Hacker News new | ask | show | jobs
by kaeporan 4459 days ago
Hmm. Cryptocat was actually the first ever OTF project. I believe they've always asked for the publication of audits.

What I'm curious about is, why don't other projects such as TextSecure publish their audits as well? I'd certainly appreciate Moxie answering this question.

The OTF blog post certainly makes good points for this to happen. I also personally believe that this reticence to publish audits is damaging to the opportunity for the honest evaluation of encryption software and the establishment of a realistic perception of encryption software. It also misleads users.
1 comments
fit2rule 4459 days ago
>What I'm curious about is, why don't other projects such as TextSecure publish their audits as well?

Its embarrassing, duh.

link
tptacek 4458 days ago
For who, TextSecure or the auditors? Both are possibilities, one slightly more likely than the other. Auditors hate having reports published with no major findings.
link
kaeporan 4458 days ago
Why isn't Moxie replying? Publishing an audit, with or without vulnerabilities, surely is beneficial to TextSecure. I don't understand their reticence to publish audits. We know OTF has commissioned at least two audits for them, but not a word has been heard about them.

In fact, OTF has actually complained about their projects choosing not to publish audits: https://www.opentechfund.org/article/bringing-openness-secur...

link
tptacek 4458 days ago
This is the sixth time you've "asked" in this thread about TextSecure's audit. Cryptocat has literally never implemented a crypto feature of any sort, from random number generation all the way through user authentication, without some terrible vulnerability. TextSecure, on the other hand, is the subject of a total of zero published crypto vulnerabilities.

Whatever Moxie's reasons for not having published their audit, I'm sure they're valid. Either way, no amount of innuendo about TextSecure is going to change the ground truth about your own project.

There might be no person on the Internet more poorly positioned to cast aspersions on other people's projects than you. Please stop.

link
kaeporan 4458 days ago
To be clear, I'm not trying to cast aspersions. As I've already stated, TextSecure is a great project that I strongly recommend.

I'm trying to have a serious discussion regarding transparency of audits. I feel your reaction is overly aggressive and not genuinely constructive.

link