[liberationtech] Recommended Software for Encrypted Blackberry Voice Calls
Chris Palmer
chris at eff.org
Tue Jan 25 14:11:07 PST 2011
On Jan 25, 2011, at 1:31 PM, Frank Rieger wrote:
> Regarding the overall security of BlackBerry, you totally need to trust RIM. See last year's incident where Etisalat in the UAE installed government trojans onto all BlackBerrys and it only got noticed way after the fact by accident.
Isn't Etisalat the threat actor in that case, more so than RIM?
Granted, RIM gave Etisalat a code-signing cert. But then, Mozilla gives Etisalat (and CNNIC, and...) CA certs for web sites. And as the EFF SSL Observatory has shown, bad actors like Etisalat had intermediary signing certs for web sites even before they got root CA certs in Mozilla. And DHS has an intermediary cert, too.
This is one reason why I prefer Android's CA-less signing model. It uses signatures to identify and quarantine sources of code, not as a basis for giving code a high level of trust based on who the code's author could trick into signing the code.
--
Chris Palmer
Technology Director, Electronic Frontier Foundation
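
The contrast drawn in the message above, sketched as an added example that is not part of the original post: a store that pins a package's signer on first install and a store that accepts any signer endorsed by a trusted issuer. The class names, issuer labels and certificate bytes are constructed for illustration, and signature verification over the package contents is assumed to have already succeeded.

```python
import hashlib

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the signer certificate bytes: the identity that gets pinned."""
    return hashlib.sha256(cert_der).hexdigest()

class PinnedStore:
    """CA-less model: the first install pins the signer; updates must match it."""
    def __init__(self):
        self.pins = {}  # package name -> fingerprint of the first signer seen

    def install(self, name: str, signer_cert: bytes) -> str:
        fp = fingerprint(signer_cert)
        pinned = self.pins.get(name)
        if pinned is None:
            self.pins[name] = fp          # no issuer consulted, identity only
            return "installed"
        return "updated" if pinned == fp else "rejected"

class CAStore:
    """CA model: any signer endorsed by any trusted issuer is accepted."""
    def __init__(self, trusted_issuers):
        self.trusted = set(trusted_issuers)
        self.installed = {}  # package name -> fingerprint of the latest signer

    def install(self, name: str, signer_cert: bytes, issuer: str) -> str:
        if issuer not in self.trusted:
            return "rejected"
        status = "updated" if name in self.installed else "installed"
        self.installed[name] = fingerprint(signer_cert)  # signer may change
        return status

# Constructed sample certificates (placeholder bytes, not real DER).
AUTHOR_CERT = b"constructed-cert: original author"
OTHER_CERT = b"constructed-cert: second signer"

def demo():
    pinned = PinnedStore()
    ca = CAStore({"issuer-A", "issuer-B"})  # hypothetical issuer labels
    return {
        "pinned": [pinned.install("app", AUTHOR_CERT),
                   pinned.install("app", AUTHOR_CERT),
                   pinned.install("app", OTHER_CERT)],
        "ca": [ca.install("app", AUTHOR_CERT, "issuer-A"),
               ca.install("app", OTHER_CERT, "issuer-B")],
    }

if __name__ == "__main__":
    print(demo())
```

In the pinned store the second signer cannot replace the installed package whatever endorsement it carries; in the CA store the same replacement succeeds because a different trusted issuer vouched for it.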