WingNews logo WingNews
top | item 18229801

(no title)

vader1 | 7 years ago

Fair enough, but this is kind of inherent for anything based on open standards. Was your email encrypted? It depends on whether the sending and receiving mailserver support TLS. Is your website visit perfect-forward-secret? Depends on whether your browser and the webserver support modern cipher suites. Is your DNS request encrypted? Only if your OS and your DNS server support DNSSEC or DoH.

These are valid challenges, but moving to propietary and centralized solutions instead is throwing away the baby with the bathwater. Was your WhatsApp conversation encrypted? You honestly can't know, and even if it is right now, Facebook could disable Whatsapp's e2e encryption at any time without you even noticing.

FWIW, OMEMO has been the (only) de facto encryption mechanism for modern XMPP clients in the last couple of years, and most clients that support it clearly distinguish encrypted and non-encrypted messages.

discuss

order

lvh|7 years ago

How do I know my XMPP client is actually doing what it says? Are you saying the provenance for my XMPP client is fundamentally better than that of the WhatsApp app?

arendtio|7 years ago

Well, there are different ways. If you want to know what your client is sending and you use your own server, then your server might be able to show you what it receives. ejabberd for example, lets admins inspect the stored offline messages. That way it is very easy to see if a message is encrypted or not. But you could also run a MitM proxy.

Another option is trusting audits or the developers. Last but not least you can inspect the source code of open source apps. So I don't know how deep you want to go with this, but for XMPP there are plenty of options to make sure the client does what it advertises.

Btw. I do not think that OMEMO is fundamentally better than WhatsApp does, as they are implementing the same protocol (Double Ratchet). The main differences are that one is an experimental public standard while the other is a proprietary protocol extension.

seba_dos1|7 years ago

OMEMO and its implementation in Conversations has been security audited by an independent entity.

Other than that, sure, you have no guarantees, yet it's still desirable for such critical security components to be free, or at least "open source".

CiPHPerCoder|7 years ago

> Is your DNS request encrypted? Only if your OS and your DNS server support DNSSEC or DoH.

DNSSEC doesn't encrypt, it only signs.