[messaging] Crypto standards in modern-day consumer apps
mb at 3nsoft.com
Sat Jun 20 12:41:38 PDT 2020
>> Occasionally I worry that one day the credibility of end-to-end encryption will be harmed, because it will turn out that one of the big players has built in back doors or is changing public keys for targeted intercept. And then we (the 'experts') will say, ah ha! In fact, we never claimed these systems were secure against such attacks. And all the general public will hear is, "you said tech firms couldn't read our messages and you were wrong".
>> The restrictions WhatsApp put on forwarding messages might be an early sign of what's to come.
>> Cryptographically, the double ratchet/AES/Noise/etc are all designed to stop a MITM detecting if the same message is being sent twice. This is a core algorithmic property that cryptographers stress over. In the real world, when Facebook decided they had a moral obligation to fight "rumours" they just modified the software to stop people forwarding messages. When the MITM controls the endpoints it's unclear what meaning cryptography actually has, beyond time limited legal arguments.
> That day you worry about has already past... for those that missed it, this story broke last week:
> "Facebook worked with a third-party company to develop the exploit and did not directly hand the exploit to the FBI; it is unclear whether the FBI even knew that Facebook was involved in developing the exploit. According to sources within the company, this is the first and only time Facebook has ever helped law enforcement hack a target.
> This previously unreported case of collaboration between a Silicon Valley tech giant and the FBI highlights the technical capabilities of Facebook, a third-party hacking firm it worked with, and law enforcement, and raises difficult ethical questions about when—if ever—it is appropriate for private companies to assist in the hacking of their users. The FBI and Facebook used a so-called zero-day exploit in the privacy-focused operating system Tails, which automatically routes all of a user's internet traffic through the Tor anonymity network, to unmask Hernandez's real IP address, which ultimately led to his arrest."
Wonderful. Yet another example of news that is attached to worrying
about existing privacy/security tech, while details show that tech
wasn't easy to breach. I have a question.
Should we ask a less technical question. Why there are these global
giant platforms, where it is easy for a social predator to find victims?
Here is verge from 2017:
Spot the similarity. In a mean time I will scream into void: "Why signal
tells everyone in my address book that I have signal app installed?"
More information about the Messaging