hhmx.de

nadja

· Federation EN Sat 01.03.2025 14:40:48

@scy that matrix is wrong. OMEMO does not implement PFS, and Conversations implements a very old variant of OMEMO that is still using SHA-1 and not even close to as secure as Threema

scy

Federation EN Sat 01.03.2025 14:47:18

@dequbed Guess I have some reading up to do. Thanks! ;) If you have any relevant links to throw at me, I'd appreciate it, but I think I'll also find my way around.

Maybe @joinjabber is interested in chiming in?

nadja

Federation EN Sat 01.03.2025 15:41:28

@scy I don't think I have any specific links to throw your way, even the OMEMO document doesn't claim PFS anymore.

Also, OpenPGP doesn't even attempt PFS, and for that and some additional reasons I'd rank it as even worse E2EE than OMEMO is. But then again, that ranking depends on what your threat model is.

Delta Chat

Federation EN Sat 01.03.2025 18:30:31

@scy @dequbed @joinjabber @sten @mxey
Delta Chat is used in, and designed for, people in repressive environments world-wide, and has some proven track record:

- a 2024 deep analysis of 's guaranteed end-to-end encryption mode from Applied Crypto Group at ETH Zuerich eprint.iacr.org/2024/918

- a 2024 security audit of @rpgp , the Rust-implemented engine github.com/rpgp/docs/blob/main

- FAQ entry on PFS delta.chat/en/help#pfs

- Six security audits overall chaos.social/@delta/1139637079

mxey

Federation EN Sat 01.03.2025 20:40:07

@delta “six security audits overall” but the one you link to says “Yet, the security of its protocols has not been studied to date.”. Claiming you had 6 security audits in total, when 5 of them apparently didn’t look at your protocol, in a conversation about the security of the protocol, is misleading at best.

Delta Chat

Federation EN Sat 01.03.2025 20:43:16

@mxey good question. Research studies are actually a different thing than security audits. So more precisely we would need to say "five security audits and one research study" and the research study is referring to the relative lack of research studies, not security audits (we don't know of any messenger that has more published security audits than ours btw).

l

Federation EN Sun 02.03.2025 00:48:07

@delta
Wire lists a lot of audits, but has not published them AFAIK:
wire.com/en/security

WhatsApp might actually have a lot of published audits, e.g. nccgroup.com/us/research-blog/, but you need to search for them.