Hi!

On Thu, Jul 11, 2013 at 1:32 PM, Andy Isaacson <[email protected]> wrote:
> Even if an attacker were to secretly compromise all of the Tor DAs and
> publish a malicious consensus, the break is only to anonymity, not to
> message privacy. (Granted, anonymity is a major selling point for Tor
> and that break would be a major problem, but it's still not as severe a
> break as the messaging app compromise.)
Why? If messages are encrypted client side (which is open source) and the server just stores them, then it is exactly the same as with Tor.

Who is saying that they will be running all the servers themselves? Maybe they will distribute them around different legal jurisdictions. They are just saying that you will not be able to deploy your own versions of it. Like you cannot deploy your own Tor DAs and get all the Tor clients to use them (automatically). (You can configure your client to use them, but there is no way that I can start running my own Tor DAs and all Tor clients deployed in the world will start using them as well. Why not? Don't you trust me? Wouldn't it be better to have more DAs? I can run them. Oh, I cannot? Tsk tsk tsk.)

Even if Tor DAs were developed as open source, how can we be assured that they are really running that open source code and not some compromised version of it?

I hear what you are saying. That open source is a good (must?) practice when developing security-sensitive servers. But it is far from enough. The system should work even when servers are compromised, because you cannot ever be sure what exactly is running on the servers. So if you cannot ever be sure what exactly is running on the servers, it can be closed source to begin with as well, no? And you just see it as another piece of untrusted code somewhere on the Internet.

>> And it does not
>> really matter if the code there is open source or not, because you
>> anyway cannot know if they are really running some particular code
>> there or not.
>
> Being closed source doesn't fix this problem, so how is that a useful
> response to the advice "never trust a closed source privacy app"?
Closed source does not fix the problem of nobody knowing what is really running on the server, but it allows for a traditional business model (I agree that there might be new ones which would work, but maybe they are just not yet known enough, or we might not even have thought them up yet; and different business models have different business risks associated with them). And because open source does not fix the problem of what is running on the server either, we might opt for the variation with a business model if this allows a high-quality and highly usable service. (Of course with closed source you lose the free software freedoms and you probably get into vendor lock-in, but if the client is open source, then you can still have access to your messages. Anyway, this is another topic.)

Mitar

--
http://mitar.tnode.com/
https://twitter.com/mitar_m
