[messaging] Value of deniability

Jacob Appelbaum jacob at appelbaum.net
Wed Dec 10 20:03:09 PST 2014

On 12/11/14, Eleanor Saitta <ella at dymaxion.org> wrote:
> Hash: SHA256
> On 2014.12.10 19.45, Jacob Appelbaum wrote:
>> On 12/10/14, Eleanor Saitta <ella at dymaxion.org> wrote:
>>> On 2014.12.10 17.00, Jacob Appelbaum wrote:
>>>> Why not have both options, legally and cryptographically?
>>> Because if you want to have both options, even if there was
>>> absolutely no cost in terms of protocol design, has a significant
>>> cost in terms of user experience, user education, and end-user
>>> security planning overhead.  Every security invariant that you
>>> intend to support must have a specific cost justification in
>>> terms of end-user outcomes. Adding a new one because it has no
>>> protocol cost ignores massive costs elsewhere, in a way that
>>> exactly parallels the complete usability failures of most
>>> encryption protocols.  Usability and user requirements analysis
>>> must be part of cryptographic protocol design if there is any
>>> hope it will work.
>> It works in OTR and it works well enough, I think. I don't see any
>> obvious room for improvement. Though I admit, I like the
>> TextSecure design.
> Ending conversations in OTR is specifically a piece of user
> interaction that is only required due to the deniability component,
> correct?

Not quite. I'd encourage you to look at the code and the specification
to understand the full process for refreshing or ending a

> So it's not true that there's no room for improvement.  OTR
> is also, although far better than many alternatives, something I hear
> frequent usability complaints about.  This is not what success looks
> like.  This is at best what the absence of failure looks like.  OTR
> does not in any meaningful way drive deniability as an invariant
> through the design process, nor do implementations clearly explain to
> users what invariants they can or cannot expect the system to maintain.

I never claimed that there wasn't room for improvement?

I like the design of TextSecure (and RedPhone/Signal) and I showed
that there is a legal context for this property, which is what was
requested in the first place. In any case, I don't think an
improvement would be removal of the denability properties from OTR.

All the best,

More information about the Messaging mailing list