[messaging] EFF Secure Messaging Scorecard

Ximin Luo infinity0 at pwned.gg
Tue Nov 4 15:28:21 PST 2014

On 04/11/14 19:50, Robert Obryk wrote:
> On Tue, Nov 4, 2014 at 5:43 PM, Joseph Bonneau <jbonneau at gmail.com> wrote:
>> First version launched today: https://www.eff.org/secure-messaging-scorecard
>> This was a collaboration between tech advisers (primarily Peter Eckersley
>> and myself) and a good team of people with experience in journalism and
>> activism and there were necessarily some compromises made. The primary goals
>> here were:
>> (a) simplicity for users (and journalists) to draw some conclusions about
>> what's out there right now and we had to make a lot of compromises to keep
>> things simple for end-users to understand.
>> (b) reasonable carrots for some of the traditional messaging apps to add
>> security features, get audits, and publish source code.
> In order to get an "audit" checkmark one has to cause an audit to be
> done and nothing more (one can keep the results secret and ignore
> them). If someone tried to maximize their app's rating in the
> scorecard with minimum effort, that's a (from their point of view)
> reasonable thing to do, but it doesn't improve security at all. I do
> not see a way of preventing such gaming while keeping the feature and
> not requiring the audit results to be at least somewhat publicly
> disclosed.

So, the justification given is, "Recognizing that unpublished audits can be valuable, we do not require that the results of the audit have been made public, only that a named party is willing to verify that the audit took place."

Unpublished audits can be valuable *to the developer* to further improve their product, but how are they useful to us, the public users? (Why don't I just go upload all my plaintext to a trusted third party?)

Are there applications in the list which got a tick due to an unreleased audit? If so, which ones are those? Perhaps you can visually distinguish it from the publicly-released ones?



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20141104/3e822522/attachment.sig>

More information about the Messaging mailing list