[liberationtech] Heml.is - "The Beautiful & Secure Messenger"

[Julian Oliver]

..on Thu, Jul 11, 2013 at 12:23:25PM -0700, Mitar wrote:
> Hi!
> 
> BTW. Even Tor has centralized directory servers. And it does not
> really matter if the code there is open source or not, because you
> anyway cannot know if they are really running some particular code
> there or not.

A good point. Nonetheless the way forward for security critical software is
toward de-centralisation; encouraging deployment and adaptation to local
contexts - political, social and topological. This is why both client and server
need to be open such that they can be both audited and adapted. 

I can't think of a case where arguments in favour of closed-source deployment in
this space aren't ultimately grounded in desire for control and capital return
within a product-oriented (rather than service) business model. Selling binary
blobs sans source code in a security setting is a risky business, in that it
pushes risk onto the customers.

Cheers,

Julian

> On Thu, Jul 11, 2013 at 12:17 PM, Mitar <mmitar at gmail.com> wrote:
> > Hi!
> >
> > On Thu, Jul 11, 2013 at 6:25 AM, Albert López <newbiesworld at hotmail.com> wrote:
> >> Ok, I understand what you mean. But why rely in a client-server approach
> >> when you can achieve your goal with a peer to peer solution?
> >
> > Their answer is:
> >
> > "The way to make the system secure is that we can control the
> > infrastructure. Distributing to other servers makes it impossible to
> > give any guarantees about the security. We’ll have audits from trusted
> > third parties on our platforms regularily, in cooperation with our
> > community."
> >
> > Which is a bit hand-wavy if we assumed that server code can be closed
> > source if client part is done well enough that you don't have to think
> > about the server side and you still know that you are secure. :-)
> >
> > But my main and almost only argument was, that I think we should wait
> > for a bit more concrete information before discarding the idea. At
> > least I can imagine plausible ways to implement the system securely
> > and having it known security properties while retaining part of it
> > closed source and centralized. But we don't know much to make any real
> > claims. What is interesting though, is that:
> >
> > "We are building Heml.is on top of proven technologies, such as XMPP with PGP."
> >
> >
> > Mitar
> >
> > --
> > http://mitar.tnode.com/
> > https://twitter.com/mitar_m
> 
> 
> 
> -- 
> http://mitar.tnode.com/
> https://twitter.com/mitar_m
> --
> Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech

-- 
Julian Oliver
PGP B6E9FD9A
http://julianoliver.com
http://criticalengineering.org