[messaging] Viber's New End-to-End Authentication

Ben Laurie ben at links.org
Fri Apr 22 22:10:16 PDT 2016


On 20 April 2016 at 17:54, Michael Farb <mwfarb at cmu.edu> wrote:
> Does anyone know about the end to end messaging protocol used by Viber in
> the release they announced yesterday? I believe it’s closed source, but I’d
> be curious to know if they have posted the general protocol anywhere. I’ve
> not found anything yet. I’m curious to know if it’s based on the ratchet
> used for Signal or not.
>
> https://support.viber.com/customer/portal/articles/2017401-viber-security-faq
>
> What I really like is the improved UX for authentication I’ve not seen yet.
> They use their own real-time channel (voice) to guide the user through the
> fingerprint readout. Now, real-time channels are available through many
> tools, but I think this is the first time I’ve seen a text messaging service
> do this (ZRTP in video calls and voice calls notwithstanding).

I can't find it right now, but there was a paper in the last year or
so about attacking voice channels for fingerprinting by using a mitm
with voice synthesis. Apparently it works pretty well.

>
> What I’d like to see next: A way to prevent accepting the fingerprint
> without reading it similar to SafeSlinger, with perhaps a shorter hash to
> confirm.
>
> Cheers,
> Mike
>
> Michael W. Farb
> Research Programmer, Carnegie Mellon University CyLab
> www.cylab.cmu.edu/safeslinger
>
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging
>


More information about the Messaging mailing list