|
|
|
|
|
|
by canes123456
3320 days ago
|
|
|
Why does Threema not use the Signal Protocol? Lack of an open source protocol makes it a non start for most uses of this. The protocol can not really be "verified" in any real sense. You can check that you can decrypt the message with nacl. All this doesn't show anything about a lack of bugs or backdoors. Google and Facebook both decided to use the Signal protocol. Why should we trust a small company to do this correctly the first time? Without even being able to check what they are doing? |
|
|
There is an open source re-implementation of the Threema protocol obtained by reverse engineering: https://github.com/blizzard4591/openMittsu There is also an (incomplete) implementation in Go: https://github.com/o3ma/o3/ Note that Threema does not disallow reverse engineering in their terms of service.
The fact that OpenMittsu can properly encrypt and decrypt messages that are compatible with the Threema apps should be proof that the implementation is correct. Also, since Threema is financed by selling the app with no external investors, there should be more incentive to stick to their promises than to cheat on their privacy-sensitive users.
And even if the apps and the server were open source, unfortunately it would still not be possible to verify that the version on Google Play / iTunes is the same as the published source code. I'm not aware of a way to create reproducible builds on these app stores either.