Oh, for sure Moxie has a threat model that makes sense to him, but I
dispute that it makes any sense in the real world. Google's certificate
system is TOFU, so whatever certificate Google pushes to a user's device
is what that device trusts updates from thenceforth. And, there's no
obvious way for an Android user to verify a certificate *even if they
were so inclined*. For my part, as an Android user with a knowledge of
and interest in crypto, I have *never* checked a signed APK. Ever.
So, if even the more technical end of Moxie's customer base don't check
APK signatures, and if most people simply take what Google Play offers
them, what's to stop Google pushing a malicious TextSecure? Nothing.
Nothing, at all, ever. And all the machinations and air-gaps Moxie and
co implement are meaningless, because the TOFU scheme makes Google the
root of all trust on the Google Play market.
If it were merely about certificates, Moxie would offer up-to-date APKs
through his own website and F-Droid repository, allowing him to have
utter control over timely updates without an intermediate trusted agent.
But he doesn't, and when I asked I finally got an answer: It's because
F-Droid doesn't offer metrics, debugging, and analytics. Essentially, he
wants Google Play so he can get silent feedback on what the Apps are
doing in the wild.
I don't object to this as long as it's opt-in for users, but I do object
that it's being presented as something (threat model) rather than
developer convenience. I love TextSecure, and I'm grateful to Moxie and
co for creating it. It lets me layer security on a legacy platform that
everyone uses in a way that's transparent and extremely user-friendly,
while offering security granularity for those so inclined (cert checks).
But the delivery is through an intermediary that are essentially a
public-facing wing of the NSA, and they have total control over the
trust/threat model for 95% of the user-base. So..I don't even.
On 13/11/14 17:51, Eric Mill wrote:
Moxie's laid out very clear reasons for why he uses Google Play and
discourages other people from building it. You may not agree with him,
but he at least has what I think is a coherent security model that he's
sticking to.
Really great discussion on it here:
https://github.com/whispersystems/textsecure/issues/53
https://github.com/whispersystems/textsecure/issues/127
Namely, he trusts apps signed with his signature (a process he manages
using his own airgapped system) and that's it. *You* may not hinge your
trust of the application on his signature, but he does, and he wants
ideally every TextSecure install to have it.
Both threads above are from before the CyanogenMod deal. To make that
happen, Moxie's team built a secure self-update path for the app, which
removed most of the barriers to requiring Google Play.
The other main barrier is push delivery, which right now uses Google
Cloud Messaging. High quality push delivery to a kabillion devices is
very hard, and not easy to replace. However, Moxie has encouraged people
to take advantage of the server's WebSockets support, and to build an
option for that into the client if they want to remove the last barrier
to Google support -- while warning that WebSockets delivery will not be
nearly as good as GCM-based delivery.
I was talking with a friend about this over the weekend, and I think
that the push that's happening for fully reproducible builds -- where
every build produces an identical binary with an identical hash -- would
resolve some of the issues Moxie has.
Then, Moxie can sign the hash of the binary, and others who build the
source code or get binaries from other places can verify that hash. That
still requires some tooling or verification UX, and for builds to be
reproducible by other people than Moxie, but it could make a difference.
-- Eric
On Thu, Nov 13, 2014 at 6:12 AM, Cathal Garvey wrote:
Nope, I haven't had to install Play for Textsecure at all, and I
don't use or have a personal Google account. When it offers to set
up data channel, just skip it, and TS reverts to encrypting over SMS
instead.
Redphone also has a "no google" mode where it announces incoming
calls to other RP users with a simultaneous SMS, but I've found it
to be very buggy in my builds; calls connect but no sound
transmitted, etc.
As far as "where to get it", here's a copy:
https://ngrok.com:61924/owncloud/public.php?service=files&t=264659e23e8733b528386eaa6f52d5ef
Cert is self-signed:
SHA1: 63:9B:E2:FA:D8:A9:66:DE:46:B7:E4:C2:18:47:73:04:C0:12:FE:1F
SHA256: CF:D2:82:0D:C8:65:CE:EB:2E:3F:36:EC:DA:9E:82:4E:2E:BD:51:19:6A:7E:11:65:50:40:57:9E:B8:79:8D:A2
This is an older build by now. Frankly I'm holding out for a JS
build of Textsecure and I'll probably try FFOS, then. FDroid and
Textsecure are my "killer apps" tying me to Android. I just wish
Moxie would let them play nice together.
On 12/11/14 23:13, Seth wrote:
On Wed, 12 Nov 2014 14:29:04 -0800, <[email protected]> wrote:
Where can TextSecure be downloaded?
Best workaround I've found so far if you want to download Google Play
APKs on your computer and then transfer them to your phone manually is
Raccoon:
http://www.onyxbits.de/raccoon
Requires Java along with a 'dummy' Google account, but gets the job done
with the least amount of hassle.
Unfortunately, it appears that TextSecure still requires the Google
Services framework to be installed and running on the Android device.
Haven't figured out yet how to do this manually without installing
Google Play.
Also, FWIW, you can (or at least you used to be able to) manually remove
a Google account from an Android phone without having to factory reset
the device.
http://www.sleetherz.com/android-news/how-to-change-gmail-account-on-android-market-without-factory-reset/2511/
--
konklone.com <https://konklone.com> | @konklone
<https://twitter.com/konklone>
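
Added example, not part of the original thread or of any project's code: a sketch of the verification tooling that Eric Mill's reproducible-builds point calls for. It assumes JAR-style APK signing, where the signer's files sit under META-INF, and compares a distributed APK with an independent rebuild entry by entry; the sample archives and all function names are constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

# Signature files differ per signer, so they are excluded before comparing
# a rebuilt APK with the distributed one (assumption: JAR-style signing).
SIGNING_ENTRY = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")

def content_digests(apk_bytes):
    """Map each non-signature entry to the SHA-256 of its uncompressed data."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return {i.filename: hashlib.sha256(z.read(i)).hexdigest()
                for i in z.infolist() if not SIGNING_ENTRY.match(i.filename)}

def compare_builds(reference, candidate):
    """Return (entry, reason) differences; an empty list means the builds match."""
    ref, cand = content_digests(reference), content_digests(candidate)
    diffs = []
    for name in sorted(ref.keys() | cand.keys()):
        if name not in cand:
            diffs.append((name, "missing from candidate"))
        elif name not in ref:
            diffs.append((name, "extra in candidate"))
        elif ref[name] != cand[name]:
            diffs.append((name, "content differs"))
    return diffs

def make_apk(entries):
    """Build a constructed in-memory ZIP standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample data: one signed release, one clean rebuild, one altered copy.
BASE = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex app code"}
SIG = {"META-INF/MANIFEST.MF": b"digests", "META-INF/CERT.SF": b"sf",
       "META-INF/CERT.RSA": b"\x30\x82"}
SIGNED = make_apk({**BASE, **SIG})
REBUILT = make_apk(BASE)
TAMPERED = make_apk({**BASE, **SIG, "classes.dex": b"dex other code"})

if __name__ == "__main__":
    print("rebuild :", compare_builds(SIGNED, REBUILT))
    print("tampered:", compare_builds(SIGNED, TAMPERED))
```

Comparing uncompressed entry contents rather than whole-file hashes keeps the check independent of ZIP timestamps and compression settings, which otherwise differ between builders even when the code is identical.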