9 comments

[ 2.8 ms ] story [ 35.4 ms ] thread
"in an age where we better understand the power of social network analysis and the sensitivity of the social graph, the exposure of metadata by a "Web of Trust" is no longer acceptable from a security standpoint."

That depends on your security goal. Your goal might be to check to see if a message was sent by the person listed in the "From" field, in which case WoT can work very well.

"Nearly every project here uses Trust On First Use (TOFU) in one way or another"

This is not perfect either. In the scenario I described above, TOFU may be less useful than WoT. There are also scenarios in which TOFU makes no sense at all -- maybe I want to anonymously send an encrypted message to someone, and I have no point of reference for their key.

"This is not possible with the traditional protocol for email transport, although it will probably be possible to piggyback additional (non-backward compatible) protocols on top of traditional email transport in order to achieve metadata protection."

Ahem:

https://en.wikipedia.org/wiki/Cypherpunk_anonymous_remailer

The trouble with the web of trust is that it's basically analogous to publishing your contact list. It may solve some problems, but it creates entirely new ones at the same time.
Tangential: anyone know of an overview of projects working on next-gen IRC? I know the standard HipChat, Campfire and Flowdock, and recently discovered Slack and http://kato.im. Would love a full list.
https://news.ycombinator.com/item?id=7267226. Telegram seems most important in the context of security.
Cryptocat and Text Secure are most important in terms of security. Telegram still looks like security theater.
Ack, you're right. Subliminal marketing takes hold again :/

My intention was to push back on the references to hipchat, campfire and so on.

XMPP would be next-gen IRC, but I think you are looking for next-next-gen IRC :)
Looking great,Looking forward for shortcut keys like gmail. Yes i know i am hoping more :) but if i will get chance i will implement it.
It's a bit ironic that freedombox is using an expired certificate