> French prime minister Elisabeth Borne asked that government workers "take all measures" to deploy Olvid by December 8.
> France's junior minister in charge of digital, Jean-Noel Barrot, wrote in a social media post that the messaging app had been used by his team since July 2022.
> "In December, the entire government will use Olvid, the most secure instant messaging service in the world."
Never heard of it before. Has anyone looked into their protocols?
Allegedly the major governments participate in a cooperative spying exchange dubbed Five Eyes. Since it's illegal for Country A to spy on their own citizens, they instead have Country B do it and vice-versa. Then participants exchange info in a quid-pro-quo fashion.
Quite a few reasons to be concerned. Moxie left Signal and at least one of the new board members has a US government background. The update methods allow issuing a compromised update to targeted users. And while Signal still claims that “in our model, the server knows nothing about users”, for a few years now users’ contacts lists (sweet, sweet metadata nearly as valuable as the messages) have been uploaded to servers, protected only by the notoriously vulnerable Intel SGX technology.
>The entire client code is open-source. This code, once compiled, makes it possible to produce iOS and Android clients which are able to communicate with our production server (the exact same one used by the client applications downloaded from the App Store or Google Play), and thus enter into contact and chat with all other Olvid users.
>For the moment, however, we have chosen not to publish the source code of the server through which the messages transit.
I don’t fully believe this. Over the past few years, we’ve seen politicians in every country using WhatsApp/Signal to conduct their official/corrupt practices without oversight. I cannot imagine they’d abandon those channels for the officially sanctioned one.
Countries should in-house their critical technology, jobs, and infrastructure true as much as possible. Sure, you can save a few bucks by using that huawei router or Russian developed secure message app. And maybe it’s cheaper to pay people in China to handle all of your advanced fabrication. And foreign investment money seems to flow a lot more freely than domestic. But I think we’ve seen over and over again how countries that control investments and supply chain are more than willing to use their influence as a political lever when it suits them.
Signal claims to only have the phone number and, IIRC, last connection time. But being American they seem at least somewhat vulnerable to pressure by the US government.
Hypothesis yet plausible scenario: Signal is actually a NSA/CIA-run honeypot.
As far as I know, nobody knows (for sure) what software runs on the official Signal servers. Only the official client app can be used to communicate with ONLY the Signal server.
US law (as far as I know) forces ALL US-based organizations (including non-profits) to cooperate with any and all government agencies, without being legally allowed to publicly admit or disclose that they're doing so. Thanks to Snowden we know that this has happened A LOT in the past. After Snowden, when exactly did the NSA stop illegally spying on everybody? ... Exactly...
With the above in mind it is possible that all Signal traffic is not actually e2e encrypted and is instead decrypted and re-encrypted at the server.
A less "far fetched" version of the above would be that there are simply known vulnerabilities in the Signal client app (and/or Android and/or iOS and/or other apps) that governments are exploiting to see all decrypted Signal communications.
IMO it would be extremely dumb for an EU country to voluntarily use software made in the US or in any other country if it isn't FULLY open source and FULLY audited (and compiled from source) by the EU country itself.
Just like it is extremely dumb that EU-based companies are PAYING to upload their own trade secrets to their direct competitors in the US through OneDrive.
And yet many of these same ministers undoubtedly support the EU's recent nth attempts to open encryption backdoors for the most commonly used consumer messaging systems on the continent, arguing that it won't be harmful to security while adding in all the usual "for the children, fighting terrorists" bullshit..
Hypocrisy is never more than a stone's toss away from any government policy.
Edit: reading a bit more about it they will be able to use both Olvid and Tchap, to have a Tchap account you must be a public sector employee so Olvid will be a way to communicate with external contact I guess.
47 comments
[ 3.2 ms ] story [ 103 ms ] thread> France's junior minister in charge of digital, Jean-Noel Barrot, wrote in a social media post that the messaging app had been used by his team since July 2022.
> "In December, the entire government will use Olvid, the most secure instant messaging service in the world."
Never heard of it before. Has anyone looked into their protocols?
https://olvid.io/assets/documents/2020-12-15_Olvid-specifica...
The client app sources are available under AGPLv3 license:
https://github.com/olvid-io/olvid-android
https://github.com/olvid-io/olvid-ios
Does this mean they are pushing Olvid in general preference over Tchap, their Matrix network? https://joinup.ec.europa.eu/collection/open-source-observato...
France not a member.
Besides that it is likely heavily targeted by threat actors and no doubt you have people in NSO group focused on just Signal exfiltration.
Having another app will mean additional labor for nation-states and just not relying on off-the-shelf “press button to hack” software.
> The others promised you that. Olvid did it.
Bold claims. Still, don't see the server side source in their public GitHub. Perhaps I'm missing something.
>The entire client code is open-source. This code, once compiled, makes it possible to produce iOS and Android clients which are able to communicate with our production server (the exact same one used by the client applications downloaded from the App Store or Google Play), and thus enter into contact and chat with all other Olvid users.
>For the moment, however, we have chosen not to publish the source code of the server through which the messages transit.
More here: https://olvid.io/faq/server-and-open-source/#Does%20Olvid%20...?
https://www.washingtonpost.com/graphics/2020/world/national-...
Mirror: https://archive.ph/emy0p
It’s French!
The French government is picking up a French solution built by a French company.
I doubt that the decision was as much technological as it is obviously political.
Unfortunately this is a common pattern in Europe, especially the bigger states like France and Germany.
Using what then? will they go back to using pigeons or will President Macron force Olvid upon all European administrations?
So all the standard US problems (national security letters, etc) would seem to apply.
As far as I know, nobody knows (for sure) what software runs on the official Signal servers. Only the official client app can be used to communicate with ONLY the Signal server.
US law (as far as I know) forces ALL US-based organizations (including non-profits) to cooperate with any and all government agencies, without being legally allowed to publicly admit or disclose that they're doing so. Thanks to Snowden we know that this has happened A LOT in the past. After Snowden, when exactly did the NSA stop illegally spying on everybody? ... Exactly...
With the above in mind it is possible that all Signal traffic is not actually e2e encrypted and is instead decrypted and re-encrypted at the server.
A less "far fetched" version of the above would be that there are simply known vulnerabilities in the Signal client app (and/or Android and/or iOS and/or other apps) that governments are exploiting to see all decrypted Signal communications.
IMO it would be extremely dumb for an EU country to voluntarily use software made in the US or in any other country if it isn't FULLY open source and FULLY audited (and compiled from source) by the EU country itself.
Just like it is extremely dumb that EU-based companies are PAYING to upload their own trade secrets to their direct competitors in the US through OneDrive.
If you think that the above is far-fetched, read this: https://www.swissinfo.ch/eng/politics/switzerland-closes-inv...
[0] https://kitklarenberg.substack.com/p/signal-facing-collapse-...
Is the German government pushing to use a German-made messaging app I'm not aware of, or is your comment generic?
Never did the US do that. Ever.
Signal is safer than whatever the unproven Olvid is.
[1] https://olvid.io/pricing/en/
Running servers and writing software is not free.
Hypocrisy is never more than a stone's toss away from any government policy.
Edit: reading a bit more about it they will be able to use both Olvid and Tchap, to have a Tchap account you must be a public sector employee so Olvid will be a way to communicate with external contact I guess.