Ask HN: Is secure messaging mainly a usability problem?
3 points by _g2lm 3670 days ago
Suppose we wanted to stop the NSA from spying on us. The obvious solution would be encryption. I am then led to understand that basically you should just use PGP and TLS.

If we could get everyone in the world to communicate through an open-source channel secured by these two cryptosystems, would that stop third-party snooping? More generally, is there a technical/mathematical solution to this problem that the world just isn't on board with, or is there more?

3 comments

Encryption isn't an obvious solution in a world where three-letter agencies have the financial and technical wherewithal to PWN my devices and manipulate the entropy pool. I'll put on my tinfoil hat and imagine how many man-years agencies foreign and domestic have devoted to breaking cryptography since 1930 and the level of commitment patriots have to doing what they believe is patriotic before I evaluate the likelihood that commercial and amateur interests have the will and resources to thwart state-level actors.

The problem of secure messaging is that there are exponential mismatches of resources. PGP and TLS are only as good as the entropy pools upon which an implementation relies.

Good luck.

So to answer your question, the problem is a usability one.
Take a look at Signal by Open Whisper Systems - biggest problem with Signal is that in order for you to verify the other party's identity in a fully trustworthy manner, you'd need to verify your keys in person.
The main issue with WhatsApp is the lack of warning when someone's keys change and the fact that you have no guarantee that the noise protocol is implemented end to end as it's impossible to check the source (decompiling/reverse engineering aside).
WhatsApp has implemented the same encryption scheme, but it's not as trustworthy as Signal on account of it being closed source. Assuming the code were trustworthy, proper verification of keys requires a physical meeting.
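
The two client-side behaviours the comments above turn on (a warning when a contact's key changes, and verification by comparing keys in person), as an added Python example that is not from the thread and is not Signal's or WhatsApp's code. The `PinStore` class, the fingerprint format and the sample keys are assumptions made up for illustration.

```python
import hashlib


def fingerprint(public_key: bytes) -> str:
    """Truncated SHA-256 in 4-hex-digit groups, short enough to compare in person.
    Illustrative format only, not any real messenger's safety-number scheme."""
    digest = hashlib.sha256(public_key).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


class PinStore:
    """Trust-on-first-use pins; a pin is 'verified' only after an out-of-band check."""

    def __init__(self):
        self._pins = {}  # contact -> {"key": bytes, "verified": bool}

    def observe(self, contact: str, public_key: bytes) -> str:
        pin = self._pins.get(contact)
        if pin is None:
            self._pins[contact] = {"key": public_key, "verified": False}
            return "first-use"  # accepted on faith, not yet verified
        if pin["key"] == public_key:
            return "verified" if pin["verified"] else "unverified"
        # Different key for a known contact: keep the old pin and surface a warning.
        return "KEY-CHANGED"

    def accept_change(self, contact: str, public_key: bytes) -> None:
        # Explicit user decision; the new key starts out unverified again.
        self._pins[contact] = {"key": public_key, "verified": False}

    def confirm_in_person(self, contact: str, fingerprint_shown: str) -> bool:
        # fingerprint_shown is what the contact's own device displays at the meeting.
        pin = self._pins[contact]
        pin["verified"] = fingerprint(pin["key"]) == fingerprint_shown
        return pin["verified"]


def demo():
    alice_key = bytes(range(32))      # constructed sample key
    other_key = bytes(range(1, 33))   # constructed key that differs from the pin
    store = PinStore()
    events = [store.observe("alice", alice_key), store.observe("alice", alice_key)]
    events.append(store.confirm_in_person("alice", fingerprint(alice_key)))
    events.append(store.observe("alice", alice_key))
    events.append(store.observe("alice", other_key))   # silent swap is flagged
    store.accept_change("alice", other_key)
    events.append(store.observe("alice", other_key))   # verification was reset
    return events


if __name__ == "__main__":
    print(demo())
```

A client without the `KEY-CHANGED` branch would treat the substituted key exactly like the original, which is the missing-warning concern raised in the comment.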