[liberationtech] Wickr app aims to safeguard online privacy
Jacob Appelbaum
jacob at appelbaum.net
Tue Feb 5 11:52:52 PST 2013
Collin Anderson:
>> Seems rather reasonable, really. Hardly malware but hardly perfect.
>
> Perhaps I am missing something, but isn't the point of contention that
> Wickr and Silent Circle are promising trust in the destruction of messages
> on the receiver side, which as far as I am aware is an improbable claim?
Self-destructing data generally requires all parties to delete their
unencrypted copies and keys; where as the cipher text might float around
for ages. This isn't impossible by any means and at UW, Vanish (
http://vanish.cs.washington.edu/ ) was an example of such a system. As
was the keypad (
http://www.cs.washington.edu/homes/yoshi/papers/keypad-eurosys2011.pdf )
system. There are a few of these sytems.
So depending on one's threat model, one may in fact create a
self-destructing data pipeline. No one claims such a system is perfect
but an all-or-nothing game isn't the only way to look at things.
> Again, correct me if I am wrong, but Pond does not claim that a user cannot
> edit the source to extend the expiration period, let alone copy and paste
> from chats, correct?
No, Pond doesn't make that claim. Pond is also an unfinished system. I
only mentioned it as an example threat model where self-destructing data
makes sense.
With a system like keypad, such a change as you suggest would be
insufficient. A third party is required to authorize the release of a
key and/or ciphertext.
Nothing stops a person with a digital camera from snapping a photo. My
assertion is simply that there is another choice other than malware or
worthless, which is a useful one in certain scenarios. With a keypad
like model, you could allow a user to decrypt a message a single time
and then design the app to erase the copy of the message; it wouldn't
stop a backdoor that was already installed from reading the message but
it would probably stop the backdoor installed next week from reading the
message.
All the best,
Jacob
>
>
> On Tue, Feb 5, 2013 at 2:11 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
>
>> Brian Conley:
>>> Apparently Silent Circle is also proposing such a feature now.
>>
>> Such a feature makes sense when we consider the pervasive world of
>> targeted attacks. If you compromise say, my email client today, you may
>> get years of email. If you compromise my Pond client today, you get a
>> weeks worth of messages. Such a feature is something I think is useful
>> and I agreed to it when I started using Pond. It is a kind of forward
>> secrecy that understands that attackers sometimes win but you'd like
>> them to not win everything for all time.
>>
>> Seems rather reasonable, really. Hardly malware but hardly perfect.
>>
>> All the best,
>> Jake
>>
>> --
>> Unsubscribe, change to digest, or change password at:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
>
>
>
>
>
> --
> Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
More information about the liberationtech
mailing list