perform MITM attacks. The room
> > generally agreed it is a worthwhile goal for the EFF and others to push
> > large providers not providing any E2E encryption to do so, even with
> > centralized public key servers to start with
>
> I like this idea, but have 2 questions:
>

To be clear, Apple iMessage and BBM Protected are both E2E encrypted (with
public keys distributed by centralized servers). So this is already
happening at some large services.


> - E2E support does not necessarily mean user awareness of the feature.
>

That's kind of the whole point. If you can turn on E2E encryption with
users not needing to know about it at all, that's the ultimate level of
usability.


> - more importantly, is there a successful business model one can build
> when not having access to user data? What shall it look like? Having
> plug-ins available and good UI is important, but to reach a large audience,
> someone has to make a living out of it somewhere.... was there any
> discussion on that?
>

Fortunately, for messaging apps it's (hopefully) now established in users'
minds that they shouldn't have to see ads. With WhatsApp this has been a
clearly-stated policy and I believe most of its competitors don't show ads.
Maybe the "get big and hope somebody buys you out" model isn't sustainable,
but ad-free messaging seems to be the norm.