[messaging] EFF Secure Messaging Scorecard

zaki at manian.org zaki at manian.org
Wed Nov 5 07:07:18 PST 2014

EFF has produced some evidence that attaching an integer to good practices
and updating that integer every year seems to motivate progress at big
organizations. This has mostly been about the year on year progress in the
"Who has your back reports."

You chose good metrics because Apple's iMessage is clearly positioned ahead
of Snapchat,What's App & Hangouts. This is a competitive tension that must
be exploited. As much as I want everyone to use TextSecure and Pond, it
will probably produce greater good if mainstream brands are pressured to
adopt more robust cryptographic design.

It will be very informative to see where 10+ million user apps are next
year when this gets updated.

Great work! Let me know if I can help next year.

On Tue, Nov 4, 2014 at 8:21 PM, Joseph Bonneau <jbonneau at gmail.com> wrote:

> Thanks to all for the feedback (and please keep it coming).
> Seems like a few points that have been raised:
> *Audits-Initially I wrote the requirements to include a public audit. I
> was convinced that there is value in non-public audits as well (take away
> the incentive for companies to hide information from the auditors or hire
> unscrupulous auditors to ensure that they get a positive report to
> publish). The goal here was to incentivize smaller projects and startups to
> think about outside audits and having a formal process to look for bugs, so
> allowing large companies with independent internal audit teams to pass this
> was reasonable. I think that's a reasonable choice-I can only speak
> directly to Google and Yahoo! where I have worked but they both have
> serious internal audits. No audit will find all bugs and most audits have
> limited scope anyways.
> To Jacob's point, Google's auditors are likely only tasked with verifying
> that Google Hangouts as implemented meets the security goals it's aiming
> for. Impossibility for any high-level insider at Google or any agency able
> to compromise a Google data center from collecting user data is not in that
> spec and they're not claiming its an E2E encrypted tool. This weakness is
> reflected elsewhere on the scorecard, not as a sign of bad auditing.
> *Skype-this was pointed out this morning and we're on it. In general this
> was not an adversarial process, we communicated with most of the tools on
> here and took them at their word if they claimed to have implemented
> features (or done audits, etc.). I think this was actually our mistake, but
> we've gotten back in touch with Microsoft and will update unless they're
> willing to publicly state that Skype data is end-to-end encrypted as we
> defined it.
> *Others-Subrosa has an audit published here (
> https://subrosa.io/files/cure53-audit-may2014.pdf). Note that this audit
> was not particularly favorable for Subrosa but it happened in the last year
> so it counts. Telegram did not dispute with us that they haven't been
> formally audited yet. If there are other tools with an audit please point
> that out and I will update the scorecard. Sadly we emailed a number of
> open-source projects asking for clarifications on things and many didn't
> write back. I'm sure we missed a few audits.
> *"Featured" tools. This was a launch mistake. Our goal was to have a
> version that could be embedded in smaller sites, the main page is updated
> now so that everything is expanded by default.
> *Tools we didn't evaluate: Obviously some editorial choices had to be
> made. I'm hoping we can keep expanding the list though because there are
> some other great tools not on here yet.
> *Extra features-I'm hoping to have a v2 next year with more like 20-30
> columns. The thinking here was we just wanted a quick visual check that
> non-techies could enjoy. We're definitely missing the whole space of
> anonymity and painting with a pretty broad brush on some security features.
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20141105/fedbe364/attachment.html>

More information about the Messaging mailing list