[messaging] Summary of discussion session at USENIX HotSec

Wasa Bee wasabee18 at gmail.com
Fri Aug 22 02:56:59 PDT 2014


On 21/08/14 00:54, Joseph Bonneau wrote:

> On Wed, Aug 20, 2014 at 1:01 PM, Wasa Bee <wasabee18 at gmail.com> wrote:
>
>> > *Perhaps work in this space should focus on security against a passive
>> > adversary first, which can be done with ~0 changes to the UI (examples
>> > include Apple iMessage and BBM Protected). In practice, this covers 90-99%
>> > of threat models depending on who you ask. Others in the room were
>> > uncomfortable both philosophically and practically (post-Snowden) with
>> > accepting the ability for a central party to perform MITM attacks. The room
>> > generally agreed it is a worthwhile goal for the EFF and others to push
>> > large providers not providing any E2E encryption to do so, even with
>> > centralized public key servers to start with
>>
>> I like this idea, but have 2 questions:
>
> To be clear, Apple iMessage and BBM Protected are both E2E encrypted (with
> public keys distributed by centralized servers). So this is already
> happening at some large services.
>
>> - E2E support does not necessarily mean user awareness of the feature.
>
> That's kind of the whole point. If you can turn on E2E encryption with
> users not needing to know about it at all, that's the ultimate level of
> usability.

My bad. I misunderstood the original idea. Makes sense.

>> - more importantly, is there a successful business model one can build
>> when not having access to user data? What shall it look like? Having
>> plug-ins available and good UI is important, but to reach a large audience,
>> someone has to make a living out of it somewhere.... was there any
>> discussion on that?
>
> Fortunately, for messaging apps it's (hopefully) now established in users'
> minds that they shouldn't have to see ads. With WhatsApp this has been a
> clearly-stated policy and I believe most of its competitors don't show ads.
> Maybe the "get big and hope somebody buys you out" model isn't sustainable,
> but ad-free messaging seems to be the norm.


Because we don't see ads does not mean these companies' business model is
not based on mining personal data... and selling it to someone else... We
don't see ads in WhatsApp, yet Facebook presumably acquired it so it could
mine users' data and put ads in their corresponding Facebook page.
If the idea is to get UI experts to enhance the UI on top of OTR, I surely
like the idea. But I am not convinced that a good UI would be enough to
push private messaging to the masses without a proper business model that
does not rely on mining data. Any idea?




