[garrettr_]

I'm probably just inviting myself to get trolled by replying to this, but this comment is just ridiculously wrong on so many levels.

> The fact that the guy behind it is hyping it via the New York Times, a generalist publication, instead of validating the thing through professional cryptographers (which he isn't) and recognised privacy champions such as the EFF is very telling.

Cryptographer Matthew Green on Signal's crypto and code quality (it was called RedPhone/TextSecure at the time of this writing): https://blog.cryptographyengineering.com/2013/03/09/here-com...

Version 1.0 of EFF's Secure Messaging Scorecard gave Signal 7/7: https://www.eff.org/node/82654.

> The thing has not been properly validated or verified (for a start, because there is no design document to validate against, and no published goals to verify against)

Signal has been analyzed, with favorable results, by academic researchers at least twice:

- https://eprint.iacr.org/2014/904.pdf - https://eprint.iacr.org/2016/1013.pdf

> it uses an ad-hoc encryption scheme from a non-cryptographer

Moxie Marlinspike and Trevor Perrin probably wouldn't call themselves "cryptographers," but almost anybody in the field would agree that they are experts on applied cryptography.

[at612]

> I'm probably just inviting myself to get trolled by replying to this

I'm sorry that you get that impression, but I do appreciate your input.

> Cryptographer Matthew Green on Signal's crypto and code quality (it was called RedPhone/TextSecure at the time of this writing)

That's the application that they sold to Twitter, not the one being talked about here. I do not know how different the code bases are.

It is also around that time that the app had a gaping, amateurish hole in that it was simply leaking everything via logcat. And what does the guy do? Instead of addressing the issue like a professional, he goes on a complete tangent rubbishing F-Droid (https://github.com/WhisperSystems/Signal-Android/issues/53) and then making rather poor excuses as to why you should get your application from the Google store and not from anywhere else.

Excuses which by the way, have been evolving over time. I think he eventually admitted that he wants to keep track of how many users are using it (handy to show to your potential buyers).

He also has a history of lying, such as when he used fake WHOIS details to run his "Google anonymiser" thing. And of course, when he was shut down by the registrar, as you do when someone has given you false details, what did he do? He went to the press to whine about the registrar! After he entered a contract in bad faith, something which happens to be a prosecutable offence. That's the sort of person we are talking about here. I hope you will understand if his word does not exactly fill me with confidence.

> https://www.eff.org/node/82654.

That page starts with: "This is version 1.0 of our scorecard; it is out of date, and is preserved here for purely historical reasons."

And continues with: "the results in the scorecard below should not be read as endorsements of individual tools or guarantees of their security"

> Signal has been analyzed, with favorable results, by academic researchers at least twice:

Yes, I am aware of those. And that is not what validation and verification is which, as I said, in the absence of publicly available design documents, is impossible to do independently. The guy is trying to make it look like he's selling a "secure" communication platform, but if you presented that to a defence contractor (which I have some experience with) you would be laughed out of the building. Proper security is not done like this at all. For a start, you actually define your goals, i.e., what you intend to secure, against what threats, etc., etc. If you can show me a paper with that information I would be grateful.

Notably, you may have noticed that those papers, like Green's, are a protocol analysis, not an analysis of the entire solution. In that respect, you're back to the previous situation: the protocol might be ultra-secure, but if you're still leaking your plaintext on a different channel...

> Moxie Marlinspike and [...] probably wouldn't call themselves "cryptographers,"

At the risk of sounding elitist, what is his academic background? (I elided the other person because I do not know who he is).

> but almost anybody in the field would agree that they are experts on applied cryptography.

What do you base that conjecture on?

[platinumrad]

>He also has a history of lying, such as when he used fake WHOIS details to run his "Google anonymiser" thing. And of course, when he was shut down by the registrar, as you do when someone has given you false details, what did he do? He went to the press to whine about the registrar! After he entered a contract in bad faith, something which happens to be a prosecutable offence. That's the sort of person we are talking about here. I hope you will understand if his word does not exactly fill me with confidence.

I really don't see why someone should be on my shitlist for lying to godaddy dot com or whatever giant registrar unless you consider fudging identifying details about something that really doesn't matter, especially considering he was very openly associated with the project, some sort of horrible moral offense. I especially find your taking massive umbridge with fudging personal information baffling given how privacy-minded you otherwise seem.

>At the risk of sounding elitist, what is his academic background? (I elided the other person because I do not know who he is).

Combined with the above, the way you're hand-waving away the other of the two original developers of the protocol really just makes it seem like the position you've taken against Signal is mostly predicated on some sort of grudge against Marlinspike himself. Yes, trashing F-Droid was not a great thing to do and you might see him as someone with a strong penchant for self-promotion, but the way you keep on tying your criticisms to Marlinspike personally really muddles your case. For example, you object to him promoting Signal in a New York Times piece saying it is a generalist publication and posit he's just trying to drum up attention so he can find a buyer, which may or may not be true, but isn't one of the most important goals of a secure messaging application to get people to actually use it and to achieve widespread adoption? The main lesson I've learned from GPG mail is that a perfectly private means of communication is worth very little if I can't actually convince anyone to use it with me.

[at612]

> I really don't see why someone should be on my shitlist for lying to godaddy dot com or whatever giant registrar unless you consider fudging identifying details about something that really doesn't matter,

I think I can see where you are coming from. You seem to compare this with, say, opening a GMail account under an alias, if I understand correctly.

However, holding domain names and, at the time, SSL certificates requires a different sort of accountability. I can elaborate on that if you wish, but I trust it won't be necessary.

> especially considering he was very openly associated with the project,

In the same way that Mr platinumrad or Ms at612 are associated with this discussion? By the use of an alias?

> some sort of horrible moral offense.

Yes. And please note he did not just lie to the registrar. When he got caught, he went and whined to some journo who published a piece criticising the registrar without bothering to contrast the information first. It all being presented as if it was the registrar in the wrong, when they were following the rules, which are there to protect the public in the first place. This coming from some bloke who was saying "don't trust Google, trust me. Because."

> I especially find your taking massive umbridge with fudging personal information baffling given how privacy-minded you otherwise seem.

I value my privacy. At the same time, when I enter a contract, I do so in good faith and of course part of it is letting the other party know who I am.

> really just makes it seem like the position you've taken against Signal is mostly predicated on some sort of grudge against Marlinspike himself.

Yes, you are correct. My apologies if that wasn't clear. I question the ethics, motivation, and competence of this one individual, who happens to be closely associated with said project.

> Yes, trashing F-Droid was not a great thing to do

To put it mildly. On an incidental note and more generally, have you ever seen him do a mea culpa?

> [but] isn't one of the most important goals of a secure messaging application to get people to actually use it and to achieve widespread adoption?

I do not know. I would guess not (based on defence experience). But the main point is that him saying "oh sure, it's secure" does not make it secure. He seems to be taking advantage of the public's inherent credulity and lack of awareness of what "security" actually means and involves. We have gone through this discussion already, so for an example of what I consider a better developed and correctly presented security solution, please see the Conversations IM application.

> The main lesson I've learned from GPG mail is that a perfectly private means of communication is worth very little if I can't actually convince anyone to use it with me.

This is a different, and long discussion, but it is probable that the reason why you are seeing that is the other party having mentally (or formally) done a cost/benefit analysis and deciding that their information is not of such value to justify the extra effort to protect it. Rightly or wrongly.

[twr]

I think that issue highlights the problem with unofficial repositories. Users remained vulnerable because their upstream provider didn't update quickly enough. It culminated in a user spamming the official issue tracker with an outdated and annoying bug report.

This isn't just unique to Android: there are multiple ongoing efforts at the moment in the Linux world to lessen frustrations with distribution repositories. Snappy, Flatpak, and AppImage intend to unify application deployment and allow users to install applications from anywhere. In most cases, this could mean pulling directly from the application developer themselves. GNOME and KDE will likely encourage this.

I know some Firefox developers who have grouched at the delay between official releases and when distributions finally deploy them, so this problem isn't exclusive to desktop environment developers.

Back to Android: Moxie had a point when he claimed that Android is more privileged to have a system that provides package verification back to the original developer. It doesn't matter where you get an APK from: the developer's website, Google Play, APKMirror, or Bittorrent. If you have the developer's public signing key, you can verify the authenticity of the APK.

F-Droid represented a serious step backwards in Android security, back when they used to self-sign APKs. It wasn't possible any longer to cut out the distributor from the chain of trust. Fortunately, they reacted to Moxie's criticisms, and F-Droid now retains the original package signature when the build can be reproduced.

From a developer perspective however, encouraging or even tolerating unofficial installation channels for secure communication software is bad. If vulnerable users are in-contact with non-vulnerable users, they unknowingly put both parties at risk. If the ecosystem evolves to the point where this is common, the whole system is insecure.

What Android desperately needs is a high-quality, non-profit, privacy-friendly, charity- and grant-driven app store. It must entice open-source app developers. It cannot do self-builds, except for reproducibility. It needs crash-reporting, analytics, usage metrics, device-specific builds, localization options, and more. It requires dead-simple tools for command-line deploying.

Until then, in my opinion, F-Droid will never be accepted by app developers. F-Droid is for users only. Not for the same purposes, either: for the cautious user, F-Droid mainly shines as a locally-setup repo for self-deployed apps.

P.S.: Perrin & Moxie recently began documenting Signal Protocol: https://whispersystems.org/docs/

[at612]

> From a developer perspective however, encouraging or even tolerating unofficial installation channels for secure communication software is bad.

What is your threat model?