top | item 7292682

(no title)

petsounds | 12 years ago

Whisper Systems' headquarters is located in San Francisco, according to http://en.wikipedia.org/wiki/Whisper_Systems

Doesn't that make them susceptible to a search warrant forcing them to give up the private keys (or equivalent) to TextSecure, ala Lavabit?

discuss

sigil|12 years ago

Yes it would make them susceptible...if, like Lavabit, they actually held private keys that secured your communications. They don't.

While I have the utmost admiration for Levison's stand, the fact that Lavabit held centralized private keys for its users was a very bad technical and security decision. Moxie has more about this here [1].

Now some may be wondering, what's to stop Whisper Systems from backdooring TextSecure by court order? In a word, this: [2]. The TextSecure client is open source. Not only can the community scan the source for something suspicious, but we can build and verify the binaries ourselves.

[1] http://www.thoughtcrime.org/blog/lavabit-critique/

[2] https://github.com/WhisperSystems/TextSecure/

georgemcbay|12 years ago

The fact that the app is open source is nice, but realistically speaking very few users will build their own copy from source over just downloading an existing binary from Google Play or the Apple App Store. Nothing (but garden variety trust in the source of the binaries) is stopping a situation where there is a clean open source version and then a version with a backdoor built into binaries submitted to the app stores.

And even if you are one of those paranoid users who builds from source, a backdoored central build could still impact you personally unless you're sure everyone you are messaging has also built their own from clean source.

Personally I wouldn't worry too much about this scenario playing out, but I don't see that the client being OSS really buys you much safety practically speaking.

abdullahkhalids|12 years ago

It would be really nice if WS moved to deterministic builds. Really helps with not everyone having to compile themselves (if somebody is checking the source).

unknown|12 years ago

[deleted]

danielsiders|12 years ago

I don't think they retain keys, but aren't all the messages (encrypted) routed through their servers, giving them access to metadata?

unknown|12 years ago

[deleted]

hershel|12 years ago

Yes, but they mentioned the option of letting people run their own servers.

privong|12 years ago

I'm pretty sure Whisper Systems never get any private keys, because the private keys are only stored on the end user devices.

jpollock|12 years ago

Legal intercept legislation would likely require them to patch customer systems to allow the reporting of the key.

Bob_Sheep|12 years ago

That is Whisper Systems, not Open Whisper Systems. They are different.

01Michael10|12 years ago

Wrong, Whisper Systems is Open Whisper Systems but whether they are still located in SF I don't know.