by schabernakk 4573 days ago
I am really looking forward to TextSecure for iOS. I hope I am wrong on this one, but from the text on their website, Heml.is doesn't seem to be too eager to open source their code after release.

I don't know any details about Whisper Systems (except that Moxie Marlinspike is with them), but I sure do hope they can provide a well-designed, cross-platform messaging app that is completely open source (which I don't think exists yet).


On Hemlis's front page:

"We have all intentions of opening up the source as much as possible for scrutiny and help! What we really want people to understand however, is that Open Source in itself does not guarantee any privacy or safety. It sure helps with transparency, but technology by itself is not enough."

They have no intention of releasing the source code. Use https://www.surespot.me/ instead, it does the same stuff, already exists, and is released under the GPL (v3).

Surespot depends on a bunch of Google Play services and is officially distributed on Google Play. Is there a way to install a pre-compiled Surespot APK outside of Google Play for those who don't install proprietary Google code on their phone? I noticed that the open-source Android APK repository F-Droid can't distribute it for this reason: https://f-droid.org/forums/topic/surespot-encrypted-messagin...

(Side note: Moxie prohibits TextSecure on F-Droid as there is no forced auto-update like on Google Play. I currently have to download and compile the TextSecure source code myself, which is no biggie, but as a CM user, I'm definitely excited about this integration!)

Sounds like a trap to me, not having the source code. Maybe it works for now, but as for investing trust as things are now, I'd rather go with an open-source client.

Trust must be earned. So far they brag about the way they made the tech work with a patched version of Android - they don't really put forth anything that will give them credibility as a very secure protocol.

Claims without proof are just that.

The track record of open source cryptography is bad.

The track record of closed source cryptography is worse.

cough cryptocat cough

The cryptocat issue can be viewed sideways:

* Open source applications are bad, see what happened to cryptocat?

* Open source is awesome! Look what happened to cryptocat!

If cryptocat was closed-source... would it ever be noticed? I wonder...

For example?

There are claims that Crypto AG products used to leak keys in ciphertext, at the request of the NSA:

http://www.hermetic.ch/crypto/kalliste/speccoll.htm

I stifled the urge to say the same thing, but then realized that I'd lose the evening to defining what "mainstream" meant, after people dredged up random examples of snake oil from Schneier blog posts; not to mention the inevitable rehashing of the "beware custom algorithms and 390244 bit keys" thread, which is going to have to happen now because bringing up crypto truisms from the late-90s makes people feel smart.

Please explain for those of us who are not good enough in the field (I'm genuinely asking).

I was under the impression that software like GnuPG and OpenSSL could be considered safe, so seeing a security professional warning about a negative track record of open source cryptography is worrisome.

What exactly should we be careful of when it comes to open source cryptography?

Not all open source code is broken; just a lot of it is. I think tptacek is trying to say that open source vs closed source is a mediocre predictor of the quality of a cryptosystem :)

OpenSSL

You'd be making a pretty big mistake to opt for something that hadn't been vetted, over TextSecure, simply because of the availability of source code.

Personally, I've used both, but settled on SureSpot for the moment. SureSpot uses data exclusively, which is cheaper than SMS for me. Although I understand that TextSecure now has (or will be getting soon) a data channel. So I'll definitely take another look.

Moxie has proven himself to be more than capable of building such a system, but the author of SureSpot seems more than competent too. See the section titled "Technical Overview" on:

https://www.surespot.me/documents/how_surespot_works.html

Interesting fact: TextSecure wasn't made open source until it was bought by Twitter: https://dev.twitter.com/blog/whispers-are-true - IIRC, prior to this the website claimed it was open source, but offered no way of getting the source, and if you asked for it, you would find out it was only given to trusted third parties to perform security reviews.