[messaging] How secure is TextSecure?
Trevor Perrin
trevp at trevp.net
Fri Dec 19 14:35:51 PST 2014
On Fri, Dec 19, 2014 at 1:28 PM, Joseph Bonneau <jbonneau at gmail.com> wrote:
>
> I had a simple thought reading this paper: why not have the server simply
> reject a user from ever attempting to register a key with the same
> fingerprint as a key anybody else has already registered? That would block
> UKS attacks (modulo server collaboration)
If Bob lies to his girlfriend Alice and give her Charlie's fingerprint
and phone number, Bob doesn't need to register anything.
Alice will simply text "I love you" thinking it's going to Bob, but
instead it will confuse Charlie. I've argued this is a trust problem
more than a technical one - if Alice trusts someone to give her Bob's
information, she's at risk of being lied to.
If Bob only lies about his fingerprint, not his phone number, then the
server would have to collude to misroute the message to Charlie, so a
server-side check doesn't add much value.
> if two users choose the same key accidentally
> something has probably gone horribly wrong entropy-wise and it would be
> worthwhile to detect that.
Agreed that scanning for public-key collisions has value to detect bad RNGs.
Trevor
More information about the Messaging
mailing list