[messaging] EFF Secure Messaging Scorecard
infinity0 at pwned.gg
Tue Nov 4 15:28:21 PST 2014
On 04/11/14 19:50, Robert Obryk wrote:
> On Tue, Nov 4, 2014 at 5:43 PM, Joseph Bonneau <jbonneau at gmail.com> wrote:
>> First version launched today: https://www.eff.org/secure-messaging-scorecard
>> This was a collaboration between tech advisers (primarily Peter Eckersley
>> and myself) and a good team of people with experience in journalism and
>> activism and there were necessarily some compromises made. The primary goals
>> here were:
>> (a) simplicity for users (and journalists) to draw some conclusions about
>> what's out there right now and we had to make a lot of compromises to keep
>> things simple for end-users to understand.
>> (b) reasonable carrots for some of the traditional messaging apps to add
>> security features, get audits, and publish source code.
> In order to get an "audit" checkmark one has to cause an audit to be
> done and nothing more (one can keep the results secret and ignore
> them). If someone tried to maximize their app's rating in the
> scorecard with minimum effort, that's a (from their point of view)
> reasonable thing to do, but it doesn't improve security at all. I do
> not see a way of preventing such gaming while keeping the feature and
> not requiring the audit results to be at least somewhat publicly
So, the justification given is, "Recognizing that unpublished audits can be valuable, we do not require that the results of the audit have been made public, only that a named party is willing to verify that the audit took place."
Unpublished audits can be valuable *to the developer* to further improve their product, but how are they useful to us, the public users? (Why don't I just go upload all my plaintext to a trusted third party?)
Are there applications in the list which got a tick due to an unreleased audit? If so, which ones are those? Perhaps you can visually distinguish it from the publicly-released ones?