[messaging] Summary of discussion session at USENIX HotSec
jbonneau at gmail.com
Wed Aug 20 16:54:38 PDT 2014
On Wed, Aug 20, 2014 at 1:01 PM, Wasa Bee <wasabee18 at gmail.com> wrote:
> > *Perhaps work in this space should focus on security against a passive
> > adversary first, which can be done with ~0 changes to the UI (examples
> > include Apple iMessage and BBM Protected). In practice, this covers 90-99%
> > of threat models depending on who you ask. Others in the room were
> > uncomfortable both philosophically and practically (post-Snowden) with
> > accepting the ability for a central party to perform MITM attacks. The room
> > generally agreed it is a worthwhile goal for the EFF and others to push
> > large providers not providing any E2E encryption to do so, even with
> > centralized public key servers to start with
> I like this idea, but have 2 questions:
To be clear, Apple iMessage and BBM Protected are both E2E encrypted (with
public keys distributed by centralized servers). So this is already
happening at some large services.
> - E2E support does not necessarily mean user awareness of the feature.
That's kind of the whole point. If you can turn on E2E encryption with
users not needing to know about it at all, that's the ultimate level of
> - more importantly, is there a successful business model one can build
> when not having access to user data? What shall it look like? Having
> plug-ins available and good UI is important, but to reach a large audience,
> someone has to make a living out of it somewhere.... was there any
> discussion on that?
Fortunately, for messaging apps it's (hopefully) now established in users'
minds that they shouldn't have to see ads. With WhatsApp this has been a
clearly-stated policy and I believe most of its competitors don't show ads.
Maybe the "get big and hope somebody buys you out" model isn't sustainable,
but ad-free messaging seems to be the norm.