Cwtch.im (pronounced couch) is an app I'm looking closely at but doesn't seem to have much movement in terms of shipping new releases or getting it going in apks or Fdroid. But I keep any eye there too.
I mean I see the advantages of p2p for a more resilient network. Which is great when the internet is shut down but I also hope there will be some way to protect the people's identities.
You can forget about this one. With a name like that, it isn't going anywhere.
* deanonymizing users
* building social graphs of users’ interactions, both in real time and after the fact
* decrypting and reading direct messages
* impersonating users to anyone else on the network
* completely shutting down the network
* performing active man-in-the-middle attacks, which allow an adversary not only to read messages, but to tamper with them as well
This app basically allows for the exact opposite of what people are expecting from the app. Doesn't that qualify as some sort of fraud or false advertising? If not, I wonder if we need further regulation to protect the public from developers that are either incompetent or straight malicious.
Fraud typically requires some sort of mens rea. It sounds to me like Bridgefy is just really bad as making secure applications.
> If not, I wonder if we need further regulation to protect the public from developers that are either incompetent or straight malicious.
There is a long history of people trying to create liability for software bugs. It was a bad idea then and it's still a bad idea today.
If a bridge is built wrong and kills people when it collapses, someone must be at fault.
What’s the difference if it happens with a virtual “thing”?
Most of us have never directly paid Google for anything. I think we would still have justification in being upset if there was a central Google flaw that allowed users to view our search or Gmail histories.
We're acutely aware of this conversation, and know that we must prioritize the safety of our user base. All of the issues reported on the article are already being fixed, and we should have updates published in the next few weeks.
Here's our blog post: https://bridgefy.me/bridgefys-commitment-to-privacy-and-secu...
As always, we're available to keep the conversation going; please refer to the email address included in the blog post.
Thanks!
Identity is critical in encrypted messaging. Identity is a hard problem in practice. Very few things do an adequate job. The things that do are awkward and require concepts that few people understand.
For personal identity the most plausible outside authority is government, and it's unlikely that people protesting a government would trust it to identify them - after all government counter-protest forces would presumably be able to make use of that against them.
So you're probably screwed in the larger sense. Is this tip that "There is a team with food and water on the North side of the bridge" from "Kirsty" real? Well you haven't the faintest idea who "Kirsty" is so even if you could magically be entirely confident the message is really from "Kirsty" that doesn't help you decide.
Signal does the absolute most it's practical to attempt here, you can choose to check that your friend Kirsty is actually your friend Kirsty by some trustworthy means (e.g. meeting up physically) and then Signal promises you'll know that future messages are really from Kirsty. But trust isn't transitive so PGP's apparently more powerful offering doesn't actually do anything except maybe give you a false sense of security.
Bridgefy doesn't offer even that very limited capability from Signal, but I'm dubious about the practical import for a live protest. I can buy that BLM or Extinction Rebellion which are long-term organisations with sustained buy-in from local organisers benefit from something like that (and indeed ER uses Signal) but individual protests or protesters I don't think so.
Leaving off the question of how useful the transitive stuff is, PGP has a reasonable and simple framework. The terminology of key trust is terrible though. Few people know what it means to trust a key (my house key is OK but I think my shed key might be up to no good).
Messaging identity reputation is all about what you think of the other people's identities. Do you know them? What context do you know them from (e.g. a particular protest)? Why you think this messaging identity relates to a person somehow? How is this entity allowed to interact with you? This stuff can't be automated away.
I think the ultimate answer would have to involve generating a simple conceptual model of a messaging identity and then teaching people about it. If you solve identity then everything else is easy.
Trust in the abstract isn't inherently transitive, agreed. I'd argue that employing PGP as though it were is misusing the tool (that might well be easier to do than it ought to be, but that's a different conversation).
WoT as realized by PGP seems to me to be a very good tool for manually assessing whether to trust a previously unknown key for someone that a third (untrusted) party sends you.
I remain highly optimistic that some future take on the WoT concept will be advanced enough to tackle trust in general in a distributed manner.
It's afaik android-only, and doesn't use nodes as relays for private messages.
That seems like a relatively easy corner to deal with. What I really want to see is one with meshing, public chats, and open joining (of the public chats, verifying contact names can be done offline). That’s where it starts to be actually useful in protest etc situations where public internet access might not be available.
It does seem like a nice feature for existing platforms to be able to enable in disasters and at events.
As for protests, maybe some communication is better than none if the government is shutting things down?
Radio has different characteristics that make it an imperfect substitute in protests. The biggest one is that people already have cell phones, but pre-event coordination also becomes much more important, and people have to practice. (Not much, but radio discipline is a thing, and in an emergency you need it.)
In the US, legal radio usage would be easier to eavesdrop on (I believe encryption is effectively banned). But if you're willing to ignore that detail then it won't be easy to eavesdrop on you.
It would be trivial for a state funded adversary to triangulate broadcasters though.
Bluetooth/Mesh based local broadcast apps such as FireChat and Bridgfy are literally extreme low signal to noise streams of thoughts coming from everyone around you. We don't even need to get to the privacy or security part to eliminate it due to it being completely unusable in areas with more than a couple people.
Signal:
Slow, requires phone number to register and access to contacts. Users still receive messages after leaving a group, and the history still remain on the desktop app. Disappearing messages disappeared on the phone you'll still get it after it purported it have disappeared.
Wire:
Extremely slow.
Why is Telegram good?
* Super fast
* Good balance of security and usability.
* Early flaws in mtproto has largely been fixed.
* You can choose a username, instead of a phone number
* Good privacy settings to select who can find you, how to find you, who can call you, who can pull you into group chats etc.
* Desktop app has feature parity with the mobile apps. No glaring flaws found in Signal.
* Operationally extremely battle tested by successful protests around the world such as Hong Kong, Iran and Belarus.
* Any problems found on the ground, when reported, will be fixed in a matter of days to weeks by Telegram. They are that responsive.
Words of advise to Silicon Valley companies and security professionals in general. Stop bashing Telegram and actually go and try using your proposed alternatives in protests. Most if not all of these so-called secure chats are completely unusable for any organizations trying to avoid being arrested or be used as evidence against you.
Unless this has changed recently -- and I can't find any indication that it has -- this is not true. You can choose a username in addition to a phone number, but you must have a phone number. Your username is effectively an alias for your number; your account is tied to the number, not the username.
This cannot be stressed enough. One can do their imaginary layman revolutions and or secret operation in these chats, citing theoretical security features, etc. But when it comes to the real world, they simply do not work, in the same way your todolist mvc example doesn't work for project management and accounting.
