[messaging] Spam-resistance of different systems
Joseph Bonneau
jbonneau at gmail.com
Tue Sep 23 14:35:38 PDT 2014
On Tue, Sep 23, 2014 at 4:15 PM, Trevor Perrin <trevp at trevp.net> wrote:
>
> "Apple iMessage, Wickr and BBM Protected can all be described as
> opportunistic encryption messaging systems that have been very
> successful deployment-wise." - Joe Bonneau, [2
>
To that list we can apparently add Kik and its 150 million users.
Interestingly, they don't seem to make any claims publicly about their
security, but in their advice to law enforcement they say "The text of Kik
conversations is ONLY stored on the phones of the Kik users involved in the
conversation. Kik doesn’t see or store chat message text in our systems,
and we don’t ever have access to this information." [1] It's not P2P, so
this seems to imply that E2E encryption is happening. This is highly
unusual of course-most apps make bold security claims publicly and
undermine them in the fine print but the opposite appears to be going on
here.
[1]
http://kik.com/wp-content/uploads/2014/01/Kiks-Guide-for-Law-Enforcement_July-17-2014.pdf
Some other thoughts:
1) Size of target population: Email has a huge userbase, and email
> addresses are widely shared, so spammers are able to harvest huge
> target lists.
>
If you scale by people interested in/susceptible to spam, these populations
may remain low. I think they lean young and tech-savvy. Also there is very
little commercial use of these channels which makes spam stick out more.
> 2) Cost per communication: Sending a single email is very cheap,
> compared to (say) postal mail
>
This may be non-zero for messaging apps because all benefit currently from
only being accessible via proprietary apps. I'm not sure which have been
reverse engineered successfully-I believe WhatsApp and SnapChat have been
at least partially reverse engineered but I'm not sure for the above.
Surely a motivated spammer could create a compatible app to send spam for
free, but that's a non-zero barrier to entry.
> 4) Ability to attribute and penalize the sending user: Free email
> accounts and easy signup make it hard to impose a cost on abusive
> users.
>
Certainly these are all centralized systems with the ability to ban sending
users. The key question is, how hard is it to create accounts? It would be
interesting to survey what info each requires-which verify phone numbers,
etc. Phone numbers are definitely a non-free resource. iMessage and BBM
Protected may also utilize some sort of unique device identifiers which are
even less free.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140923/6055a4de/attachment.html>
More information about the Messaging
mailing list