Comment by OhMeadhbh
1 day ago
I talked to Moxie about this 20 years ago at DefCon and he shrugged his shoulders and said "well... it's better than the alternative." He has a point. Signal is probably better than Facebook Messenger or SMS. Maybe there's a market for something better.
Is there any reason they didn't use email? It seems like something that would have been easier to keep some anonymity., while still allowing the person to authenticate.
email is notoriously insecure and goes through servers that allow it to be archived. also, email UIs tend not to be optimized for instantaneous delivery of messages.
I have no idea if that was true 20 years ago, but it's not true now. XMPP doesn't have this problem; your host instance knows your IP but you can connect via Tor.
Tor has the problem that you frequently don't know who's running all the nodes in the network. For a while the FBI was running Tor exit nodes in an attempt to see who messages were being sent to. maybe they still are.
OTR has been on XMPP for so long now
Is that good? According to the wikipedia page it seems last stable release was 9 years ago. Is anyone using that? Last time I had a look at XMPP everybody was using OMEMO.
10 replies →
[dead]
Briar and Session are the better encrypted messengers.
Session lacks forward secrecy, which isn't ideal.
I remember listening to his talks and had some respect for him. He could defeat any argument about any perceived security regarding any facet of tech. Not so much any more. He knows as well as I do anything on a phone can never be secure. I get why he did it. That little boat needed an upgrade and I would do it too. Of course this topic evokes some serious psychological responses in most people. Wait for it.
> He knows as well as I do anything on a phone can never be secure
I assume because of the baseband stuff to be FCC compliant? Last I checked that meant DMA channels, etc. to access the real phone processor. All easily activated over the air.
All easily activated over the air.
Indeed. The only reason this is not used by customer support for more casual access, firmware upgrades and debugging is a matter of policy and the risk of mass bricking phones and as such this is not exposed to them. There are other access avenues as well including JTAG debugging over USB and Bluetooth.
I don't think the FCC requires DMA channels. That's done out of convenience because it's how PCIe works.
2 replies →
Any citation on this? I’ve never heard that.
2 replies →