[kwlug-disc] Secure IM news

Chamunks chamunks at gmail.com
Wed Nov 23 21:41:08 EST 2016


SignalApp is perfectly open; they only use GCM as an efficient method to
tell clients where to send the message to p2p.  None of the messages
actually travel through GCM.  This is how Android's designed to work; same
with iOS: in order to basically have an app on the app store, you're
basically required to use their push system.

They also have security-by-default group chat messages using the Signal
ratcheting crypto mechanism.

The best part of the Signal protocol is that, unlike the OTR spec, it
ratchets its keys for every message, since it's so cheap on the CPU these
days to make more keys.

On Wed, Nov 23, 2016 at 5:26 PM Hubert Chathi <hubert at uhoreg.ca> wrote:

> On Wed, 23 Nov 2016 16:28:32 -0500, Nick Guenther <nguenthe at uwaterloo.ca>
> said:
>
> > On 23 November 2016 11:31:27 EST, "locklin.jason at gmail.com"
> > <locklin.jason at gmail.com> wrote:
>
> >> the ability to do e2e encrypted group IM.
> >>
> https://medium.com/@RiotChat/exciting-new-riot-release-get-ready-for-chatting-securely-acc93ecfe0a
>
> > I am suspicious here; encrypted group chat is really hard. Does the
> > server hand out keys when new people join?
>
> AFAIK, other participants send out keys when someone joins.  Obviously,
> the server can't hand out keys because the server doesn't have any
> keys.
>
> > They say users can blacklist each other, but blacklists are weak: just
> > come back under a different key. And it's claiming end-to-end
> > encryption, but for the same reason the server could generate fake
> > users at will. If they have or add a whitelist mode, every new user
> > would have to be approved by every other new user; maybe users could
> > delegate their trust to an OP deciding on who to whitelist, though.
>
> Their end-to-end encryption is in beta.  It currently operates in a
> blacklist mode, but there are plans for a whitelist mode as well.
> They've been focusing mostly on the technical aspect of end-to-end
> encryption, and will be giving some attention to the UX side now that
> it's in beta.
>
> > It's a step up from before, but I am wary of overselling its security
> > and getting people snagged.
>