<div dir="ltr">SignalApp is perfectly open they only use GCM for an efficient method to tell clients where to send the message to p2p. None of the messages actually travel through GCM. This is how android's designed to work same with iOS in order to basically have an app on the app store you're basically required to use their push system. <br><br>They also have security by default group chat messages using the signal ratcheting crypto mechanism.<br><br>The best part of the signal protocol is that unlike the OTR spec, it ratchets its keys for every message since its so cheap on the CPU these days to make more keys.</div><br><div class="gmail_quote"><div dir="ltr">On Wed, Nov 23, 2016 at 5:26 PM Hubert Chathi <<a href="mailto:hubert@uhoreg.ca">hubert@uhoreg.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Wed, 23 Nov 2016 16:28:32 -0500, Nick Guenther <<a href="mailto:nguenthe@uwaterloo.ca" class="gmail_msg" target="_blank">nguenthe@uwaterloo.ca</a>> said:<br class="gmail_msg">
<br class="gmail_msg">
> Le 23 novembre 2016 11:31:27 HNE, "<a href="mailto:locklin.jason@gmail.com" class="gmail_msg" target="_blank">locklin.jason@gmail.com</a>"<br class="gmail_msg">
> <<a href="mailto:locklin.jason@gmail.com" class="gmail_msg" target="_blank">locklin.jason@gmail.com</a>> a écrit :<br class="gmail_msg">
<br class="gmail_msg">
>> the ability to do e2e encrypted group IM.<br class="gmail_msg">
>> <a href="https://medium.com/@RiotChat/exciting-new-riot-release-get-ready-for-chatting-securely-acc93ecfe0a" rel="noreferrer" class="gmail_msg" target="_blank">https://medium.com/@RiotChat/exciting-new-riot-release-get-ready-for-chatting-securely-acc93ecfe0a</a><br class="gmail_msg">
<br class="gmail_msg">
> I am suspicious here; encrypted group chat is really hard. Does the<br class="gmail_msg">
> server hand out keys when new people join?<br class="gmail_msg">
<br class="gmail_msg">
AFAIK, other participants send out keys when someone joins. Obviously,<br class="gmail_msg">
the server can't hand out keys because the server doesn't have any<br class="gmail_msg">
keys.<br class="gmail_msg">
<br class="gmail_msg">
> They say users can blacklist each other, but blacklists are weak: just<br class="gmail_msg">
> come back under a different key. And it's claiming end-to-end<br class="gmail_msg">
> encryption, but for the same reason the server could generate fake<br class="gmail_msg">
> users at will. If they have or add a whitelist mode, every new user<br class="gmail_msg">
> would have to be approved by every other new user; maybe users could<br class="gmail_msg">
> delegate their trust to an OP deciding on who to whitelist, though.<br class="gmail_msg">
<br class="gmail_msg">
Their end-to-end encryption is in beta. It currently operates in a<br class="gmail_msg">
blacklist mode, but there are plans for a whitelist mode as well. A<br class="gmail_msg">
They've been focusing mostly on the technical aspect of end-to-end<br class="gmail_msg">
encryption, and will be giving some attention to the UX side now that<br class="gmail_msg">
it's in beta.<br class="gmail_msg">
<br class="gmail_msg">
> It's a step up from before, but I am wary of overselling it's security<br class="gmail_msg">
> and getting people snagged.<br class="gmail_msg">
<br class="gmail_msg">
<br class="gmail_msg">
_______________________________________________<br class="gmail_msg">
kwlug-disc mailing list<br class="gmail_msg">
<a href="mailto:kwlug-disc@kwlug.org" class="gmail_msg" target="_blank">kwlug-disc@kwlug.org</a><br class="gmail_msg">
<a href="http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org" rel="noreferrer" class="gmail_msg" target="_blank">http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org</a><br class="gmail_msg">
</blockquote></div>