On 26 April 2014 17:18, Shava Nerad <[email protected]> wrote:
> Anyone who is lauding the verifiability of open source security software had
> best show that their code has been regularly and thoroughly audited.
Open source, closed source - at this point I am pretty much universally disgusted by any project that uses the term 'end to end encryption' without bothering to answer the UNIVERSAL, OBVIOUS question of "How do I know I'm talking end-to-end to the right person?", "How is authenticity established?", "Can you replace my friend's keys?", however you want to phrase it.

You can only get authenticity through:

- Pre-Shared Secret shared confidentially*
- Fingerprints/Keys previously exchanged authenticated-but-not-confidentially
- 'Trusted' Third Party

If a mobile app claims end to end encryption, but doesn't do something like display fingerprints, require QR codes scanned in person, or ask a 'secret question' of you or your friend - they use a Trusted Third Party and thus are no more 'end to end encrypted' than Apple iMessage.

-tom

* There are a few variants of this, like recognizing your party's voice (ZRTP), SMP question/answer (OTR), prior key material (also ZRTP), etc.

--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
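The key-substitution attack the message above describes, as an added example that is not part of the original post or of any product it mentions: two users fetch each other's public key from a directory server (the 'Trusted' Third Party), run a Diffie-Hellman exchange, and either do or do not compare fingerprints over a channel the server does not control. The 1024-bit MODP group (RFC 2409 group 2), the directory classes, the `run_session` helper and the fingerprint layout are all assumptions made for illustration; real software should use a larger or elliptic-curve group and the fingerprint encoding its protocol specifies.

```python
# Added illustration: key distribution through a directory that may swap keys,
# checked with and without an out-of-band fingerprint comparison.
# Not code from the original post or any project it mentions.
import hashlib
import secrets

# 1024-bit MODP group 2 from RFC 2409. Large enough to illustrate the point;
# production code should use a 2048-bit+ group or an elliptic-curve group.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
KEY_BYTES = (P.bit_length() + 7) // 8  # 128 bytes


def keygen():
    """Return a (private, public) Diffie-Hellman key pair in the group above."""
    priv = secrets.randbelow(P - 3) + 2  # exponent in 2 .. P-2
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """Hash the raw DH result into a 32-byte session key."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(KEY_BYTES, "big")).digest()


def fingerprint(pub):
    """Human-comparable digest of a public key: 6 groups of 5 decimal digits.
    The layout is an assumption (similar in spirit to safety numbers); what
    matters is that both users derive it from the key they actually hold."""
    h = hashlib.sha256(pub.to_bytes(KEY_BYTES, "big")).digest()
    groups = [int.from_bytes(h[i:i + 5], "big") % 100000 for i in range(0, 30, 5)]
    return " ".join(f"{g:05d}" for g in groups)


class HonestDirectory:
    """Trusted third party that returns exactly the keys users registered."""

    def __init__(self):
        self.keys = {}

    def register(self, name, pub):
        self.keys[name] = pub

    def lookup(self, name):
        return self.keys[name]


class MaliciousDirectory(HonestDirectory):
    """Same API, but every lookup returns Mallory's key. The real keys stay
    registered, so Mallory can complete a DH exchange with each end and relay."""

    def __init__(self):
        super().__init__()
        self.mallory_priv, self.mallory_pub = keygen()

    def lookup(self, name):
        return self.mallory_pub


def run_session(directory, verify_out_of_band):
    """Alice and Bob fetch each other's key via `directory`; optionally compare
    fingerprints out of band first. Returns a dict describing the outcome."""
    alice_priv, alice_pub = keygen()
    bob_priv, bob_pub = keygen()
    directory.register("alice", alice_pub)
    directory.register("bob", bob_pub)

    # Each side learns the other's key only through the server.
    bob_as_seen_by_alice = directory.lookup("bob")
    alice_as_seen_by_bob = directory.lookup("alice")

    if verify_out_of_band:
        # Stands in for reading fingerprints to each other in person, by QR
        # scan or by voice: the comparison is against the key its owner holds.
        if (fingerprint(bob_as_seen_by_alice) != fingerprint(bob_pub)
                or fingerprint(alice_as_seen_by_bob) != fingerprint(alice_pub)):
            return {"status": "rejected", "reason": "fingerprint mismatch"}

    alice_secret = shared_secret(alice_priv, bob_as_seen_by_alice)
    bob_secret = shared_secret(bob_priv, alice_as_seen_by_bob)
    result = {"status": "accepted", "ends_agree": alice_secret == bob_secret}
    if isinstance(directory, MaliciousDirectory):
        m = directory.mallory_priv
        result["mallory_reads_alice"] = shared_secret(m, alice_pub) == alice_secret
        result["mallory_reads_bob"] = shared_secret(m, bob_pub) == bob_secret
    return result


if __name__ == "__main__":
    print(run_session(HonestDirectory(), verify_out_of_band=True))
    print(run_session(MaliciousDirectory(), verify_out_of_band=False))
    print(run_session(MaliciousDirectory(), verify_out_of_band=True))
```

With the honest directory the session is accepted and both ends hold the same key. With the malicious directory and no out-of-band check the session is still "accepted" from each user's point of view, yet Alice and Bob hold different keys and Mallory can derive both of them, which is exactly the point: without a check outside the server's control, the encryption ends at whoever the server says your friend is. The same run with the fingerprint comparison enabled is rejected before any session key is derived.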
