[liberationtech] Heml.is - "The Beautiful & Secure Messenger"
julian at julianoliver.com
Thu Jul 11 13:04:32 PDT 2013
..on Thu, Jul 11, 2013 at 12:23:25PM -0700, Mitar wrote:
> BTW. Even Tor has centralized directory servers. And it does not
> really matter if the code there is open source or not, because you
> anyway cannot know if they are really running some particular code
> there or not.
A good point. Nonetheless the way forward for security critical software is
toward de-centralisation; encouraging deployment and adaptation to local
contexts - political, social and topological. This is why both client and server
need to be open such that they can be both audited and adapted.

I can't think of a case where arguments in favour of closed-source deployment in
this space aren't ultimately grounded in desire for control and capital return
within a product-oriented (rather than service) business model. Selling binary
blobs sans source code in a security setting is a risky business, in that it
pushes risk onto the customers.
> On Thu, Jul 11, 2013 at 12:17 PM, Mitar <mmitar at gmail.com> wrote:
> > Hi!
> > On Thu, Jul 11, 2013 at 6:25 AM, Albert López <newbiesworld at hotmail.com> wrote:
> >> Ok, I understand what you mean. But why rely on a client-server approach
> >> when you can achieve your goal with a peer to peer solution?
> > Their answer is:
> > "The way to make the system secure is that we can control the
> > infrastructure. Distributing to other servers makes it impossible to
> > give any guarantees about the security. We’ll have audits from trusted
> > third parties on our platforms regularly, in cooperation with our
> > community."
> > Which is a bit hand-wavy if we assumed that server code can be closed
> > source if client part is done well enough that you don't have to think
> > about the server side and you still know that you are secure. :-)
> > But my main and almost only argument was, that I think we should wait
> > for a bit more concrete information before discarding the idea. At
> > least I can imagine plausible ways to implement the system securely
> > and having it known security properties while retaining part of it
> > closed source and centralized. But we don't know much to make any real
> > claims. What is interesting though, is that:
> > "We are building Heml.is on top of proven technologies, such as XMPP with PGP."
> > Mitar
> > --
> > http://mitar.tnode.com/
> > https://twitter.com/mitar_m