[kaeporan]

I think TextSecure is an excellent and inspiring project. All I'm trying to do is identify an area of concern for me. I'm not sure why you're attacking me personally here. I think my initial point of concern stands and I hope the TextSecure developers will work on addressing it.

And yes — I believe my work on Cryptocat does grant me some helpful perspective on the kind of issues faced in group chat. I'm more than happy try my best to offer some insight to other great open source projects. If I wanted to sneakily hide that I work on another encrypted messaging project (why would I? Open source projects discuss issues with one another all the time) it would have been simple for me to create another username.

[tptacek]

I'm not attacking you personally. I object to the fact that you didn't lead with the fact that you compete with TextSecure. As for your tone regarding the TextSecure project, here are all your messages regarding TextSecure:

https://hn.algolia.com/?q=author%3Akaeporan#!/comment/foreve...

I am, however, happy to attack your project, Cryptocat, which I believe to be incompetently interviewed, debugged into existence, and dangerous to its users.

Finally, you still haven't responded to my comment upthread.

[kaeporan]

I'm sorry, but I don't think your approach to this discussion is constructive. I hope TextSecure developers address my initial concern, and that's all for me.

[tptacek]

mpOTR sacrifices forward secrecy and provides transcript consistency with limited semantics, which has the side effect of making the "transcript integrity feature" trivial to implement, because the protocol supports only a silly version of it. mpOTR clients can't simply fix this with UI, because these are properties of the protocol.

The TextSecure protocol retains forward secrecy at the message layer and provides continuous transcript integrity. The TextSecure client hasn't worked out the UI for it, but the protocol supports it. TextSecure can provide continuous transcript integrity with a UI update --- something mpOTR clients can't do at all.

But here you are, sniping at TextSecure for lacking a UI feature that you've implemented a minimal and un-useful version of. Then, when called on it, you retreat to a position of "I'm inspired by TextSecure and am just trying to help". As if, after blogging about why transcript integrity is literally one of the reasons TextSecure doesn't use mpOTR, they were unaware of the importance of the feature.

mpOTR is a dead end. It's unfortunate you invested in it, but that is what it is.

[makomk]

It doesn't matter what kind of transport integrity the underlying protocol has if that integrity information isn't actually used. What's more, it's not just that they haven't got around to implementing UI for it, the problem is they can't figure out how to meaningfully expose that information in the UI - which, with consistency semantics this complicated, is actually the hardest part of the problem! They don't even really have the outline of a solution, let alone the transcript integrity you're claiming they have. Yet here you are treating their vapourware as though it provides more protection than something that actually exists.

[tptacek]

The UI for transcript consistency is absolutely not the hardest part of the problem. We are comparing an existing UI on top of a broken transcript consistency feature to a nonexistent UI on a functional, extant transcript consistency protocol. I am objecting to the notion that an extant UI built on a mound of sand somehow trumps a concrete foundation poured for a better UI.

This is apparently so much the case that Nadim has acknowledged jettisoning his existing protocol to come up with a new protocol that will support it.

You could disagree with me, but I don't think you can do so without acknowledging that the comment that introduced this issue to the thread was... let's say "not fully informative".

[kaeporan]

UI is absolutely a very difficult part of the problem, and here we see an example outlining this. Even a capable protocol still has problems if the UI fails to translate the capabilities into benefits and security increases for users. I speak from experience: Cryptocat has had some serious issues that were due simply to incomplete UI, the most recent of which was related to authentication.

Also, the reason for us moving to a new protocol has more to do with formal security proofs than being able to adopt new properties.

[kaeporan]

Thanks for agreeing to turn the discussion in a more constructive direction, Thomas.

I agree that mpOTR is a dead end. The initial paper by Goldberg et al describes a protocol that is bulky and largely undefined. I should mention that for those reasons, Cryptocat's group chat effort has been relabelled to "mpCat" instead of "mpOTR" — we're moving on to creating a protocol suitable for synchronous use-cases specifically (since TextSecure already has the asynchronous use-case figured out) without shouldering the bulkiness and obsolete nature delineated in mpOTR's original description. One of the things that is actually addressed better is transcript consistency: in mpCat, it will function on a level of reliability that is in fact continuous and not just occurs once per entire conversation.

We recently concluded mpCat's first review summit, and were very lucky to have the feedback of experts such as Trevor Perrin, Joseph Bonneau and Ximin Luo. We also invited members from TextSecure's team in order to help us understand the use-cases scenarios they have experience in. For what it's worth, the TextSecure members that were invited were seen as open source peers, and not as "competitors" as you put it. I should mention that TextSecure's research frequently came up while working on mpCat, and that they are contributing more to this field than most other projects. That's why I say they are inspiring.

[tptacek]

Despite the fact that you've fleshed your responses out from single sentences to whole paragraphs, there is still no technical content in this comment that addresses my comment. It appears that your response is "no, we don't properly do transcript consistency either, but we're working on it". But I had to read between the lines of your name-dropping comment to come to that conclusion.

An uninformed reader of your root comment on this thread would be surprised by that concession. Is my conclusion incorrect, or was your original comment deceptive? (Unintentionally, I'm sure.)

[kobeissl]

jesus christ fuck already

[kaeporan]

My original comment was simply to point out a current problem in this protocol design. There are some ways one can deploy to make it more difficult for Alice to send different messages to Bob and Carol without being detected, and they are deployed in Cryptocat (you're welcome to peruse the codebase and documentation.)

Just as a note, I'm sincerely discouraged from attempting to have an informative discussion with you by the fact that you keep assuming bad faith on my part, and generally responding in a needlessly rude and aggressive fashion. Consider that your general approach in this particular discussion might be why information security has a bad name as a poisonous field. If I don't reply to parts of your post, consider that it is because they are phrased in a way that assumes and implies a complete understanding, wrapped in aggression and the assumption of bad faith. I'm not here for that kind of discussion.