[messaging] Opportunistic encryption and authentication methods

Tom Ritter tom at ritter.vg
Sat Sep 13 13:33:34 PDT 2014


On 13 September 2014 15:13, zaki at manian.org <zaki at manian.org> wrote:
> I can't find any Wickr UI to access a key fingerprint.

Interesting.  I don't have Wickr, so I cannot look.

I guess I'll put this out there:
https://www.wickr.com/wp-content/uploads/2014/08/iSEC-iSR-July2014.pdf

I have never handled any proprietary Wickr information, precisely
because of the potential for conflict of interest.  I did review this
document to help the authors convey the correct information they
wanted to.  (I basically read it, and then said "I can't figure out if
X or Y." and they would go back and edit based off what they knew.)

Somehow or another, people I trust claim that they can use Wickr such
that they have confidence that Wickr can't MITM them.  In particular
I'll excerpt:

-------

While some weaknesses in this architecture revolve around a trusted
central server, which could undermine the strong end-to-end encryption
in some low likelihood scenarios, Wickr has recently added several
features which allow users to avoid these weaknesses. In the case of
long term keys, this is provided if they opt-in to use the ``Advanced
Key Verification'' feature.

1. The Wickr client utilizes Trust on First Use (TOFU) for initial
communication with peers, and allows users to examine this long term
key associated with their identity. Peers can then verify this key via
video, SMS or email when using the ``Advanced Key Verification'' mode.
When long term keys are changed, the new keys must be validated. The
``Advanced Key Verification'' was code reviewed during the July
retest.

-------

If you cannot find this feature, that's very interesting.

-tom

