> although TLS _can_ authenticate both parties, on the Web today we rarely do that. Instead the web server is authenticated using TLS but the client (a Facebook user) has some crummy HTTP layer authentication, maybe a password like "1LvUrDog" filled into an HTML form field. I would love to see more use of client certificates, but assuming good password practice is there a real security difference? Either way both parties authenticate themselves to the other.

> Next, Facebook is authenticated to you by its proof of possession of a Private Key corresponding to the Public Key in a certificate from a Trusted Third Party CA. An adversary could corrupt this CA, but hopefully that's difficult. And hopefully Certificate Transparency would catch them if they did.

> Signal doesn't use passwords. Your device has randomly picked a Private Key, but unlike Facebook you don't have a certificate from a CA, instead you can compare the associated Public Key on your device with that shown for another participant on their phone, if they don't match there's a Man in the Middle. So immediately that's an improvement, no password guessing.

Well, depends what you're trying to verify. Verifying that someone is always using the same device is one choice with its own set of tradeoffs (e.g. many people change devices quite often). Verifying that someone always knows a given password is another. I think tied-to-device keys lose you more than you gain, though I appreciate there's room for disagreement here.

> Signal also has Forward Secrecy. In fact each message sent and received changes the keys used for future messages. As a result an adversary can only eavesdrop by actively impersonating one of the participants. In a two person conversation that's often likely to become obvious pretty quickly whereas passive eavesdropping is undetectable.

You don't have to actively participate as such - you can just forward messages between the two. And Signal's servers are already sitting in the right place to do that. In theory PFS is a valuable benefit. But the level of compromise needed to incorporate it into a practical system where people want to be able to send offline messages and messages to new contacts who they haven't exchanged keys with beforehand... IMO the resulting level of protocol complexity compromises your security more than the fairly weak guarantees you get out of it in practice are worth. Certainly not when the cost is no federation and identity-tied-to-phone-number.

I think I can see how to repair this (Alice doesn't know Bob's private key, but she does know a long term public key for him, as a result she could periodically and automatically re-verify that she's still talking to Bob and not just someone who has her short term keys and is actively conducting a MITM) but Signal doesn't attempt such a repair and maybe I'm wrong.
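An added worked example of the two points in the comment above (editor's illustration, not part of the comment and not Signal's code): a toy one-way key chain shows what a snapshot of the short-term state does and does not let an eavesdropper read, and an Ed25519 challenge shows the "re-verify against Bob's long-term public key" repair the commenter sketches. The chain construction, the HMAC-based encryption, the key labels and the `reverify:` challenge format are all assumptions made up for this example; Signal's real Double Ratchet also mixes in fresh Diffie-Hellman keys and is not modelled here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// prf is HMAC-SHA256, used as the one-way step of a toy key chain.
func prf(key []byte, label string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(label))
	return m.Sum(nil)
}

// ratchet is a toy symmetric hash chain, not Signal's Double Ratchet (which also mixes in
// fresh DH keys): each message replaces the chain key with a one-way function of itself.
type ratchet struct{ chainKey []byte }

// next returns the key for the next message and advances the chain.
func (r *ratchet) next() []byte {
	msgKey := prf(r.chainKey, "message-key")
	r.chainKey = prf(r.chainKey, "next-chain-key")
	return msgKey
}

// xorPad XORs data with a keystream expanded from msgKey, one PRF output per 32 bytes.
func xorPad(msgKey, data []byte) []byte {
	out := make([]byte, len(data))
	for i := range data {
		out[i] = data[i] ^ prf(msgKey, fmt.Sprintf("keystream-%d", i/32))[i%32]
	}
	return out
}

// seal encrypts and appends a 16-byte HMAC tag (toy; a real protocol uses an AEAD).
func seal(msgKey, plaintext []byte) []byte {
	ct := xorPad(msgKey, plaintext)
	return append(ct, prf(prf(msgKey, "mac-key"), string(ct))[:16]...)
}

// open reverses seal; ok is false for a short input or a tag that fails under msgKey.
func open(msgKey, sealed []byte) (plaintext []byte, ok bool) {
	n := len(sealed) - 16
	if n < 0 || !hmac.Equal(sealed[n:], prf(prf(msgKey, "mac-key"), string(sealed[:n]))[:16]) {
		return nil, false
	}
	return xorPad(msgKey, sealed[:n]), true
}

// demoForwardSecrecy: Alice seals msgs in order; an eavesdropper copies her chain key right
// after message captureAfter (0-based) and tries every key she can derive from it on every
// ciphertext, with no forwarding or impersonation. Returns, per message, whether she read it.
func demoForwardSecrecy(seed []byte, msgs []string, captureAfter int) []bool {
	alice := ratchet{chainKey: seed}
	sealed, captured := [][]byte{}, []byte(nil)
	for i, m := range msgs {
		sealed = append(sealed, seal(alice.next(), []byte(m)))
		if i == captureAfter {
			captured = alice.chainKey // next() replaces the slice, so no copy is needed
		}
	}
	eve := ratchet{chainKey: captured}
	readable := make([]bool, len(sealed))
	for range sealed { // one derived key per ciphertext is all she needs to try
		k := eve.next()
		for i, s := range sealed {
			_, ok := open(k, s)
			readable[i] = readable[i] || ok
		}
	}
	return readable
}

// The repair sketched in the comment: Alice keeps Bob's long-term public key and
// periodically asks whoever is at the far end to sign a fresh nonce with the matching
// private key. Chain keys alone cannot produce that signature.
func signChallenge(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, append([]byte("reverify:"), nonce...))
}
func verifyChallenge(pub ed25519.PublicKey, nonce, sig []byte) bool {
	return ed25519.Verify(pub, append([]byte("reverify:"), nonce...), sig)
}

// demoReverify returns (genuineBobPasses, attackerPasses): the attacker holds the whole
// chain state and a key pair of her own, but not Bob's long-term private key.
func demoReverify() (bool, bool) {
	bobPub, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attPriv, _ := ed25519.GenerateKey(rand.Reader)
	nonce := make([]byte, 16) // fresh per challenge, so an old answer cannot be replayed
	rand.Read(nonce)
	return verifyChallenge(bobPub, nonce, signChallenge(bobPriv, nonce)),
		verifyChallenge(bobPub, nonce, signChallenge(attPriv, nonce))
}
```

With four messages and the chain key captured after the second, `demoForwardSecrecy` reports the first two as unreadable and the last two as readable: the one-way chain protects what was sent before the capture, and nothing after it, without the eavesdropper having to relay or impersonate anyone. Two caveats for reading the result. First, a real Double Ratchet also performs DH ratchet steps, so a passive snapshot stops working at the next such step unless the attacker stays actively in the middle, which is the situation the comment is describing. Second, `demoReverify` only helps if Alice's copy of Bob's long-term public key came from somewhere the attacker could not tamper with (the out-of-band fingerprint comparison); an attacker who was in the middle from the start could have substituted her own long-term key along with the short-term ones, and would then pass the challenge.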