Daniel Martí <[email protected]> [2015-05-14 19:40:51 +0200]:
On Thu, May 14, 2015 at 17:32:02 +0000, Jacob Appelbaum wrote:However WhatsApp isn't Free Software as far as I understand, which was the original point of my message. So even if WhatsApp is otherwise identical in usability and security claims, we'd have no way to verify that it was true without source code, reverse engineering or well, blind faith.I'll give you that TextSecure is partially free software, but IMHO that's as good as saying it's not. Even though the black box it contains may not make the crypto system and secure messaging less secure, I would still not call it free software.
It seems my original point was completely missed.Regardless of whether it is free software or not, TextSecure is not any better for the casual user than WhatsApp (which is available for Windows phones, Symbian, and Nokia S40 series (for Asha phones), and Telegram, which too is available for more platforms).
For me security is about knowing what your threats are, trade-offs, and trust. Importantly, I firmly believe security isn't a binary. Whether software is free or not determines how much one can trust is.
While I personally abhor WhatsApp for taking an open standard like XMPP and closing it up, I am in a minority in India: there is hardly any smartphone user with Internet connectivity here who doesn't use WhatsApp (indeed, WhatsApp is in some cases even a motivation to get Internet). Having a more widely available tool with encryption built-in (even if it is a blackbox with WhatsApp having the ability to silently turn off encryption) is better as a safeguard against mass surveillance, which is what the casual (predominantly Android) user would/might be concerned about (saying "is concerned about" is a stretch).
Why should we trust WhatsApp to actually encrypt end-to-end rather than just handing over the data wholesale to governments and advertisers? We shouldn't. But then again, we shouldn't be trusting Google Apps, we shouldn't be trusting iMessages, we shouldn't be trusting any such service. But millions of people do. Despite none of them being auditable free software.
Given these circumstances, why would I tell casual users to use TextSecure when most of the messages they get there (at least for the next few months) would be unencrypted SMSes and most of what they send using it are also unencrypted SMSes, and this behaviour too will change, unexpectedly, in a few months' time? Again, far more people in India use Telegram than use TextSecure, and Telegram is available across more platforms.
For the non-casual user, I see no void that TextSecure is filling any more that isn't already filled by a good XMPP client (more OSes are supported) with OTR — both TextSecure and XMPP have very few users. Having said that, I strongly feel that OWS's products are some of the best examples out there which show that usability and security *can* go hand-in-hand.
Just as a side note - SMS is just slightly better than GCM. There are nearly no good Free Software options that only uses open protocols over open and free networks.I actually heard SMS is worse, and that this is why Moxie dropped its support in TextSecure.
Again, for me this misses the point: we can't change the fact that billions of people using Android are sending SMSes each day. Why would we ignore that, say: "Stop using SMS: there are few free software implementations, and it leaks too", rather than say: "Here's software that marginally makes SMSes better, but do remember that SMSes still leak metadata; oh, also, it isn't as elegant as it could be since we have to expose "key exchange" and other such unsavoury details to you to make it work"?
-- Pranesh Prakash Policy Director, Centre for Internet and Society http://cis-india.org | tel:+91 80 40926283 sip:[email protected] | xmpp:[email protected] twitter:https://twitter.com/pranesh_prakash
signature.asc
Description: OpenPGP digital signature
_______________________________________________ List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev To unsubscribe, email: [email protected]
