[messaging] EFF Secure Messaging Scorecard

Mike Hearn mike at plan99.net
Tue Nov 4 11:31:37 PST 2014


I echo the confusion around GChat/FB being marked as audited. I assume this
is because the code has been audited by company internal security staff,
i.e. the presumed goal of the audit is to find bugs and not subterfuge? It
might be good to explain this if so, in a tooltip for example.

It seems a bit unfair to say FB Chat doesn't let you verify contacts.
Facebook is arguably one of the hardest environments to forge user
identities in because any long term Facebook user has built up a repository
of photos, life updates, and other human data that an imposter would find
impossible to forge, hard to steal and hard to reuse (Facebook has systems
that look for cloned profiles, I believe). Whilst the socialist
millionaires' protocol is very cool, it boils down to a secret question and
answer. We know from bitter experience that people find it hard to select
secret questions and answers where the answer is known only to themselves,
let alone one where the answer must be known by a contact but not any
attackers. For real world usage I'd place my faith in a correct looking
Facebook profile over a likely quickly guessable Q&A.