[messaging] WhatsApp & OWS team up

Tao Effect contact at taoeffect.com
Tue Nov 18 11:27:33 PST 2014 

Good observation Nadim, I'm also curious about the GPL question. Maybe some EFF folks can answer that?

On Mike Hearn's point re key verification problem:

> Cracking the usable key verification problem. This move brings WhatsApp to the same level of security as iMessage (or better, given the forward security), but WhatsApp/Facebook could still do a switcheroo on people's keys. TextSecure never really figured this out IMO - it still expects people to manually compare long strings of hex.


I will, as seems to be my role here, recommend the blockchain and a system like DNSChain for solving this problem. :-)

The Onename folks are subsidizing registrations in Namecoin btw.

If you want to completely get rid of the possibility of an untrustworthy third-party doing a "switcheroo", then this is the only way to do it (as far as I can tell).

You can also, with the risk of third-party switcheroo, do a provider-based blockchain approach that I've talked about in previous emails here, which is where, for example, a provider registers gmail.bit (or migrates the .com to the blockchain), and then you query the user's public key from them over a MITM-proof channel that's secured by the public key for the service itself (which is stored in the blockchain).

Provider based systems, whether they're doing with a blockchain or not, however, will always (I think), have the switcheroo problem.

> Either way, this is historic. I think Moxie's team deserve immense
> respect for accomplishing this. This is an accomplishment I will look
> up to for many years to come. Truly inspiring.

Hear hear! Congrats to everyone who was involved with this at Open Whisper Systems!

Cheers,
Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Nov 18, 2014, at 10:54 AM, Nadim Kobeissi <nadim at nadim.computer> wrote:

> Mike Hearn hits the nail on the head! My only questions were in fact
> regarding how to handle identity authentication and how to deal with
> the closed-source nature of WhatsApp damaging potential security
> guarantees.
> 
> Although, I just noticed something: TextSecure is GPL, and Moxie says
> that WhatsApp is using the same code as TextSecure. Doesn't that mean
> that WhatsApp is now obligated to send a copy of its source code to
> whoever demands it? :-) That would be amazing if true.
> 
> Either way, this is historic. I think Moxie's team deserve immense
> respect for accomplishing this. This is an accomplishment I will look
> up to for many years to come. Truly inspiring.
> 
> NK
> 
> -----Original Message-----
> From: Messaging [mailto:messaging-bounces at moderncrypto.org] On Behalf
> Of Joseph Bonneau
> Sent: November 18, 2014 1:16 PM
> To: Mike Hearn
> Cc: messaging
> Subject: Re: [messaging] WhatsApp & OWS team up
> 
> 
> On Tue, Nov 18, 2014 at 11:23 AM, Mike Hearn <mike at plan99.net
> <mailto:mike at plan99.net> > wrote:
> 
> 
> 	https://whispersystems.org/blog/whatsapp/
> 
> 	Huge, massive congratulations to Moxie and the team - this sort of
> mainstream success is inspiring. I'd been hoping for a long time that
> once TextSecure showed you could build a secure messenger with
> production quality usability, Facebook / WhatsApp might pick it up,
> and today my dream came true :)
> 
> 
> I echo the major congratulations! One of our main goals with the EFF
> Scorecard was to push big providers to take steps like this, hopefully
> many more will follow suit.
> 
> 
> 	I can see a couple of directions to go now:
> 
> 
> I would add
> 
> 3) Design an efficient, auditable, privacy-friendly public key
> directory. WhatsApp/TextSecure still largely rely on a centralized
> public key directory. Cracking usable key verification would be great,
> but I'd also like these key directories to be able to convincingly
> prove to me that they've only signed for a certain set of keys for my
> username over a given time period. Some work is underway on this at
> Princeton and hopefully elsewhere...
> 
> 
> 	It will be interesting to see what the political ramifications of
> this are. WhatsApp should now be pretty close to intercept-proof for
> all governments bar the USA. Given its ubiquity and complete
> centralisation inside California, I suspect this will result in all
> kinds of interesting jockying as different countries try to get lawful
> intercept capabilities to it (by switching keys, I guess).
> 
> 
> Presumably Apple has already been in this position for over a year
> with iMessage, although it might be more interesting because WhatsApp
> doesn't have the political clout
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20141118/1488b5ed/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20141118/1488b5ed/attachment.sig>

More information about the Messaging mailing list