[messaging] Forward secrecy and multiple devices

Moxie Marlinspike moxie at thoughtcrime.org
Fri Oct 31 09:36:25 PDT 2014

On 10/31/2014 09:10 AM, Ximin Luo wrote:
> "axolotl is forward-secret" doesn't mean "the entire application is
> forward-secret".
> The fact that the device stores message history, reduces the
> effectiveness of having sent the message through a forward-secret
> scheme like axolotl - an attacker who can compromise the long-term
> key can just compromise the history itself.

Protocols are different from the applications that use them.  I said
"can use," because it depends on the application.  Maybe the application
stores nothing, so there's nothing to transmit, but all future messages
will ephemerally appear synchronized.

Or maybe the application does store something, but at some point the
user decides to delete a message.  If you didn't use a PFS transmission
mechanism, a network attacker still has a copy.  Right now I can delete
a GPG encrypted email that I receive, but I have to be aware that I need
to simultaneously delete my key.

The protocols that we design should do the best that they can within
their domain.  What an application decides to do with the protocol is up
to the application, but at least the best possible properties are
available should the application require them.

- moxie
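Added illustration, not code from this thread or from Axolotl itself: a toy symmetric ratchet shows why a message deleted from the device stays unreadable to an attacker who recorded the ciphertext and later compromises the device, while with one static long-term key (the GPG case above) the recorded ciphertext is still readable. The shared secret, message texts and the HMAC-based XOR cipher are constructed stand-ins for the real protocol's AEAD.

```python
import hashlib
import hmac

def ratchet_step(chain_key: bytes) -> tuple[bytes, bytes]:
    """One symmetric-ratchet step: (next chain key, message key).
    HMAC is one-way, so the message key cannot be derived from the next chain key."""
    return (hmac.new(chain_key, b"\x01", hashlib.sha256).digest(),
            hmac.new(chain_key, b"\x02", hashlib.sha256).digest())

def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for a real AEAD: HMAC-SHA256 counter-mode keystream XOR."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def send_all(chain_key: bytes, plaintexts: list) -> list:
    """Sender side: ratchet once per message, encrypt with the per-message key."""
    cts = []
    for pt in plaintexts:
        chain_key, mk = ratchet_step(chain_key)
        cts.append(xor_cipher(mk, pt))
    return cts

class Device:
    """Receiving device: stores plaintext history but only the current chain key."""
    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key
        self.history = {}
    def receive(self, idx: int, ct: bytes) -> None:
        self.chain_key, mk = ratchet_step(self.chain_key)  # mk is dropped after use
        self.history[idx] = xor_cipher(mk, ct)
    def delete(self, idx: int) -> None:
        del self.history[idx]

def scenario() -> dict:
    root = b"constructed-shared-secret-for-demo"        # constructed value
    msgs = [b"msg0 hello", b"msg1 sensitive", b"msg2 bye"]
    cts = send_all(root, msgs)                          # a network attacker records these
    dev = Device(root)
    for i, ct in enumerate(cts):
        dev.receive(i, ct)
    dev.delete(1)                                       # user deletes message 1
    # Later device compromise: attacker holds the current chain key and remaining history.
    # Best effort on recorded cts[1]: try every key derivable from the stolen chain key.
    ck, trials = dev.chain_key, []
    for _ in range(8):
        ck, mk = ratchet_step(ck)
        trials.append(xor_cipher(mk, cts[1]))
    ratchet_leaks = msgs[1] in trials or 1 in dev.history
    # Static long-term key: the same key encrypted every message and is still on the device.
    static_leaks = xor_cipher(root, xor_cipher(root, msgs[1])) == msgs[1]
    return {"ratchet_leaks_deleted_msg": ratchet_leaks, "static_key_leaks_deleted_msg": static_leaks}
```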