[liberationtech] Heml.is - "The Beautiful & Secure Messenger"

Andy Isaacson adi at hexapodia.org
Thu Jul 11 13:32:33 PDT 2013


On Thu, Jul 11, 2013 at 12:23:25PM -0700, Mitar wrote:
> BTW. Even Tor has centralized directory servers.

It's incredibly misleading to imply that the Tor DA design provides a
similar threat to a server-hosted-crypto proprietary privacy app.  (I'm
not accusing you of intentionally misleading, but the claim that you're
repeating is misleading.)

The Tor DAs are run by multiple individuals in diverse legal
jurisdictions, and their sole purpose is to make a publicly checkable
attestation of public facts.  The implementation run by the DAs is open
source and has been developed in public according to a public design for
a decade, in accordance with Kerckhoffs's Principle.

A non-open-source privacy app developed by a single company has a
corporate nexus of control, a single jurisdiction to get a secret
warrant in, and a single codebase and update server/signing-key to
compromise giving 'the keys to the castle'.

Even if an attacker were to secretly compromise all of the Tor DAs and
publish a malicious consensus, the break is only to anonymity, not to
message privacy.  (Granted, anonymity is a major selling point for Tor
and that break would be a major problem, but it's still not as severe a
break as the messaging app compromise.)

> And it does not
> really matter if the code there is open source or not, because you
> anyway cannot know if they are really running some particular code
> there or not.

Being closed source doesn't fix this problem, so how is that a useful
response to the advice "never trust a closed source privacy app"?

Seatbelts don't help when your car flies off a cliff.  It's still a good
idea to wear your seatbelt, for the 99% of crashes where they do help.

Having open review of the design and implementation of your privacy app
isn't enough to solve all of the potential compromises.  But it's still
a good idea to have open review which will help address a vast number of
vulnerabilities.

-andy


