[messaging] EFF Insecure Messaging Scorecard

Nathan of Guardian nathan at guardianproject.info
Mon Nov 17 07:37:40 PST 2014



On Mon, Nov 17, 2014, at 09:40 AM, carlo von lynX wrote:
> How can it be ethically acceptable to call any tool
> "secure" that does not protect the metadata?

While I understand where you are coming from, and acknowledge the
limitations in protocols like XMPP, I am also very excited about the
extremely important work on next-generation systems and protocols like
Pond, Secushare, and the like. I was very happy to see TheGrugq's port
of Pond to Android, and with the years of work on systems like Briar coming
to fruition, I do think we are about to take a big step forward on
protecting mobile metadata.

The EFF was focused on helping mass market users they can reach with
taking the first step up from insecure SMS and messaging that offers
basically no defense at all from a variety of bad actors. They need to
offer apps available today that had a history of being maintained and
updated (Moxie, Nadim and I have been at this awhile now), and could
offer good user experiences to even novice users. I also know this is
only the first step in a process for EFF, and I hope they will be
open to feedback such as you have provided.

> Correct me if I am wrong, but I seriously do not see
> any of the metadata-protecting messaging systems in that
> list.

I would like to point out some particular features of ChatSecure that do
combat and minimize metadata-based surveillance. I think Cryptocat, by
its transient nature, also has some of these characteristics. You might
dismiss them as band-aids, but we see them as practical defense based on
what is available today. 

1) One-tap use of Tor, which both means the ability to circumvent
network surveillance by our WISP/Telco, and the ability to connect to
Tor Hidden Service hosted XMPP servers. This is why EFF mentioned
"ChatSecure + Orbot"

2) Support for multiple accounts and in-app creation of accounts on any
server you choose, over Tor if you choose, and offer a built-in list of
geographically diverse, vetted XMPP hosts. Maintaining multiple
identities is meant to be easy too. This also means anyone can run a
server based on open-source/free software, and using our Lil' Debi (our
Debian-on-Android system), a more experienced user can run an XMPP
server on a phone or tablet inside a Hidden Service. 

3) Support for a secret identity/burner account that generates a
randomly named account on a Tor HS based server (Calyx) that only
supports OTR-encrypted messaging and does not log. This can be used for
communicating with only one contact, ideally using the same app and
method to connect, such that the buddy list only shows one contact.

4) Full encryption of all account data, messages, contacts and shared
media data on the device and no integration with built-in contact lists
on the phone, to stop any leak of data from the ChatSecure environment
into your phone's unencrypted/insecure storage. When thinking about
mobile, you must also consider metadata physical extraction, as well as
inherent insecurity of the OS services themselves.

5) No requirement for using your actual phone number or device
identifiers, and no integration/dependency upon Google Cloud Services
(push, etc).


> I know very well that they are all experimental,
> but it is irresponsible not to openly say: Sorry people,

What do you mean by experimental?

> there IS no well established and stable messaging system
> that will actually protect you as it should. All we can
> offer are tools that will protect what you talk about,
> not you as a person.

Yes, I agree that is generally true, but I do hope that you appreciate
the work we've done in minimizing metadata leakage.

> Whereas tools designed to protect not only the words, but
> also the person, aren't even known to the EFF it seems:

None of these wonderful tools are available today for mainstream users
on their mobile phones in any stable, audited or tested state. The EFF's
survey was about mobile messaging, not desktop.

+n

-- 
  Nathan of Guardian
  nathan at guardianproject.info

