Signal has had forward secrecy forever, right? The modern practice of secure messaging was established by OTR (Borisov and Goldberg), which practically introduced the notions of "perfect forward secrecy" and repudiability (as opposed to non-repudiability) in the messaging security model. Signal was an evolution both of those ideas and of the engineering realization of those ideas (better cryptography, better code, better packaging).
What's so galling about this state of affairs is that people are launching new messaging systems that take us backwards, not just to "pre-Signal" levels, but to pre-modern levels; like, to 2001.
1. Core Secrets said the FBI "compelled" companies to secretly backdoor their products. Another leak mentioned fines by FISA court that would kill a company. I don't know if you can be charged or not.
2. They paid the big companies tens of millions to $100+ million to backdoor their stuff. Historically, we know they can also pressure them about government contracts or export licenses. Between 1 and 2, it looks like a Pablo Escobar-like policy of "silver or lead."
3. In the Lavabit trial, the defendant said giving them the keys would destroy the business since the market would know all their conversations were in FBI's hands. The FBI said they could hide it, basically lying given Lavabit's advertising, which would prevent damage to the business. IIRC, the judge went for that argument. That implies the FBI and some courts tell crypto-using companies to give them access but lie to their users.
Just these three facts make me wonder how often crypto in big platforms is intentionally weak by government demand or sloppy because they don't care. So, I consider all crypto use in a police state subverted at least for Five Eyes use. I'll change my mind once the Patriot Act, FISC, secret interpretations of law, etc. are all revoked and violators get prosecuted.
People are going to come back and say "well yeah that's just what they tell you about FISA court, but I bet FISA courts fine people all the time", but no, it's deeper than that: private actors aren't parties to FISA cases. It's best to think of them as exclusively resolving conflicts between government bodies.
https://inteltoday.org/2020/02/15/crypto-ag-was-boris-hageli...
We've always done this.
I think these Twitter DMs only do the "scamming the gullible" part, as you need to pay to use the feature, and this is scamming people into thinking they're paying for secure messaging.
I was going to point out that Bitcoin does not use encryption; but technically I think its signature algorithm (ECDSA) can be thought of as a hashing step, followed by a public-key based encryption step.
So, in the most charitable reading, it's using elliptic curve asymmetric encryption. Presumably for the purpose of exchanging a symmetric key, as asymmetric encryption is very slow. In other words, what basically everything written this decade does. Older stuff would use non-EC algorithms, that are still totally fine, but need larger keys and would be vulnerable to quantum computers if those ever become big enough.
It really can't. If you're extremely drunk you can think of it as similar to hashing followed by a public-key based decryption step (signing uses the private key, as does decryption) but that's about as good an analogy as calling a tractor-trailer a container ship because both haul cargo. The actual elliptic-curve part of the operation isn't encryption or decryption, and thinking of it as such will lead to error.
RSA does have a simpler correspondence in that the fundamental modular multiplication operation is shared between decryption and signing (or between encryption and verification). But modular multiplication alone isn't secure, it's the "padding" that turns modular multiplication with a particularly-chosen modulus from some basic math into a secure encryption/signature system. And the padding differs, and the correspondence doesn't hold in real systems. RSA without padding is just sparkling multiplication.
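As an added illustration of the RSA point in the comment above (example code written for this page, not from any commenter, from Bitcoin or from X): a toy RSA in which the signing and decryption primitive are literally the same function, the multiplicative forgery that unpadded ("sparkling multiplication") RSA permits, and a hash-then-pad encoding that makes the forged value fail verification. The primes, exponent sizes and pad layout are constructed for illustration and are far too small for real use.

```python
import hashlib

# Toy parameters (constructed). Real keys use >= 2048-bit moduli and a vetted
# library with PSS/OAEP padding; this is only to show where the security lives.
P = 1000000007
Q = 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python >= 3.8)


def private_op(x: int) -> int:
    """Raw RSA private primitive x^d mod n: used by both decrypt and sign."""
    return pow(x, D, N)


def public_op(x: int) -> int:
    """Raw RSA public primitive x^e mod n: used by both encrypt and verify."""
    return pow(x, E, N)


# --- textbook (unpadded) RSA: signing IS the decryption primitive ----------
def textbook_sign(m: int) -> int:
    return private_op(m)


def textbook_verify(m: int, sig: int) -> bool:
    return public_op(sig) == m


def textbook_forge_product(m1: int, s1: int, m2: int, s2: int):
    """Given valid signatures on m1 and m2, produce a valid signature on
    m1*m2 mod n with no private key: (m1^d)(m2^d) = (m1*m2)^d mod n."""
    return (m1 * m2) % N, (s1 * s2) % N


# --- padded variant: hash the message into a fixed, checkable encoding -----
HEADER_BIT = 56   # encoding = 0x01 at bit 56 || 48-bit hash; always < N


def pad(message: bytes) -> int:
    """Deterministic hash-then-pad encoding (constructed; not PKCS#1 or PSS).
    The fixed header is what the verifier checks against."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return (1 << HEADER_BIT) | (digest & ((1 << 48) - 1))


def padded_sign(message: bytes) -> int:
    return private_op(pad(message))


def padded_verify(message: bytes, sig: int) -> bool:
    # The product of two padded values is not itself a padded value, so the
    # multiplicative trick no longer yields anything the verifier accepts.
    return public_op(sig) == pad(message)


if __name__ == "__main__":
    m1, m2 = 123456789, 987654321
    fm, fs = textbook_forge_product(m1, textbook_sign(m1), m2, textbook_sign(m2))
    print("textbook forgery accepted:", textbook_verify(fm, fs))
    forged = (padded_sign(b"hello") * padded_sign(b" world")) % N
    print("padded forgery accepted:", padded_verify(b"hello world", forged))
```

The same `private_op` serves as "decrypt" and as "sign", which is the correspondence the comment describes; the forgery shows why that bare primitive is not a signature scheme, and the padded variant shows that the padding, not the exponentiation, is what has to be analysed. Nothing analogous exists for ECDSA, where the signing equation is not the inverse of any encryption operation.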
Yeah, Musk, as a not very technical person, would hardly know the difference.
X's new "encrypted" XChat feature doesn't seem to be any more secure
> ... As noted in the help doc, this isn't forward secure, so the moment they have the key they can decrypt everything. This is so far from being a meaningful e2ee platform it's ridiculous.
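To make concrete what "not forward secure" costs, here is an added example (written for this page; not code from X, from Signal or from any commenter): a symmetric hash ratchet of the kind used for per-message keys in Signal's double ratchet, beside a single static key. An attacker who steals the sender's state part-way through can decrypt only later messages in the ratchet case, and everything in the static case. The keys are constructed, and the HMAC-keystream cipher is a toy for illustration only, not a construction to reuse.

```python
import hashlib
import hmac

# Constructed demo keys (not real secrets).
ROOT_KEY = hashlib.sha256(b"constructed demo root key").digest()
STATIC_KEY = hashlib.sha256(b"constructed demo static key").digest()


def kdf_step(chain_key: bytes):
    """One ratchet step: derive the next chain key and this message's key.
    HMAC is one-way, so holding chain_key[i+1] does not yield chain_key[i]."""
    next_ck = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    msg_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_ck, msg_key


def toy_xor(key: bytes, nonce: int, data: bytes) -> bytes:
    """Toy stream cipher: XOR with an HMAC keystream over (nonce, counter).
    Illustration only; use AEAD (e.g. AES-GCM/ChaCha20-Poly1305) for real code."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        block = nonce.to_bytes(8, "big") + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def ratchet_encrypt_all(root: bytes, plaintexts):
    """Sender side: fresh key per message; the old chain key is overwritten.
    Returns the ciphertexts and the sender's state after the last message."""
    ck, cts = root, []
    for pt in plaintexts:
        ck, mk = kdf_step(ck)
        cts.append(toy_xor(mk, 0, pt))
    return cts, ck


def recover_from_stolen_state(stolen_ck: bytes, stolen_after: int, cts):
    """Attacker holds the chain key as it was after `stolen_after` messages
    were sent. It can only be stepped forward, so earlier messages stay sealed."""
    ck, recovered = stolen_ck, {}
    for i in range(stolen_after, len(cts)):
        ck, mk = kdf_step(ck)
        recovered[i] = toy_xor(mk, 0, cts[i])
    return recovered


def static_encrypt_all(key: bytes, plaintexts):
    """The non-forward-secure alternative: one long-lived key, nonce = index."""
    return [toy_xor(key, i, pt) for i, pt in enumerate(plaintexts)]


def forward_secrecy_demo():
    """Returns (indices the attacker recovers with the ratchet,
                indices the attacker recovers with a static key)."""
    msgs = [b"msg0", b"msg1", b"msg2", b"msg3", b"msg4"]
    cts, _ = ratchet_encrypt_all(ROOT_KEY, msgs)
    # Simulate theft of the sender's state right after the third message.
    _, ck_after_3 = ratchet_encrypt_all(ROOT_KEY, msgs[:3])
    got = recover_from_stolen_state(ck_after_3, 3, cts)
    ratchet_hits = sorted(i for i, pt in got.items() if pt == msgs[i])
    static_cts = static_encrypt_all(STATIC_KEY, msgs)
    static_hits = [i for i, ct in enumerate(static_cts)
                   if toy_xor(STATIC_KEY, i, ct) == msgs[i]]
    return ratchet_hits, static_hits


if __name__ == "__main__":
    print(forward_secrecy_demo())   # ([3, 4], [0, 1, 2, 3, 4])
```

A symmetric chain like this only gives forward secrecy; it does not heal after a compromise, which is what the asymmetric (Diffie-Hellman) half of Signal's double ratchet adds. A design where one long-lived key decrypts the whole history, as the quoted help doc is read above, has neither property.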
What does "Bitcoin style encryption" mean? Isn't Bitcoin mostly relying on cryptographic signatures rather than "encryption" as we commonly know it?
However, the challenge is distributing those keys in a trustworthy way - because if someone can tamper with the keys during distribution, they can MITM any connection.
I assume this "bitcoin style" encryption is a blockchain or blocktree of every users public key now and throughout history. Ship the tree root hash inside the client app, and then every user can verify that their own entry in the tree is correct, and any user can use the same verified tree to fetch a private key for any other user.
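An added sketch of the scheme described in the comment above (example code written for this page; it is not X's design, whose details the thread does not have, and not any commenter's code): a Merkle tree over a public key directory, a root hash that would ship inside the client, an inclusion proof the server returns with each lookup, and the client-side check that rejects a substituted key. The directory entries are constructed sample data, not real keys.

```python
import hashlib
from typing import List, Tuple

# Constructed sample directory (user, hex public key). Not real keys.
DIRECTORY = [
    ("alice", "11" * 32),
    ("bob", "22" * 32),
    ("carol", "33" * 32),
    ("dave", "44" * 32),
    ("erin", "55" * 32),   # odd count, to exercise the unpaired-node case
]


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(user: str, pubkey_hex: str) -> bytes:
    # Domain separation: leaves and inner nodes use different prefixes so an
    # inner node can never be passed off as a leaf (or vice versa).
    return _sha256(b"\x00" + user.encode() + b"\x00" + bytes.fromhex(pubkey_hex))


def node_hash(left: bytes, right: bytes) -> bytes:
    return _sha256(b"\x01" + left + right)


def build_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """Level 0 is the leaves; the last level holds the single root."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur, nxt = levels[-1], []
        for i in range(0, len(cur), 2):
            if i + 1 < len(cur):
                nxt.append(node_hash(cur[i], cur[i + 1]))
            else:
                # Unpaired node is carried up unchanged (RFC 6962 style) rather
                # than duplicated, which avoids the duplicate-leaf ambiguity.
                nxt.append(cur[i])
        levels.append(nxt)
    return levels


def inclusion_proof(levels: List[List[bytes]], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling hashes from leaf to root; the flag says the sibling is on the left."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_inclusion(leaf: bytes, proof, root: bytes) -> bool:
    h = leaf
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root


def pinned_root(directory=DIRECTORY) -> bytes:
    """What the vendor would compile into the client."""
    return build_levels([leaf_hash(u, k) for u, k in directory])[-1][0]


def server_lookup(user: str, directory=DIRECTORY):
    """Server side: return a user's key plus a proof. A dishonest server can
    return any key it likes; it cannot produce a proof for one the tree lacks."""
    levels = build_levels([leaf_hash(u, k) for u, k in directory])
    idx = [u for u, _ in directory].index(user)
    return directory[idx][1], inclusion_proof(levels, idx)


def client_accepts(user: str, pubkey_hex: str, proof, root: bytes) -> bool:
    """Client side: trust a key only if its leaf is provably under the pinned root."""
    return verify_inclusion(leaf_hash(user, pubkey_hex), proof, root)


if __name__ == "__main__":
    root = pinned_root()
    key, proof = server_lookup("erin")
    print("genuine key accepted:", client_accepts("erin", key, proof, root))
    print("swapped key accepted:", client_accepts("erin", "99" * 32, proof, root))
```

A pinned root only covers one snapshot of the directory. For the scheme to hold up over time the log also needs append-only consistency proofs between roots and some gossip or auditing path, so the server cannot show one tree to the target and another to everyone else; that part is what a real key transparency deployment adds on top of this inclusion check.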
> Caution
> Experimental library!
and
> While this library is just a wrapper around the well known Libsodium library it still comes with high potential of introducing new attack surfaces, bugs and other issues and you shouldn't use it in production until it has been reviewed by community.
[0]: https://github.com/ionspin/kotlin-multiplatform-libsodium
OpenSSH was trivially backdoored [1] and distributed in several major distributions, and the security community _did not_ notice until after it was already in the wild.
[1] https://www.ssh.com/blog/a-recap-of-the-openssh-and-xz-liblz...
https://github.com/signalapp/Signal-Android/blob/main/reprod...
...
>Signal doesn't have these shortcomings. Use Signal.
Dunno that Signal is a really good counterexample for this particular aspect of E2EE messaging. The option exists to compare a 60-digit decimal number, but the usability of this feature is such that most users don't even know that this is something they have to do. Just having a feature is not valuable if no one knows that feature exists or has any idea what it means.
I like the approach used by Briar Messenger. They just have the user use the number that represents identity in the system. There is no misleading feature that maps a phone number to the actual cryptographic identity. This makes it much harder for the user to unknowingly use the system in an unsafe way. A Briar identity looks like this:
briar://bafybeiczsscdsbs7ffqz55asqdf3smv6klcw3gofszvwlyarci
Twitter wouldn't be the first rebrand where people just decide they're not going to bother with this. Notably, there was the odd year or so where the Royal Mail attempted to rebrand to 'Consignia' (in the alternate universe where the Iraq War didn't happen, this would be what everyone remembered about the Blair era), and Netflix's attempt, some years before scrapping it entirely, to rename its DVD delivery business to 'Quikster'.
Let’s just start some companies with the names:
- Let’s - Just - Start
You get the idea…
X.com is distinctive and unambiguous. Wikipedia has entertained at least 12 proposals to change the article name; 100% of them have failed, and they are issuing 3-month moratoriums on discussion now.
Honestly the new name is a bit of a prank on porn addicts. If someone is watching over your shoulder while you try to type "x.com" into the URL bar, autocomplete may reveal how many other sites begin with "x" that you’ve visited lately.
> [1] I'll respect their name change once Elon respects his daughter
It's still just Twitter, but you're not being banned anymore. So ACTUAL discussions can take place without having the thought police running around with a banhammer.