Threema broken
January 12, 2023 7:12 AM

Seven vulnerabilities in Threema found by Kenneth Paterson, Matteo Scarlata, and Kien Tuong Truong at ETH Zurich, including "a cross-protocol attack which breaks authentication in Threema and which exploits the lack of proper key separation between different subprotocols" and "a compression-based side-channel attack that recovers users’ long-term private keys through observation of the size of Threema encrypted backups".

Threema has already deployed a new protocol with the advice of, and during a disclosure period granted by, the researchers. Also some minor drama started by Threema.
posted by jeffburdges (20 comments total) 4 users marked this as a favorite
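The first quoted finding is about key separation between subprotocols. As an added illustration (not Threema's code, not the paper's attack, and with constructed subprotocol names and a constructed shared secret), the check below shows why one long-term key reused by two subprotocols lets an authenticator from one be accepted by the other, and how deriving a labelled key per subprotocol (HKDF-Expand, RFC 5869) closes that off:

```python
import hashlib
import hmac

# Constructed shared secret standing in for a long-term agreed key (not a real key).
SHARED_SECRET = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-Expand over SHA-256. The extract step is omitted because
    the input is assumed to be uniformly random already."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def tag(key: bytes, msg: bytes) -> bytes:
    """Message authenticator used by both hypothetical subprotocols."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def keys_without_separation() -> dict:
    """Vulnerable shape: every subprotocol authenticates under the same key."""
    return {"chat": SHARED_SECRET, "sync": SHARED_SECRET}


def keys_with_separation() -> dict:
    """Hardened shape: each subprotocol gets its own key, bound to a distinct
    domain-separation label (label prefix is a constructed example)."""
    return {name: hkdf_expand(SHARED_SECRET, b"example-app/" + name.encode())
            for name in ("chat", "sync")}


def cross_protocol_tag_accepted(keys: dict, msg: bytes) -> bool:
    """Self-check: would a tag computed in the 'sync' subprotocol pass the
    'chat' subprotocol's verifier? True means the two contexts are confusable."""
    from_sync = tag(keys["sync"], msg)
    expected_by_chat = tag(keys["chat"], msg)
    return hmac.compare_digest(from_sync, expected_by_chat)


if __name__ == "__main__":
    m = b"constructed message"
    print("shared key, tag confusable:", cross_protocol_tag_accepted(keys_without_separation(), m))
    print("separated keys, tag confusable:", cross_protocol_tag_accepted(keys_with_separation(), m))
```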
(Threema is apparently a paid-for IM service, in case anyone else was wondering what this is about - wikipedia link)
posted by Dysk at 7:23 AM on January 12, 2023 [27 favorites]


Yep. Whenever I hear a tech-bro developer type who’s under 35 talk confidently and authoritatively about the security of their fancy new and unproven-by-time-and-failure app/tool/system, it’s a hard pass. “We’ve never been p0wn3d, it’s secure” says everything you need to know.

Great post.
posted by armoir from antproof case at 7:47 AM on January 12, 2023 [5 favorites]


Damn, I thought this post was going to be about another crypto scam.
posted by slogger at 7:59 AM on January 12, 2023 [4 favorites]


On one hand: don't roll your own protocols has always been sound advice.

On the other: (not defending any specific tech here) key management, continuity of ownership, backups as an ever growing attack surface, and truly revokable access aren't exactly protocol problems in that they exist between ideals and how humans want to operate in a communication ecosystem. Add in the (intentionally) sometimes-connected nature of mobile devices and the actually-kinda-dire situation for authoritative certs versus man-in-the-middle and software supply chain attacks and it's an understatement to say it's not that simple.

Mix in the profit motive and nation-state discomfort with truly strong end to end security and demonization of proponents of same and it's hard out there for messaging. This is in part why we have either nominally open standards with edge friction or totally walled gardens with social toxicity about those not on the inside.
posted by abulafa at 8:07 AM on January 12, 2023 [8 favorites]


I also had not heard of this chat app until now, but instead of a crypto scam my mind went to skooma
posted by shenkerism at 8:07 AM on January 12, 2023 [2 favorites]


The difficulty of designing secure cryptographic protocols was well understood even before SSL was invented. In grad school in the early 80’s I attended a lecture series by Jeffrey Lagarias titled, iirc, How to Steal a Library Book, illustrating dozens of unobvious ways to evade security measures. The lesson being that even with secure underlying cryptography, the protocols using it offer many surprising points of vulnerability. It’s a lesson we apparently need to learn over and over again.
posted by sjswitzer at 8:24 AM on January 12, 2023 [3 favorites]


Telegram has serious security unfixed holes too, including encryption just being off by default.

Axolotl aka double ratchet by Trevor Perrin is the de facto standard for forward-secure one-to-one e2e encryption. It works.

Signal, WhatsApp, and some others employ "sender keys" for group messaging. And messaging layer security (MLS) is an effort to improve upon sender keys for group messaging.
posted by jeffburdges at 8:40 AM on January 12, 2023


my mind went to skooma

khajit has the warez
posted by snuffleupagus at 8:47 AM on January 12, 2023 [8 favorites]


The new mantra shall be "don't roll your own protocol".

that's always been the mantra. problem is too many people think they're smarter than they are.
posted by kokaku at 9:14 AM on January 12, 2023 [7 favorites]


You can't really sell a product that you state "just uses the Signal protocol" because then no one would buy your product. Much easier to sell "we are geniuses and implemented our own messaging protocol" especially since people who know what Signal is aren't going to use things that aren't Signal (or a similar high standard).
posted by meowzilla at 9:39 AM on January 12, 2023


Just fyi, the fixed older matrix vulnerabilities referred to above.
posted by jeffburdges at 10:00 AM on January 12, 2023


On one hand: don't roll your own protocols has always been sound advice.

It's not just "this, from a technical perspective", though. It's "this is a reliable indication that there will be much deeper problems with this program and this company." When you see a bug like this on the floor, you have to assume that there are hundreds in the walls.
posted by mhoye at 10:52 AM on January 12, 2023 [2 favorites]


So is Signal still the best choice for secure IM comms?

Screw Telegram. My devices were owned for months by Telegram haxx0rs in 2020. (I shouldn't have been hanging out online with them, yeah. Even for people with pristine lives and innocent, pure online activities, so many popular apps are so exploit-laden I recommend not using them at all if one can avoid it. Zoom, Snapchat, Skype, Telegram, Kik, and more.)

"a compression-based side-channel attack that recovers users’ long-term private keys through observation of the size of Threema encrypted backups"

whaaaaaaaa that seems really careless and scary??
posted by infinitewindow at 11:52 AM on January 12, 2023


I'm generally a free software guy, but I feel like the Signal foundation could have done a lot to fix this by making their software available under a more permissive license. The use of GPL 3.0 only/AGPL 3.0 only makes it impossible to use what's arguably the best secure messaging protocol in non-free software, and in this case, I think the privacy of millions of users ought to weigh more heavily than the freedom to modify and redistribute the source code, not to mention that Signal requires being tied to a phone number, which is both inconvenient and arguably a security problem.
posted by Joakim Ziegler at 5:19 PM on January 12, 2023 [1 favorite]


> infinitewindow: "whaaaaaaaa that seems really careless and scary??"

I would say that this kind of thing wouldn't be considered careless... if not for the fact that this exploit has the same shape as CRIME, an exploit demonstrated in SSL/TLS back in 2012. If that didn't already happen, then I wouldn't really call this particularly careless (though still deffo scary) since I think prior to its demonstration in a real-world system, this kind of compression-ratio-analysis-based attack was more of a theoretical threat.

However, given that it in fact already did happen and that whatever crypto (the real kind, not the bitcoin kind) and/or security expert(s) they had on staff didn't take that into account... that's probably not great. Neither are the other 6 vulnerabilities, though it does seem that one of those 6 was already patched in the current version. In conclusion, cryptographic security is hard, protocols especially so, and, like brain surgery, best left to people who really, really know what they're doing.
posted by mhum at 5:32 PM on January 12, 2023
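The "same shape as CRIME" point above, as an added illustration (not Threema's backup format and not the paper's attack; field names and both key values are constructed): when a secret and user-influenced text go through one compressor, the compressed size becomes a function of the secret, and encrypting the blob afterwards does not hide its length. The self-check below holds the controlled field fixed, swaps only the secret, and reports whether the output size moves; it is run against a CRIME-shaped encoder and a hardened one that keeps key material out of the compressor:

```python
import zlib

# Constructed 64-hex-char "long-term keys" (not real keys).
SECRET_A = b"5d41402abc4b2a76b9719d911017c5929e107d9d372bb6826bd81d3542a419d6"
SECRET_B = b"3c59dc048e8850243be8079a5c74d0797b4a1d9a8f0e6c2b5d3f7e1a9c8b6d4f"


def naive_backup(secret_hex: bytes, nickname: bytes) -> bytes:
    """CRIME-shaped design: the secret and a user-influenced field share one
    compressor, so output size depends on how much they have in common."""
    record = b"nickname=" + nickname + b"\nprivate_key=" + secret_hex + b"\n"
    return zlib.compress(record)


def hardened_backup(secret_hex: bytes, nickname: bytes) -> bytes:
    """Hardened design: only non-secret fields are compressed; the key is
    appended at its fixed width outside the compressor, so the total length
    carries no information about the key's value. (Encryption of the whole
    blob would follow and preserves length in both designs.)"""
    public_part = zlib.compress(b"nickname=" + nickname + b"\n")
    return len(public_part).to_bytes(4, "big") + public_part + secret_hex


def length_depends_on_secret(encoder) -> bool:
    """Length-oracle self-check for an encoder. The controlled field is kept
    fixed (here it happens to contain the text of SECRET_A) and only the
    secret is swapped. If the size changes, an observer who sees only sizes
    learns whether the secret resembles the controlled text."""
    controlled = SECRET_A
    size_when_related = len(encoder(SECRET_A, controlled))
    size_when_unrelated = len(encoder(SECRET_B, controlled))
    return size_when_related != size_when_unrelated


if __name__ == "__main__":
    for name, enc in (("naive", naive_backup), ("hardened", hardened_backup)):
        print(f"{name}: size depends on secret = {length_depends_on_secret(enc)}")
```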


…not to mention that Signal requires being tied to a phone number, which is both inconvenient and arguably a security problem.

Though the wording "we're hopeful" leaves some wiggle room and it's already a long time coming, according to Meredith Whittaker, President of the Signal Foundation, usernames are supposed to be implemented in the first half of the year.
posted by Strutter Cane - United Planets Stilt Patrol at 6:38 AM on January 13, 2023 [1 favorite]


The use of GPL 3.0 only/AGPL 3.0 only makes it impossible to use what's arguably the best secure messaging protocol in non-free software [...] I think the privacy of millions of users ought to weigh more heavily than the freedom to modify and redistribute the source code

Hard to imagine anyone who is motivated by the privacy interests of millions of users and not money would be put off by the GPL.
posted by Mitheral at 8:50 PM on January 25, 2023 [1 favorite]


Amen! Axolotl alone is not too hard to implement for a solid cryptography developer. It's really the bridge between user interface and cryptography where you'll never find anyone careful, qualified, and willing.

All my paranoid friends use Wire. It's basically Signal without phone numbers, and more collaborative people, a la MLS participation, etc. Android app is fucking slow though, almost as bad as Element/Matrix.
posted by jeffburdges at 1:38 PM on January 27, 2023

