hhmx.de

scy

Federation EN Sat 01.03.2025 14:34:23

@dequbed messenger-matrix.de/ would disagree. Or do you have some strong arguments against OMEMO?

And Delta Chat is using OpenPGP, which would also qualify as "worthwhile E2E encryption" in my book.

nadja

Federation EN Sat 01.03.2025 14:40:48

@scy that matrix is wrong. OMEMO does not implement PFS, and Conversations implements a very old variant of OMEMO that is still using SHA-1 and is not even close to as secure as Threema

scy

Federation EN Sat 01.03.2025 14:47:18

@dequbed Guess I have some reading up to do. Thanks! ;) If you have any relevant links to throw at me, I'd appreciate it, but I think I'll also find my way around.

Maybe @joinjabber is interested in chiming in?

nadja

Federation EN Sat 01.03.2025 15:41:28

@scy I don't think I have any specific links to throw your way, even the OMEMO document doesn't claim PFS anymore.

Also, OpenPGP doesn't even attempt PFS, and for that and some additional reasons I'd rank it as even worse E2EE than OMEMO is. But then again, that ranking depends on what your threat model is.

Delta Chat

Federation EN Sat 01.03.2025 18:30:31

@scy @dequbed @joinjabber @sten @mxey
Delta Chat is used in, and designed for, people in repressive environments world-wide, and has some proven track record:

- a 2024 deep analysis of 's guaranteed end-to-end encryption mode from Applied Crypto Group at ETH Zuerich eprint.iacr.org/2024/918

- a 2024 security audit of @rpgp , the Rust-implemented engine github.com/rpgp/docs/blob/main

- FAQ entry on PFS delta.chat/en/help#pfs

- Six security audits overall chaos.social/@delta/1139637079

mxey

Federation EN Sat 01.03.2025 20:40:07

@delta “six security audits overall” but the one you link to says “Yet, the security of its protocols has not been studied to date.”. Claiming you had 6 security audits in total, when 5 of them apparently didn’t look at your protocol, in a conversation about the security of the protocol, is misleading at best.

Delta Chat

Federation EN Sat 01.03.2025 20:43:16

@mxey good question. Research studies are actually a different thing than security audits. So more precisely we would need to say "five security audits and one research study" and the research study is referring to the relative lack of research studies, not security audits (we don't know of any messenger that has more published security audits than ours btw).

l

Federation EN Sun 02.03.2025 00:48:07

@delta
Wire lists a lot of audits, but has not published them AFAIK:
wire.com/en/security

WhatsApp might actually have a lot of published audits, e.g. nccgroup.com/us/research-blog/, but you need to search for them.

mxey

Federation EN Sat 01.03.2025 15:36:14

@scy I wouldn’t categorize OpenPGP as worthwhile crypto latacora.com/blog/2019/07/16/t

It’s nowhere close to what Signal does

Stephan Neuhaus

Federation EN Sat 01.03.2025 16:47:53

@mxey @scy I was about to write just about the same. I'm sure that PGP (any variety) *can* be used securely, but it's just too damn hard.

The "packet" format is so useless that you could have sign-then-encrypt or encrypt-then-sign and never know which.

When last I looked (which is admittedly some time ago), PGP still supported many many now dangerously obsolete algorithms. I understand why they do that, but it's certainly not an endorsement to use it as the crypto layer for a new messenger.

mxey

Federation EN Sat 01.03.2025 17:16:47

@sten @scy PGP also by design cannot have perfect forward secrecy

Stephan Neuhaus

Federation EN Sat 01.03.2025 17:44:05

@mxey @scy PGP has so many options that I'm loath to support this statement with any kind of confidence. But in its normal use case (some hybrid encryption scheme that uses both sides' long-lived keys), that's certainly true.