[liberationtech] About "Confide"
Tom Ritter
tom at ritter.vg
Sun Apr 27 05:16:06 PDT 2014
On 26 April 2014 17:18, Shava Nerad <shava23 at gmail.com> wrote:
> Anyone who is lauding the verifiability of open source security software had
> best show that their code has been regularly and thoroughly audited.
Open source, closed source - at this point I am pretty much
universally disgusted by any project that uses the term 'end to end
encryption' without bothering to answer the UNIVERSAL, OBVIOUS
question of "How do I know I'm talking end-to-end to the right
person?", "How is authenticity established?", "Can you replace my
friend's keys?", however you want to phrase it.
You can only get authenticity through:
- Pre-Shared Secret shared confidentially*
- Fingerprints/Keys previously exchanged authenticated-but-not-confidentially
- 'Trusted' Third Party
If a mobile app claims end to end encryption, but doesn't do something
like display fingerprints, require QR codes scanned in person, or ask
a 'secret question' of you or your friend - they use Trusted Third
Party and thus are no more 'end to end encrypted' than Apple iMessage.
-tom
* There are a few variants of this, like recognizing your party's
voice (ZRTP), SMP question/answer (OTR), prior key material (also
ZRTP), etc.
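An added illustration of the distinction Tom draws, not code from this thread or from any of the products named: a toy key directory that can silently hand out a substituted key, checked once the "trusted third party" way and once against a fingerprint obtained out of band. The key bytes, the directory and the function names are constructed for this example.

```python
import hashlib
import hmac

# Constructed sample "public keys": opaque byte strings standing in for real
# key material (a real scheme would use an actual key encoding).
ALICE_PUB = b"alice-public-key-v1-" + bytes(range(32))
MALLORY_PUB = b"mallory-public-key-" + bytes(range(32, 64))


def fingerprint(pubkey: bytes) -> str:
    """SHA-256 of the key, truncated to 128 bits and grouped so two people can
    compare it on a screen, over a QR scan, or read aloud in a known voice."""
    digest = hashlib.sha256(pubkey).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))


class KeyServer:
    """Toy 'trusted third party' directory. With substitute=True it returns
    Mallory's key when asked for Alice's, as a compromised or coerced server could."""

    def __init__(self, substitute: bool = False):
        self.keys = {"alice": ALICE_PUB}
        self.substitute = substitute

    def lookup(self, user: str) -> bytes:
        if self.substitute and user == "alice":
            return MALLORY_PUB
        return self.keys[user]


def ttp_only_accepts(server: KeyServer, user: str) -> bool:
    """An app that trusts the directory: whatever comes back is 'Alice'."""
    return server.lookup(user) is not None


def verified_accepts(server: KeyServer, user: str, expected_fp: str) -> bool:
    """Out-of-band check: the fetched key must match a fingerprint Bob got from
    Alice directly, before the server was ever involved."""
    fetched_fp = fingerprint(server.lookup(user))
    return hmac.compare_digest(fetched_fp, expected_fp)


ALICE_FP_OUT_OF_BAND = fingerprint(ALICE_PUB)  # exchanged in person, say via QR


def demo() -> dict:
    honest, swapped = KeyServer(), KeyServer(substitute=True)
    return {
        "ttp_honest": ttp_only_accepts(honest, "alice"),
        "ttp_swapped": ttp_only_accepts(swapped, "alice"),  # accepted: nothing to notice
        "verified_honest": verified_accepts(honest, "alice", ALICE_FP_OUT_OF_BAND),
        "verified_swapped": verified_accepts(swapped, "alice", ALICE_FP_OUT_OF_BAND),
    }
```

The directory-only client accepts both keys, so a substitution is invisible to it; only the fingerprint comparison distinguishes the two servers.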