[kwlug-disc] Secure IM news

Nick Guenther nguenthe at uwaterloo.ca
Wed Nov 23 16:28:32 EST 2016


 

On November 23, 2016 11:31:27 EST, "locklin.jason at gmail.com" <locklin.jason at gmail.com> wrote:
>I know there are a few people on here watching the IM sphere in the
>hopes of universal, secure messaging. Two articles have crossed my
>newsfeeds lately that might be of interest:
>
>Signal has done quite a lot of UX research. They have found that just
>using the word "fingerprint" sends the wrong message to most people
>(real fingerprints are considered sensitive information, not something
>you want to share), and have transitioned to using
>conversation-specific "safety numbers" rather than user-specific
>fingerprints. 
>https://www.whispersystems.org/blog/safety-number-updates/

I'm super happy about their work here, even though they unfortunately don't federate. It's too long that crypto geeks and the needs of the general public have been totally at odds, and to our peril because without security by default (i.e. everyone being on board) there will always be massive leaks---like how you plan your holidays with Google Calendar and unencrypted webmail.

> the ability to do e2e encrypted group IM. 
>https://medium.com/@RiotChat/exciting-new-riot-release-get-ready-for-chatting-securely-acc93ecfe0a

I am suspicious here; encrypted group chat is really hard. Does the server hand out keys when new people join? They say users can blacklist each other, but blacklists are weak: just come back under a different key. And it's claiming end-to-end encryption, but for the same reason the server could generate fake users at will. If they have or add a whitelist mode, every new user would have to be approved by every other new user; maybe users could delegate their trust to an OP deciding on who to whitelist, though.

It's a step up from before, but I am wary of overselling its security and getting people snagged.




