Search Mailing List Archives
[liberationtech] Wickr - Leave No Trace
jacob at appelbaum.net
Thu Jun 28 11:31:47 PDT 2012
On 06/28/2012 06:28 AM, Nathan of Guardian wrote:
> On 06/28/2012 04:58 AM, ilf wrote:
>> Opinions on this? Has there been any peer-review?
> Not as far as I know, but I think can tackle it quickly here from what
> is on their website. Most of this is the usual open-vs-closed type
> issues, but still important to reiterate.
> I have also cc'd their privacy@ address so they can join the libtech
> list and respond if they choose. I should also disclose my well-known
> bias towards open source and open standards.
> - it is free (as in free cheese samples at the grocery store)
> - they have some sense of user-oriented design/threat model design
> - their claimed data retention / privacy policies seem ideal
> - the claim that centrally stored data is minimal
Proof? What is claimed to be stored?
> - it comes with all that proclaimed "easy to use" and "just works"
> attitude that is part of the Apple iOS world; from screenshots, it looks
> simple enough to use
How do they deal with an active MITM?
> - better than an unencrypted SMS!
Heh - really? Probably... :)
> - closed-source, no ability to publicly audit without some sort of NDA
Do they offer the ability to audit with an NDA?
> - includes "patent-pending technology" aka proprietary, encumbered, not
> an open/known standard
> - limited to distribution where Apple and partner countries allow it
> - only works on iOS
I assume they'll make an Android version too?
> - no perfect-forward secrecy, it seems, meaning any encrypted on a
> remote device, can easily be tied back to your wickr ID and/or your
> cryptographic key
Holy. Fucking. Shit.
So that basically says it all - where they say "Leave No Trace" what
they mean is "Leave a cryptographic trace!"
> - no information about client-to-server connection (SSL, TLS? resistant
> to man-in-the-middle attacks?)
Has anyone intercepted this data yet?
> - centralized service with no option of hosting your own
> - "Activist" is not one of their user stories/types that they have
> designed around, though they claim "freedom fighters" are among their
> existing users
> - based on their "third parties" policy, it seems their system design is
> susceptible to lawful intercept
Awesome! Nothing quite like a backdoor when you're using it to ensure
you "Leave No Trace!"
> Would I recommend it? Probably not, but I am curious to see what sort of
> mainstream uptake they might get, much in the same way I am curious
> about SilentCircle.com, which is offering a very similar set of promises
> as Wickr.
SilentCircle has Jon Callas and Phil Zimmerman. That's a totally
different ballgame. While I dislike that they're likely re-inventing the
wheel in a few places, I can't say that it's too similar.
All the best,
More information about the liberationtech