5 comments

[ 3.1 ms ] story [ 25.8 ms ] thread
This sounds very similar to https://threema.ch
A friendly reminder to all that Threema had some serious flaws in their cryptography model, and their response was lackluster, to put it nicely.

https://breakingthe3ma.app/

> In our work, we present seven attacks against the cryptographic protocols used by Threema, in three distinct threat models. All the attacks are accompanied by proof-of-concept implementations that demonstrate their feasibility in practice.

Interesting, thanks for sharing

> We disclosed our findings to the Threema development team on the 3rd of October 2022, including possible mitigations for the attacks. Soon after, we met with Threema representatives to discuss our work and its public disclosure. On that occasion, we agreed on an initial batch of mitigations to be released in Q4 of 2022, followed by the public disclosure and final mitigations to be released in Q1 of 2023. In December 2022, we agreed on the 9th of January 2023 as the date of public disclosure.

> On the 29th of November 2022, Threema released a new protocol, Ibex, in order to further mitigate our attacks. The Ibex protocol aims to provide forward security for the E2E layer in Threema. We have not audited this new protocol.

I wonder if the new protocol would survive an audit

For a secure communications app, the website is awfully light on details of that security. This could just be a mis-alignment issue (i.e. website aimed at "average users" who may find technical jargon a reason to avoid the app). But my initial question of "why would I use this over Signal or GPG emails?" doesn't seem answerable from the website.

The security page says:

> 3. Verified and Secure -- Widely reviewed Open Source Public Key Cryptography and App itself can be fully audited and accredited.

As a bit of feedback, this description needs some cleanup. The word "can" in here is a scary word. Has the app been audited and accredited? If it has, make that clear. (Perhaps include information about when the app was audited and by whom.) If it has not been audited and accredited, this advertising blurb is a super red flag. "We could do some security stuff in the future but have not yet" wouldn't go onto the website, but you've wrapped the statement in enough jargon that unsophisticated users may be misled.

Not open, not transparent, makes a bunch of claims without backing them up. If this was a side project, I'd be more forgiving. If it was someone's attempt at building their own signal, and was open source, and wasn't being billed as a real company, I'd be more forgiving.

> Widely reviewed Open Source Public Key Cryptography and App itself can be fully audited and accredited

But, this is a slick looking web page with a slick looking app and a bunch of appeals to authority and even an "endorsement" from the EU (whatever that means).

Do not use this app.