Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] About "Confide"

Tom Ritter tom at ritter.vg
Sun Apr 27 05:16:06 PDT 2014


On 26 April 2014 17:18, Shava Nerad <shava23 at gmail.com> wrote:
> Anyone who is lauding the verifiability of open source security software had
> best show that their code has been regularly and thoroughly audited.


Open source, closed source - at this point I am pretty much
universally disgusted by any project who uses the term 'end to end
encryption' without bothering to answer the UNIVERSAL, OBVIOUS
question, of "How do I know I'm talking end-to-end to the right
person?", "How is authenticity established?" "Can you replace my
friend's keys?", however you want to phrase it.

You can only get authenticity through:
 - Pre-Shared Secret shared confidentially*
 - Fingerprints/Keys previously exchanged authenticated-but-not-confidentially
 - 'Trusted' Third Party

If a mobile app claims end to end encryption, but doesn't do something
like display fingerprints, require QR codes scanned in person, or ask
a 'secret question' of you or your friend - they use Trusted Third
Party and thus are no more 'end to end encrypted' than Apple iMessage.

-tom

* There are a few variants of this, like recognizing your party's
voice (ZRTP), SMP question/answer (OTR), prior key material (also
ZRTP), etc



More information about the liberationtech mailing list