Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Viber Security and Privacy

Collin Anderson collin at averysmallbird.com
Fri Sep 21 11:25:55 PDT 2012


Thanks Katrin and Talmon,

> Voice may or may not pass through our servers (depending on network
> conditions). Voice is scrambled, but not encrypted. So someone who
> manages to capture the voice packets going between users may, in
> theory be able to access the audio. They will need a good
> understanding of what we do, but theoretically, it's possible.

Unfortunately then, Amin's question is answered -- as long as Viber relies
on the obscurity of their transport encoding, rather than real encryption,
the application is unsafe for places where communications are surveilled.
Certainly it may be difficult at first, however, Amin, Eric and others have
proven that there is a market flush with cash for a
sufficiently motivated actor to reverse engineer the application.

Cordially,

Collin


On Fri, Sep 21, 2012 at 1:01 PM, Katrin Verclas <katrin at mobileactive.org>wrote:

> Thanks, Talmon, for replying.
>
> This leaves a lot of questions open, unfortunately. There is a lengthy
> thread on Viber security on the Stanford University Liberation Technology
> list with a number of security experts, so copying your response to the
> list.
>
> Regards,
>
> Katrin
>
> On Sep 21, 2012, at 12:37 PM, Talmon Marco wrote:
>
> > Dear Katrin,
> >
> > My name is Talmon Marco and I am Viber's CEO. The question you sent to
> > our Privacy/Support team was brought to my attention.
> >
> > Generally speaking, absent physical or software access to the device
> > message sent via Viber should be considered secured and fully
> > encrypted between the user and the server. That means that Viber has
> > the technical capability to access messages. To date, we have never
> > done this, but this is something that could be developed.
> >
> > Voice may or may not pass through our servers (depending on network
> > conditions). Voice is scrambled, but not encrypted. So someone who
> > manages to capture the voice packets going between users may, in
> > theory be able to access the audio. They will need a good
> > understanding of what we do, but theoretically, it's possible.
> >
> > Identity, login, etc. are fully encrypted, protected by secret keys
> > and all the other "right things". However, if you are using an Irani
> > phone number as your ID, it stands to reason that Irani government
> > could register the same number and access the activation SMS. You may
> > want to register using a non Irani number - pinger, for example, gives
> > away free US numbers.
> >
> > As for warrants, we generally accept warrants but only from countries
> > where we believe due process exists. Iran does not fall under this
> > category and as such we will not be accepting warrants issued by Iran.
> >
> > I hope this addresses your question.
> >
> > Kind Regards,
> >
> > Talmon
> >
> > ---
> > Talmon Marco, CEO
> > Viber Media, Inc.
> >
> >
> >
> > Sent from my Phone
>
>
> Katrin Verclas
> MobileActive.org
> katrin at mobileactive.org
>
> skype/twitter: katrinskaya
> (347) 281-7191
>
> A global network of people using mobile technology for social impact
> http://mobileactive.org
>
> --
> Unsubscribe, change to digest, or change password at:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>



-- 
*Collin David Anderson*
averysmallbird.com | @cda | Washington, D.C.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20120921/cee4bd32/attachment.html>


More information about the liberationtech mailing list