by logjammin 2265 days ago
I've been using Wire [1] for years on desktop in large part because of their E2E claims; I wanted something simple and secure that worked relatively fluidly for video calls. I've had mostly pleasant experiences with it, and with many calls I'm surprised by the video quality. I've never tried their mobile app, but they've got one and it looks nice, aesthetically. Main drawback has really been that few people I know use it and I've had to cajole people into doing so a little bit, which stinks.

But I'm not a cryptographer and am unable to verify the company's security claims. For all I know it's got zero encryption whatsoever. Are there people on HN who feel qualified to comment? Has anyone used Wire before?

[1] https://wire.com/en/

6 comments

> I'm not a cryptographer and am unable to verify the company's security claims. For all I know it's got zero encryption whatsoever. Are there people on HN who feel qualified to comment? Has anyone used Wire before?

That's why they have independent security audits, see the reports near the bottom of https://wire.com/en/security (I know the people that performed the audit). A few things are new since 2018 but nothing conceptually changed, so as far as I know the audits are still quite current.

I work for a security firm, so we speak of unpatched vulnerabilities at our customers on a daily basis, and use Wire as our main communication system for that and other things.

Their default voice call setting is vbr. That is beyond dumb for something that claims security.

For those not in the know, how is vbr dumb?

Leaks information about the voice stream. It's not inconceivable that a well trained algorithm could recover sentences from the transmission pattern, although I don't know for sure if it could do quite that well.

For example eavesdroppers know who is speaking at the moment among other nasty issues.

If they actually cared about offering a secure product that would be enough all on its own.

Compare, over in the SSH discussion, IdentitiesOnly, a feature that avoids the relatively smaller leak of potentially allowing an adversary to correlate your identity if you voluntarily connect to their server.
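
The leak described in the VBR comments above, as an added example (not part of the thread and not Wire's code): encryption preserves frame length, so an observer who sees only ciphertext sizes can tell speech from silence under VBR, while frames padded to one size give nothing to separate. The frame sizes, tag overhead and talk pattern are constructed assumptions, not measurements from any codec or app.

```python
import random

TAG_LEN = 16          # assumed fixed authentication-tag overhead per frame
PADDED_FRAME = 120    # assumed constant payload size for the padded (CBR-like) stream

# Constructed talk pattern, one entry per 20 ms frame: True = speech, False = silence.
TALK = [True] * 30 + [False] * 20 + [True] * 10 + [False] * 40


def vbr_payload_len(speaking, rng):
    """Constructed VBR sizes: speech frames are large, silence frames small."""
    return rng.randint(80, 120) if speaking else rng.randint(8, 20)


def ciphertext_lengths(talk, padded, seed=0):
    """Lengths a passive observer sees on the wire for each encrypted frame."""
    rng = random.Random(seed)
    out = []
    for speaking in talk:
        payload = vbr_payload_len(speaking, rng)
        if padded:
            payload = PADDED_FRAME      # pad every frame up to one size
        out.append(payload + TAG_LEN)   # encryption adds a constant, hides nothing about size
    return out


def observer_accuracy(lengths, talk):
    """Observer guesses 'speech' when a frame is longer than the midpoint size."""
    threshold = (min(lengths) + max(lengths)) / 2
    guesses = [n > threshold for n in lengths]
    hits = sum(g == t for g, t in zip(guesses, talk))
    return hits / len(talk)


def compare():
    """Return (accuracy against VBR stream, accuracy against padded stream)."""
    vbr = observer_accuracy(ciphertext_lengths(TALK, padded=False), TALK)
    fixed = observer_accuracy(ciphertext_lengths(TALK, padded=True), TALK)
    return vbr, fixed


if __name__ == "__main__":
    vbr, fixed = compare()
    print(f"VBR: observer labels {vbr:.0%} of frames correctly")
    print(f"Padded: {fixed:.0%}, the same as always guessing silence")
```
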

How is this explanation not adequate though? https://medium.com/@wireapp/we-do-use-variable-bit-rate-vbr-...

There's also the possible chance that AES is cracked without us knowing.

"Cracking AES" and recovering meaningful information from a VBR stream are very, very different things.
> Main drawback has really been that few people I know use it and I've had to cajole people into doing so a little bit, which stinks.

I find it fascinating how committed everyone now is to Zoom when, at least in my circle, almost nobody had used it before two weeks ago. At that point, everyone installed it as soon as the first meeting came up, and besides the ten minutes of everyone figuring it out it was plain sailing.

It's incredible to me that something everyone did without a thought two weeks ago (installing a new chat application) is now enough of a burden to not bother with. Highlights strikingly the value of being the first mover (or first adopted, as the case may be).

> I find it fascinating how committed everyone now is to Zoom when, at least in my circle, almost nobody had used it before two weeks ago.

Anecdotally, almost every startup/VC/etc. in my circle has been using Zoom for the past 2+ years (Paris and London). So there was probably a seed ready to take root not far from you. I've had the occasional Hangouts, and the rare WebEx or Teams meeting with some larger orgs, but that's it. I haven't even logged in to Skype in that time period.

Even my parents have been able to use zoom seamlessly from their phones. I think it helps that you don't even have to login or have an account if it's always someone else creating the meetings.

Zoom was not the first mover in chat/video apps, far from it. But over the past few years, it has overtaken all the other, older ones for the early adopters in the technology adoption cycle, at least in my anecdotal experience. The last few weeks have accelerated the mass adoption that could have taken much longer or never happened to an instant.

I'm sure, I gathered from the uptake that it wasn't new. My point wasn't about being a first mover (although I compared to that), but about being the first to be taken up. How people's attitudes towards that initial hurdle of getting a system set up change extremely quickly.

It was easy to convince everyone to install Zoom two weeks ago, now I don't believe I could convince them to install anything else to replace it.

While Zoom may have overtaken others over a couple of years due to being a better system or what have you, that had no impact on my friends and colleagues who hadn't used it or others to come to an informed opinion on the matter.

At my company we've used for a few years each: Hangout, Bluejeans, and Zoom. We got acquired so now we're also using Skype and Teams alongside Zoom. Zoom didn't really invent anything groundbreaking, they did the same thing but with a better execution, it's more pleasant to use.

Similarly, we used Hipchat before Slack, and now we have Teams and Slack. Slack serves the same purpose, but it's more pleasant to use than the other two.

Neither Slack nor Zoom were groundbreaking products, and they had significant competition. They both do the same thing as their competitors, and you could argue the difference isn't crazy, but the user experience improvements are enough to justify switching products.

I guess I'm just confirming that I had a similar experience to yours.

You can use Zoom with a browser though, which means you might not have to install anything.

In practice it has never worked for me in the browser (on Debian), but I guess it does for most people.

Anecdotal. But I've only ever heard from people that zoom web did not work. Everyone I've asked told me the same: 'no it did not work, but then I installed it, and it did work'.

Apparently their network effect is so big now, that people use it, despite it not working on first encounter.

I use Zoom on Kubuntu when needed for work, and I always use the web version as I refuse to install the app. It has worked well with Chromium and Brave. Firefox doesn't work well if at all for video chat.

Funny, had to use Zoom recently because of some clients who insisted on using it, and I had to install software (OS X), it didn't work in the browser or I didn't find the switch.

https://github.com/arkadiyt/zoom-redirector Zoom Redirector is a browser extension that transparently redirects any meeting links to use Zoom's browser based web client.

As seen in [0], it just changes the URL. This can be done with the Redirector [1] addon, which is generic and can help with similar problems for other webpages (Twitter -> Nitter; Youtube -> Invidious; www.reddit.com -> old.reddit.com). I wish there was a way to make and see user-made rules.

[0] https://addons.cdn.mozilla.net/user-media/previews/thumbs/23...

[1] https://addons.mozilla.org/en-US/firefox/addon/redirector/

On a side note, Debian's Chromium is modified to be libre (or close to that) and Firefox is in the ESR version.

MS Teams did also not work for me on Debian, up until I bit the bullet and grabbed the Chrome .deb.

I hate it but it works flawlessly

I've used a few video conferencing packages and Zoom just works, and works well. No quality issues or dropouts, Linux isn't treated as a second-class citizen.

A quick look over the source code shows that they do not use an SFU - as such they will LIKELY be full mesh p2p, and therefore e2e encrypted by default - I don't have the time to verify this, but I understand they are audited for this kind of thing.

The downside to this architecture is that it is not very scalable (i.e. limited participants in a room). There are some ways around this using a lot of signalling between peers to throttle feeds, but you will still always be "uploading" a stream per peer.

Dynamic super-peers worked for (old) Skype didn't it?

I'm not sure how much relaying Skype supernodes did, but as Skype wasn't WebRTC-based they would have more control over stream encryption - allowing routing of encrypted streams for true e2e encryption.

For small WebRTC conferences, treating certain peers as an SFU can certainly work. However, bandwidth requirements would be substantially higher than full-mesh for the supernodes, and equivalent to SFU peers for non supernodes - so supernodes would need to be chosen wisely (and you would still be very limited on number of participants - then you are entering the realms of peering supernodes and intelligent routing of streams). Additionally, this still wouldn't be e2e encrypted. It's just a (current) limitation of WebRTC.

A couple months ago I tried Wire and it commonly delivered notifications several hours late. I had the same issue on Signal. With such a limitation it was useless for me.

No problem on Messenger, Hangouts, Whatsapp and Zello.

Now I would like to have a private communication via Zerotier channel, but only with my wife and close family.

EDIT: I'm not here to discourage. I should have clarified, that I wonder what could be wrong. It was a problem on Android between me and my wife's phones.

I don't have that issue on Android, iOS, or in Chromium on Linux, and the people I chat with on Wire don't have that either. I wouldn't discourage others from trying what I think is the most secure, open and featureful platform currently out there.

(Matrix and Telegram don't have encryption on by default nor do video calling, WhatsApp isn't open in any way whatsoever, Signal doesn't do video calls afaik and requires a phone number and still wants me to unfirewall Google Services on Android... those are the main contenders I know of and Wire has advantages over them all, sometimes few and sometimes many, at least in terms of security. My main issue is just that Wire is sluggish to the point where I don't expect many people will want to use it.)

Matrix provides video calls.

> Signal doesn't do video calls afaik

False. https://support.signal.org/hc/en-us/articles/360007060492-Vo...

> and requires a phone number

Like every other service, but they have plans for alternative methods.

> and still wants me to unfirewall Google Services on Android

False. https://signal.org/android/apk/

> Like every other service

False? E.g. not Wire or Matrix.

> False

After people kept bugging them (Moxie initially told me to get lost when I first opened a ticket about it), they implemented some form of fallback for GCM, and I happily tried it but it doesn't work for me. My guess is that it uses Google services when they're installed, and I didn't uninstall them because that would break a lot of other apps, but I did firewall it off. So this means that it doesn't work without Google Services on my phone and that it leaks some metadata to Google for almost everyone. I wouldn't say it's false to say that it still wants me to unfirewall GOOGLE. The apk I can get through Aurora store, that's not necessarily the issue (though the alternative distribution method of the official website is definitely a plus!).

Sorry about not knowing that they have video calls now, that's nice to hear. Does it also do group calls like Wire? The article doesn't say and while I'd love to try...

Unfortunately no group calls yet.

Honestly, for most use cases e2e video does not really seem necessary. I am a big privacy advocate but I'd recommend a FOSS like Jitsi anytime over a private tool like Wire.

Wire is open source. It'd be a pain to self-host, but it's doable. And at the very least, you can verify that your client is indeed using E2E encryption and therefore trusting the server isn't necessary.

https://github.com/wireapp

the audio on wire is great, too. I agree adoption has been slow.

> But I'm not a cryptographer and am unable to verify the company's security claims.

wire has been independently audited (protocol and application):

https://medium.com/@wireapp/wire-application-level-security-...