You are viewing a single comment's thread from:

RE: Let's Talk About Secure Messaging Apps

in #security8 years ago

Great points all around, @arhag, thanks! Yes, Wire's protocol is based in part on the Axolotl Ratchet, which was later upgraded to be the Double Ratchet, which is technically only part of the Signal protocol (as Double Ratchet only manages the cryptography, and not the key exchanges, etc etc). According to Wire, they went off-book from the official Axolotl protocol because they wanted to not require a phone number, and Axolotl (and Signal still today) use the phone number to provide some of their security guarantees, so removing it isn't trivial and takes some innovating.

And yes, I think I was clear that I do not regard Wire's protocol as being as secure, from a confidentiality and integrity standpoint, as Signal; however, Wire is much more available, what with it's easy and friendly usernames (rather than SUUUUUUPER finicky phone numbers in Signal, et. al.) and it's nice UI/UX. And all of that comes with the addendum that, AFAIK, Wire's protocol has not been seriously attacked, even after having been formally reviewed by a university's security department (they found a potential MITM vuln that the servers could exploit on video calls, I think, but MITMing video calls is tricky in its own right, and Wire said they knew about it and were planning to fix it; not sure if they have yet or not).

Yeah, Wire has an acceptable UX for adding more devices. I'm not sure about Signal's. On Wire, you can add a new device to your account at any time. If you or your contacts have previously verified all the keys in any conversation, Wire yells loudly and won't let you send messages in those conversations until you've confirmed that you know there's an unverified key in the conversation (even if it's supposedly your own key). New devices cannot decrypt old messages, only new ones going forward, so a new device gets nothing historical, and if people have been verifying keys, probably nothing new either. The place Wire really fails is when I add a new device, I ought to be able to verify it on one of my old devices, and then have the old device send a signed assertion to all my other devices/my contacts saying "Hey, old key you've already verified here, just letting you know that according to me, the new device is legit too." Now, the contacts can decide for themselves whether they accept that assertion, but in general there's no reason to assume that an old key is compromised just because a new device showed up on the account.

As to blockchain integration, yes yes a thousand times yes, I'd like to see this done really well too. Keybase might be it, but I haven't taken the time yet to look into it.

As to forward secrecy and deniability... Yeah, you'll note I actually never even talked about keys in my article. That alone warranted enough prose that I got scared off. There are so many posts that could be written and not even scratch the surface... Haha. And one can't properly understand forward secrecy and deniability without understanding keys (symmetric and asymmetric) at the very least.