Adding a very interesting finding. I just looked at the new Skype source and found that it seems to deploy Signal protocol! This is an amazing development!

Screenshots: https://twitter.com/kaepora/status/930045153422860288

All the more reason to look into this!

Nadim
Sent from my computer

> On Nov 13, 2017, at 12:32 PM, Nadim Kobeissi <nadim@nadim.computer> wrote:
>
> Hello everyone,
>
> Skype was recently rewritten entirely. It is now based on Electron. This new
> Skype has been rolled out on all desktop platforms worldwide.
>
> When Cryptocat and Signal switched to Electron, the security of Electron
> itself became somewhat more important (more so when Signal switched, since,
> as everyone knows, Cryptocat is used exclusively by myself, my poodle and
> exactly one random person on Twitter.)
>
> But now that Skype has switched too, Electron is a much bigger deal: busting
> Electron = busting Skype, and getting a bunch of comparatively less important
> apps (including Signal, Cryptocat) for free.
>
> Guides exist that outline best-practice guidelines for writing Electron apps
> [0,1]. However, as of today and to the best of my knowledge, no real study
> exists in order to correctly understand the security that Electron can offer
> all these messaging apps we’ve used it to build.
>
> This is unsustainable.
>
> I propose that we assemble and create a task force, similar to the TrueCrypt
> Audit Project [2] that centers on Electron:
>
> 1. What security properties are we assuming?
> 2. How much code coverage do we have in order to verify that we’re
>    getting these properties?
> 3. What is the status of our source code review?
> 4. What is the status of our black box review, including fuzzing and
>    similar?
> 5. You get the drift. I think I’m being pretty predictable here.
>
> If there is interest, I’d be happy to work on putting together a team and
> combine our efforts [3] to set a work plan, get funding, etc. and get this
> done. Aside from Signal, I’d like to see Wire, Microsoft and others
> participate as well, based on skill level, ability to contribute and stake in
> better understanding Electron. Let’s:
>
> 1. Establish who’s doing what.
> 2. Set the hours we’re willing to commit to this. I’ll see if I can
>    determine compensation, based on whether we can funnel a small pot to pay for
>    the effort.
> 3. Establish work packages and deadlines.
> 4. Finalize findings in a report.
>
> The Open Crypto Audit Project [2], again, has already followed this approach
> to great success.
>
> Finally, a flourish of sincerity:
> In the past, the Signal team has reacted, always, towards anything I’ve ever
> proposed in what can accurately be termed “high-school shunning.” I’ve gotten
> really bored with this and I hope Moxie, Trevor and co. can find the time to
> formulate a response to this, at the very least, even if they can’t find the
> time to meaningfully participate.
>
> References:
> [0] https://www.blackhat.com/docs/us-17/thursday/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf
> [1] https://github.com/electron/electron/blob/master/docs/tutorial/security.md
> [2] https://opencryptoaudit.org/
> [3] https://www.youtube.com/watch?v=GyOMYC6mlsY
>
> Nadim
> Sent from my computer

_______________________________________________
Messaging mailing list
Messaging@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/messaging