by Aachen 2266 days ago
> I'm not a cryptographer and am unable to verify the company's security claims. For all I know it's got zero encryption whatsoever. Are there people on HN who feel qualified to comment? Has anyone used Wire before?

That's why they have independent security audits, see the reports near the bottom of https://wire.com/en/security (I know the people that performed the audit). A few things are new since 2018 but nothing conceptually changed, so as far as I know the audits are still quite current.

I work for a security firm, so we speak of unpatched vulnerabilities at our customers on a daily basis, and use Wire as our main communication system for that and other things.


Their default voice call setting is VBR. That is beyond dumb for something that claims security.
For those not in the know, how is VBR dumb?
Leaks information about the voice stream. It's not inconceivable that a well trained algorithm could recover sentences from the transmission pattern, although I don't know for sure if it could do quite that well.
For example eavesdroppers know who is speaking at the moment among other nasty issues.
If they actually cared about offering a secure product that would be enough all on its own.

Compare, over in the SSH discussion, IdentitiesOnly, a feature that avoids the relatively smaller leak of potentially allowing an adversary to correlate your identity if you voluntarily connect to their server.

How is this explanation not adequate though? https://medium.com/@wireapp/we-do-use-variable-bit-rate-vbr-...

There's also the possible chance that AES is cracked without us knowing.

"Cracking AES" and recovering meaningful information from a VBR stream are very, very different things.
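
Added example, not part of the thread and not Wire's code: a small Python model of the point discussed above, that encrypting VBR frames leaves their lengths visible, and that padding every frame to one size removes that signal at a bandwidth cost. The frame sizes, the 16-byte per-packet overhead and all function names are constructed assumptions, not measurements of any real codec or product.

```python
# Constructed sample: plaintext sizes (bytes) of consecutive VBR codec frames.
# Small frames model silence, large frames model active speech.
SILENCE = [12, 11, 13, 12, 10]
SPEECH = [78, 95, 64, 102, 88]
FRAMES = SILENCE + SPEECH + SILENCE + SPEECH

AEAD_OVERHEAD = 16  # assumption: cipher preserves length and adds a fixed tag


def wire_lengths(frames, pad_to=None):
    """Return the ciphertext length visible on the wire for each frame.

    With pad_to set, every frame is padded to that size before encryption.
    """
    lengths = []
    for size in frames:
        if pad_to is not None:
            if size > pad_to:
                raise ValueError("frame larger than padding target")
            size = pad_to
        lengths.append(size + AEAD_OVERHEAD)
    return lengths


def activity_visible(lengths):
    """Model what packet lengths alone reveal about talk spurts.

    Returns one boolean per packet (True = looks like speech), or None when
    all packets have the same length and nothing can be told apart.
    """
    lo, hi = min(lengths), max(lengths)
    if lo == hi:
        return None
    midpoint = (lo + hi) / 2
    return [length > midpoint for length in lengths]


def padding_cost(frames, pad_to):
    """Bytes on the wire with padding divided by bytes without it."""
    return sum(wire_lengths(frames, pad_to)) / sum(wire_lengths(frames))


if __name__ == "__main__":
    target = max(FRAMES)
    print("VBR, unpadded:", activity_visible(wire_lengths(FRAMES)))
    print("padded to", target, ":", activity_visible(wire_lengths(FRAMES, target)))
    print("bandwidth factor:", round(padding_cost(FRAMES, target), 2))
```
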