[HN Gopher] Moxie Marlinspike has a plan to reclaim our privacy
       ___________________________________________________________________
        
       Moxie Marlinspike has a plan to reclaim our privacy
        
       Author : konz
       Score  : 83 points
       Date   : 2020-10-19 10:27 UTC (12 hours ago)
        
 (HTM) web link (www.newyorker.com)
 (TXT) w3m dump (www.newyorker.com)
        
       | 3np wrote:
       | I was vouching for Signal for all my friends for years, supported
       | them with donations, and was really rooting for them. However, I
       | regrettably can't trust in moxie having the best intentions with
       | Signal anymore. Lost count of the number of times this has been
       | recycled on HN so I'm not taking the time to formulate this
       | extremely well but:
       | 
       | * For the longest time, requires phone number as identifier. When
       | asked to remove this restriction, the reply is "so we can
       | bootstrap off the phone's native contact application". But
       | Android and iOS contacts have natively supported e-mail addresses
       | on contacts since forever? And those could be optional? Every
       | time the conversation has gone this far with anyone involved in
       | Signal, silence/ghosting.
       | 
       | * The whole PIN requirement debacle - where further amounts of
       | metadata would be uploaded to Signal's servers (encrypted of
       | course, with the PIN as passphrase of the key). Suddenly the app
       | wouldn't start and users were locked out of all their Signal
       | conversations (even reading them) without setting a PIN, no way
       | to circumvent it. We were told this would be a strict requirement
       | to be able to solve the above. After a lot of backlash they
       | rolled it back after a week or so?
       | 
       | * Hostility towards alternative implementations.
       | 
       | * There's an open issue on GH for verified builds. Since 2015.
       | 
       | Signal may be good today. What about tomorrow? I think the only
       | durable and realistic solution (because let's face it, pure P2P
       | for the mainstream is not the latter) is federation.
       | 
       | Anyone feeling similarly should check out matrix.org. It may not
       | be ready for the masses yet. But if we consider how we
       | communicate in 5, 10, 20 years from now, it becomes obvious that
       | we can't rely on a single actor as provider, regardless of how
       | good they are today. The only way we get there is with people
       | like the ones frequenting HN getting involved by using it,
       | contributing, filing bugs, hosting home servers and using the
       | clients.
        
         | lrvick wrote:
         | These are all exact reasons I have never used Signal.
         | 
         | Additionally I find concerning the choice to bet the farm on
         | SGX which has been repeatedly broken with repeated
         | opportunities to extract the keys, at which point cracking
         | small numeric pins is trivial.
         | 
         | Moxie simply promised they always patch right away and never
         | take the keys when they have such opportunities to do so.
         | 
         | I do believe him, today, but I don't believe he is above being
         | threatened or coerced tomorrow or that he won't get replaced by
         | someone that cooperates better with state powers as happened
         | with VK and countless others.
         | 
         | I also took issue with Signal having central network metadata
         | chokepoints his DCs or ISP could do timing heuristics on even
         | if he does not.
         | 
         | I tried to engage with Moxie about these issues but he
         | dismissed each as things we will mostly have to accept because
         | he feels it is not possible to create and rapidly improve a
         | privacy focused communication tool for the masses that isn't
         | produced and controlled by a single large company.
         | 
         | Moxie is brilliant, and his contributions to cryptography and
         | bringing education on privacy and end to end encryption to
         | millions can't be overstated.
         | 
         | The problem is Moxie and Signal are struggling to engineer best
         | efforts under an assumption they treat like a law of nature: No
          | end to end encrypted messaging platform can succeed without
         | complete centralization.
         | 
         | I operate under a different assumption: No centralized platform
         | will ever escape censorship and control by the government it
         | operates under.
         | 
         | Moxie has said before he is happy to be proven wrong.
         | 
         | I hope as Matrix and others continue to prove him wrong with
         | his own cryptography research that he comes around and rejoins
         | the fight for a decentralized internet with irrevocable
         | privacy.
        
           | tptacek wrote:
           | You can't coherently be alarmed by Signal's use of SGX while
           | at the same time endorsing systems that use no cryptography
           | whatsoever to protect the metadata Signal uses SGX for.
        
             | nullc wrote:
             | > You can't coherently be alarmed by Signal's use of SGX
             | while at the same time endorsing systems that use no
             | cryptography whatsoever to protect the metadata Signal uses
             | SGX for.
             | 
             | You can be: It isn't difficult to argue that signal
             | overstates the security properties of their solution.
             | 
             | It's not an incoherent position to say that it's more
             | important to be conservative (or at least accurate) about
             | the claimed properties than it is to provide epsilon more
             | security.
             | 
             | If it were the case that signal claimed that this metadata
             | had no privacy towards them (and the hosts running their
             | systems), but when you dig into the protocol or detailed
             | tech docs you find that they're using SGX to minimize
             | risk-- then I think there would be nothing to fault about
             | the addition of SGX. In that case it would be purely
             | additive security.
        
             | saagarjha wrote:
             | I'm not sure that that's the only conclusion you can draw.
             | Some systems choose to not handle that metadata, which
             | often makes them a worse service but they make that choice
             | by looking at the landscape and choosing to not use SGX.
             | The other plausible argument is that Signal uses SGX, which
             | is better than nothing, but in selling it as more secure
             | than it is they do more harm than good.
        
               | JshWright wrote:
               | Some people choose not to turn their servers on at all.
               | It makes for a worse server, but it's very secure.
               | 
               | Security is always about tradeoffs and compromises. A
               | system that is very, very good, but not perfect and
               | widely used is far preferable to a system that is perfect
               | but used by no one.
        
               | saagarjha wrote:
               | Right, but in this case the choice is "should I be able
               | to discover contacts" and some people just don't desire
               | that feature enough.
        
               | cwyers wrote:
               | Who, though? Matrix has contact discovery, doesn't it?
        
               | akerl_ wrote:
               | What's an example of a system in this space which chooses
               | not to handle that metadata?
        
               | Groxx wrote:
               | I don't need a phone number, nor do I need to upload my
               | contacts' phone numbers[1], in order to use Matrix.
               | 
               | [1]: I work around this by running Signal in a work
               | profile with no contacts. So it's... kinda sorta
               | optional, but in practice there are _many_ caveats and
               | complications that make it effectively not. Certainly not
                | when we're claiming it for average users, which is
               | Signal's argument for using it.
        
               | akerl_ wrote:
               | I'm not a Matrix user, but it seems like Matrix does in
               | fact handle contact metadata:
               | https://matrix.org/faq/#what-is-an-identity-server%3F
               | 
               | I think there's a difference between what you're saying,
               | which seems to be that you personally don't upload your
               | contact metadata to Matrix, and what I asked / the
               | previous commenter was describing, which is the idea that
               | there are messaging platforms which have decided to not
               | support storing this kind of metadata.
               | 
               | Notably, last I looked, Signal does allow users to opt
               | out of SGX metadata storage, though the initial
               | implementation didn't cleanly allow for that.
        
             | lrvick wrote:
             | Matrix lets people host their own servers and in doing so
             | put the metadata anywhere they are comfortable.
             | 
             | One can have metadata for sensitive internal corporate
             | channels stay on a network they own in whatever country
             | they want while still being able to chat with outside
             | parties on matrix.org or other servers. Several friends
             | host their own servers and more recently matrix p2p is
             | rapidly maturing to dump the need for servers at all for
             | many use cases.
             | 
              | Federated systems allow people like me to choose to host a
             | server for my own family in my own home closet rack so data
             | shared between my family and I never leave our network.
             | 
             | Still others can host matrix as a Tor hidden service where
             | it will be very expensive to even learn who to target.
             | 
             | If all participants are using Tor and not using identifying
             | information like a phone number, then bulk deanonymization
             | becomes very expensive, particularly if many small highly
             | targeted social circles roll their own.
             | 
             | Signal does not give users a choice but to trust one SPOF
             | setup built under a one size fits all threat model that
             | flows all IP metadata to one place which can leak
             | information regardless of any encryption.
             | 
             | Put simply you can either choose Signal and put all your
             | metadata in one place with one US based party that promises
             | to use known bad hardware enclaves to protect it, or you
             | can choose to carve off your sensitive communications to
             | dedicated servers with whatever accountability structures
             | that make sense for your threat model.
             | 
             | I don't want a world where one central party holds all
             | communications metadata in one place under one legal
             | jurisdiction with one proprietary memory isolation
             | technology.
             | 
             | Moxie here likes to point out that email demonstrates all
             | the things that can go wrong with federated systems, but if
             | the alternative is letting a single party everyone trusted
             | at one point in the past take over a whole class of
             | communication long term, we would all still be using AOL.
             | 
             | Internet messaging will outlive us all, and if we advocate
             | everyone lock up their communications with one (even
             | benevolent) dictator, it won't end well when the next
             | dictator is not so benevolent.
             | 
             | See: pretty much every social network in China and Russia
             | that is now under state control in spite of early promises
             | of privacy by founders.
        
         | bawolff wrote:
          | There is a reason why signal is relatively mainstream successful
          | (by crypto product standards) and PGP wasn't. It's because it's
         | willing to make tradeoffs in the name of usability (while still
         | emphasizing security).
         | 
         | A secure messenger product nobody uses helps nobody's security.
        
           | nullc wrote:
           | Many of the security design flaws in signal have had little
           | to no direct impact on usability.
           | 
           | For example, for years we asked for a simple mechanism which
           | could be used to view a users key and mark it as identified,
           | to prevent MITM -- even one buried in a menu for advanced
           | users (who could at least act as canaries against widespread
           | interception). Not only was the request turned down but
           | usually responded to with vigorous personal attacks against
           | the requesters.
           | 
           | Subsequently once a fingerprint validation method was added
           | it was gratuitously bound to be pair-wise, making it largely
            | unusable -- e.g. post a pgp signed signal fingerprint that
           | any of your contacts could use to transfer trust from an
           | existing key. Requests for a non-pairwise version, even as
           | just some advanced thing that grandma never sees ... again,
           | hostility.
           | 
           | The constant logic-bombed auto-expiring software that make
           | signal effectively open-source-in-name-only. etc.
           | 
            | I think signal is fine as an insecure messenger: Unencrypted
            | communications protocols should have no place on the
            | internet today. But to advance it as a _security tool_ almost
            | certainly puts people's lives and freedom at risk.
           | 
           | Common usage of signal has zero security against MITM: users
           | aren't effectively notified that the contacts keys have
           | changed-- and given how often users lose/wipe phones perhaps
           | that's really the best that can be done for normy friendly
           | software.
           | 
           | If that's how it is, that's how it is. Some resistance
           | against passive monitoring is still a critical upgrade. But
           | don't call it secure: if you do people will do and say things
           | using it that they wouldn't otherwise.
        
             | hackerfromthefu wrote:
             | Can the downvoters please respond to the post with the
             | reasons why they are downvoting?
        
               | nullc wrote:
               | I assume it's a defensible question of priorities.
               | 
               | In spite of the many issues to complain about signal it's
               | still a lot better than what $random_person would likely
               | use otherwise.
               | 
                | Do we do the most good for the world by
                | under-representing signal's weaknesses and overstating its
               | security in order to maximize the people using it over
               | choices that are worse and cheerlead its development, or
               | do we do the most good by trying to be frank and being
               | critical of its limitations (at least some of which are
               | pretty nitpicky), potentially at the expense of the
               | discussion causing people to continue using clearly worse
               | alternatives?
               | 
               | Personally I answer this conflict like this: Outside of a
               | techy venue I don't go into any details about signal's
               | limitations-- I tell people they should use it, but don't
               | assume it keeps them private from governments, google, or
               | other powerful parties.
        
         | schoolornot wrote:
         | I have some concerns around the Signal foundation:
         | 
         | The initial $50M in funding was a loan, not a donation, from
         | Brian Acton to the new nonprofit Signal Technology Foundation.
         | By the end of 2018, the loan had increased to $105,000,400,
         | which is due to be repaid on February 28, 2068. The loan is
         | unsecured and at 0% interest.[5]
         | 
         | The Foundation is completely controlled by Brian Acton, who is
         | the sole "member" of the nonprofit, with the right to appoint
         | or remove every member of the Board of Directors. The Board
         | consists of Acton and Marlinspike. Acton is also the
         | President.[5]
        
           | sk2020 wrote:
           | Is there a reason to suspect Brian Acton's motives? I'm
           | always skeptical of celebrity-hackers, but I don't know why I
           | should be worried about Acton in particular.
        
       | cwyers wrote:
       | Why is it, whenever Signal is brought up on Hacker News, we get
       | inundated with the people who object to the core decisions of the
       | Signal Project? Would Signal really be better if, instead of
       | having a secure messenger available to the masses, it spent
       | massive amounts of time implementing the things these people
       | want? No. I would be comfortable recommending Signal (or
       | WhatsApp) to a nontechnical friend and communicating with them on
       | it, with the expectation of a certain level of privacy. I spend a
       | lot of time on Hacker News and consider myself a very technical
       | person, and I'm not sure I trust myself to use Matrix in a
       | forward-secure way where it's at right now. If everybody spent
       | the time they spent complaining about Signal working on getting
       | Matrix or whatever to a point where it was usable... well,
       | frankly I don't think it'd be much better off than it is right
       | now, but it seems more likely to bring about results to me than
       | endlessly lobbying to have Moxie do _the thing he thinks cannot
       | be freaking done right_. Right now, Signal exists and can be used
       | securely (given certain common threat profiles) by the typical
       | smartphone user. I'm really tired of people comparing the
       | security that Signal offers to the security of imagined
       | hypothetical messengers.
        
         | dingaling wrote:
         | Signal only has any userbase _due_ to advocacy; compared to the
         | secure-enough-for-most WhatsApp which has literally billions of
         | users and is the default choice, every user of Signal had to be
         | convinced to install it.
         | 
         | So I think it's unfair to bash people who criticise the
         | project. The 'drag' they apply to wider adoption is still
          | minuscule.
         | 
         | Put it this way: why does Signal exist when WhatsApp is good
         | enough? Wouldn't Mr Rosenfeld be better putting all that effort
         | and ingenuity into a truly innovative new messenger?
        
           | cwyers wrote:
           | WhatsApp... uses the Signal Protocol. I don't understand this
           | line of thinking at all.
        
           | AnthonyMouse wrote:
           | > why does Signal exist when WhatsApp is good enough?
           | 
           | WhatsApp sends all your contacts to Facebook instead of the
           | Signal Foundation, and unlike Signal, doesn't use SGX to keep
           | Facebook from knowing what they are.
        
         | nickff wrote:
         | A great deal of human communication is dedicated to signalling
         | high rank/superiority, or demonstrating
         | familiarity/intimacy.[1] In the case of HN, very few people
         | know much about Moxie, so the only useful signal they can
         | convey is expertise. Many people come here because of their
         | technical or product development background/interests, and the
         | way they show expertise is by second-guessing technical, user
         | interface, and other issues.
         | 
         | As a result of this combination of constraint and desire, we
         | get a bunch of comments where HNers talk about how they'd make
         | Signal (as well as every other product) better/more useful.
         | 
         | [1] From Deborah Tannen's works
        
           | cwyers wrote:
           | Huh. I did not expect a serious and insightful answer to my
           | entirely rhetorical question. Thank you!
        
           | saagarjha wrote:
           | I think this is an uncharitable view, and while it might be
           | true in some cases it is certainly not always the case. Many
           | times the people who point out issues with Signal do it not
           | because they think they want to show off, but because they
           | honestly are frustrated that no product seems to meet their
           | needs and Signal has specific issues that matter to them. I
           | honestly believe "Signal is stupid for relying on phone
            | numbers and SGX" is really just "I don't trust these things,
           | they have a track history of having issues, I would really
           | like to use this service and am sad that you chose to do
           | this". Hacker News is often not very good at conveying what
           | it is trying to say, but I remain optimistic that it's more
            | than an intellect measuring contest.
        
             | est31 wrote:
             | I remember the outrage quite well when Facebook started
             | spamming ads to the phone numbers of people who were forced
             | to give Facebook phone numbers for "security" purposes and
              | promised they would never be shown ads on those numbers. Or
              | when Jack Dorsey's Twitter account was hacked because of SMS
              | 2FA.
             | 
             | Last, phone numbers are general identifiers used in the
             | search boxes of various data collection tools. Maybe you
             | can search by the Threema ID as well, but that requires the
             | tool to be a tiny bit more sophisticated, and that means
              | the people who like to invade privacy are a bit more
             | frustrated.
             | 
             | That isn't "smartness signalling" or whatever, that's a
             | real concern.
        
           | eeZah7Ux wrote:
           | > signalling high rank/superiority
           | 
           | Please leave this social darwinism propaganda out of HN.
        
       | stefantalpalaru wrote:
       | This guy was very active during a weird campaign to bury
       | information detrimental to WhatsApp that would have affected a US
       | operation in Turkey (the one meant to replace Erdogan with Gulen
       | - a friendlier theocrat).
       | 
       | https://www.cyberscoop.com/whatsapp-backdoor-guardian-open-l...
       | 
       | http://technosociology.org/?page_id=1687
        
       | olah_1 wrote:
       | Signal's recent (not even yet out for many) implementation of
       | mention-only notifications has reinvigorated my investment in
       | them.
       | 
       | I am a bit more confident now that usernames will eventually
       | come.
       | 
       | But the fact that it's so slow to change is quite ironic,
       | considering that the whole point is "the ecosystem is moving".
       | Well apparently it moves like molasses.
        
         | StavrosK wrote:
         | What are mention-only notifications?
        
       | neonate wrote:
       | https://archive.is/nARhl
        
       | maxerickson wrote:
       | Could Signal use phone number pairs to robustly implement a "make
       | me visible to" discovery method?
       | 
       | It could certainly implement contact matching based on number
       | pairs instead of just numbers, but I haven't reasoned through
       | whether it could robustly (and efficiently I suppose) keep other
       | parties from enumerating the number pairs.
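The question above asks whether matching on phone-number pairs could give a "make me visible to" discovery method, and whether the pairs could be kept from being enumerated. The Python below is an added simulation of such a scheme, not code from the thread or from Signal, written to let a reader check both halves of the question. The phone numbers are constructed, the server and token format are hypothetical, and the hashing is a plain SHA-256 stand-in for whatever a real design would use.

```python
import hashlib
from typing import Iterable, List, Optional, Set, Tuple

# Constructed phone numbers for the simulation; not real subscribers.
ALICE = "+15550000001"
BOB = "+15550000002"
CAROL = "+15550000003"


def pair_token(me: str, contact: str) -> str:
    """Token a client uploads to mean "let `contact` discover `me`".

    The ordered pair is hashed, so a server storing tokens sees neither
    number in the clear. (Hypothetical scheme built from the comment's
    "number pairs" idea.)
    """
    return hashlib.sha256(f"{me}|{contact}".encode()).hexdigest()


class PairDiscoveryServer:
    """Stores only pair tokens and answers whether a given token exists."""

    def __init__(self) -> None:
        self.tokens: Set[str] = set()

    def upload(self, me: str, contacts: Iterable[str]) -> None:
        # The client declares who may see it; the server learns tokens only.
        for contact in contacts:
            self.tokens.add(pair_token(me, contact))

    def is_mutual(self, my_token: str, reverse_token: str) -> bool:
        # Discovery succeeds only when both sides opted in towards each other.
        return my_token in self.tokens and reverse_token in self.tokens


def client_lookup(server: PairDiscoveryServer, me: str, contact: str) -> bool:
    """What a client does to learn whether `contact` is reachable."""
    return server.is_mutual(pair_token(me, contact), pair_token(contact, me))


def enumeration_work(server: PairDiscoveryServer, candidates: Iterable[str],
                     known: Optional[str] = None) -> Tuple[int, int]:
    """Work-factor check for the robustness half of the question.

    Returns (hashes_needed, tokens_recovered) for a party that holds the
    token store and guesses pairs from `candidates`. With one endpoint
    already known the pair scheme collapses to guessing a single number;
    with neither known the guess space is the square of the candidate set.
    """
    cands: List[str] = list(candidates)
    if known is not None:
        pairs = [(known, c) for c in cands]
    else:
        pairs = [(a, b) for a in cands for b in cands if a != b]
    hits = sum(1 for a, b in pairs if pair_token(a, b) in server.tokens)
    return len(pairs), hits


def demo_server() -> PairDiscoveryServer:
    """Alice opts in towards Bob and Carol; only Bob opts in back."""
    server = PairDiscoveryServer()
    server.upload(ALICE, [BOB, CAROL])
    server.upload(BOB, [ALICE])
    return server


def demo() -> Tuple[bool, bool, bool]:
    server = demo_server()
    return (client_lookup(server, ALICE, BOB),    # mutual -> True
            client_lookup(server, ALICE, CAROL),  # Carol never opted in -> False
            client_lookup(server, CAROL, ALICE))  # same pair, same answer


if __name__ == "__main__":
    candidates = [f"+1555000000{i}" for i in range(1, 10)]
    print(demo())
    print(enumeration_work(demo_server(), candidates, known=ALICE))
    print(enumeration_work(demo_server(), candidates))
```

The matching half works: the server only ever learns tokens, and a lookup succeeds only when both parties uploaded the pair in their own direction. The enumeration half is where the scheme is weak, and the work-factor function makes that concrete: phone numbers are a small, structured space, so once any one number is known (for instance because the party doing the guessing already has it) the pair tokens are no harder to enumerate than hashes of single numbers. A salt or per-user secret that the server never holds is what would change that, which is a different design from the one the comment sketches.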
        
       | bilal4hmed wrote:
       | Other than matrix, what are some other alternatives or upcomers
       | in the messaging field I should try.
       | 
        | Matrix still has a high burden of me setting up my own server and
        | maintaining it. Until their P2P solution is released, they have
        | their own metadata problem.
        
         | olah_1 wrote:
         | These are all worth keeping tabs on.
         | 
         | Ethereum: https://status.im/
         | 
         | Loki: https://getsession.org/
         | 
         | Gun: https://iris.to/
         | 
         | IPFS: https://berty.tech/
        
         | est31 wrote:
         | In addition to what the siblings said, Threema. Doesn't require
         | phone numbers, is end to end encrypted like Signal.
         | 
         | https://threema.ch/
         | 
         | Also they announced that they will open source their client.
        
       | elevation wrote:
       | It's frustrating to see Signal's reputation undermined in
       | technical circles by the shortsighted zeitgeist.
       | 
       | Signal's constitutional emphasis on usability supports user
       | demographics that no other security product can attract. My
       | elderly relatives use Signal now instead of Skype. This drew in
       | other family members who just wanted to video chat with grandma
       | and grandpa. Matrix will never win markets like this.
       | 
       | When tech nerds nit pick Signal's implementation, they ignore
       | that the unfederated nature of Signal limits the damage these
       | decisions can cause. Thanks to Signal's security posture, global
       | protection from weak ciphers, buffer overflows, and even SGX, is
       | just one software update away. This even protects you from faults
       | in your contact's clients! Like the key agility that makes the
       | Axolotl Ratchet so superior to GPG, update agility makes Signal
       | infinitely superior to every existing or proposed federated
       | network.
       | 
       | The Signal group has an uncompromising commitment to user privacy
       | and a poignant security philosophy. Signal has no competition in
       | its usability class, making hypothetical protections from other
       | products worse than useless for user cohorts who will probably
       | switch back to skype or sms. Signal's detractors do a terrible
       | disservice to the people they dissuade from using it.
        
         | ryukafalz wrote:
         | > When tech nerds nit pick Signal's implementation, they ignore
         | that the unfederated nature of Signal limits the damage these
         | decisions can cause.
         | 
         | It limits the damage that some decisions can cause, but
         | exacerbates others. Signal only allows the first-party client
         | to connect to its network; if the developers were legally
         | compelled to add a backdoor into that client, users would have
         | few options.
         | 
         | Its security depends on a single company being perpetually
         | trustworthy, free of influence, and supported. Having used many
         | chat platforms that have been shut down/acquired/etc in the
         | past, that's not a bet I'm willing to take.
         | 
         | I'd also contest the idea that Matrix can never have a client
         | as usable as Signal, but I'll agree that there isn't one yet.
        
           | StavrosK wrote:
           | Compile your own client binary and use that?
        
           | novok wrote:
           | Signal is OSS and you can start your own fork & network if
           | you want to.
           | 
           | App publishing platforms not having a good binary signature
           | verification system is the orthogonal issue that you're
           | bringing up, that would in many ways apply to matrix for most
           | users too. Most will never bother to sideload it.
        
             | p1necone wrote:
             | > Signal is OSS and you can start your own fork & network
             | if you want to.
             | 
             | You can't though, what use is your own fork when nobody
             | uses it?
        
         | upofadown wrote:
         | >Like the key agility that makes the Axolotl Ratchet so
         | superior to GPG,
         | 
         | I am not sure how you can usefully compare a thing originally
         | intended to secure email to a thing intended to secure IM.
         | 
         | The ratchet only provides forward secrecy anyway. My take on
         | that is that it is a pointless thing for something like email
         | and pointless in practice for most IM applications. Most IM
         | users keep their old messages and practically all email users
         | keep their old messages...
         | 
         | There is nothing particularly wrong with Signal. Some of the
          | criticism might be a reaction to the constant promotion of it over
         | all other things, even when (as in this case) the things are
         | fundamentally different.
        
         | nullc wrote:
         | > update agility makes Signal infinitely superior to every
         | existing or proposed federated network.
         | 
          | Translation: Signal's ability to forcefully change the software
         | and protocol out for users without any consent (much less
         | informed consent) renders it functionally immune to any
         | criticism or review because any aspect of the protocol could be
          | changed ('improved') at a moment's notice.
         | 
         | I think signal is a fine insecure messenger. If you mistake it
         | for a cryptographic security product you are making a
          | significant mistake. The fact that it uses cryptographic
         | techniques internally just means that it isn't grossly
         | incompetently constructed, but that doesn't make it achieve any
         | particularly strong notion of security against any particular
         | attack model.
         | 
          | I strongly recommend people use it (at least on devices which
         | are already compromised by mystery meat binary updates that
         | could be remotely backdoored at any time)... just don't think
         | it's going to provide you with substantial security against
         | active attackers (much less state level attackers or from
         | Signal themselves).
        
           | na85 wrote:
            | >Translation: Signal's ability to forcefully change the
           | software and protocol out for users without any consent (much
           | less informed consent) renders it functionally immune to any
           | criticism or review because any aspect of the protocol could
            | be changed ('improved') at a moment's notice.
           | 
           | What percentage of users, globally, do you suppose are
           | qualified to make informed consent on arbitrary patches to
           | $secure_messenger of your choosing?
        
             | nullc wrote:
             | Informed consent for a drug doesn't mean that you
             | personally understand molecular biology. It usually means
             | that you've received and understand factual information
             | about the tradeoffs from hopefully neutral parties who are
             | acting in your best interest and can weigh those
             | considerations based on your own priorities and
             | preferences. And that you can make the choice you make free
             | of coercion, or otherwise it isn't consent at all.
             | 
             | Signal's software management practices make the system
             | largely opaque even to experts, and what review does happen
             | comes at a significant lag. This is evidenced by the
             | substantial number of times that signal has had to back-
             | pedal on a change after substantial backlash. Even where it
             | isn't opaque, there is no consent: the software stops
             | running if you don't accept all changes, and seldom are
             | changes introduced as optional features (default-on or
             | otherwise).
        
         | walrus01 wrote:
         | My primary concern about Signal and usability is the insistence
         | on using phone numbers to identify a person as a user ID.
         | 
         | Anything that relies on SS7/PSTN working correctly is a very
         | bad design choice in my opinion.
         | 
         | Giving out your phone number to possibly untrusted contacts is
         | also a bad decision because it opens up opportunities for
         | scams, spam and social-engineering attempted hijacks of
         | accounts (SIM swap attacks etc).
        
           | fidelramos wrote:
           | Signal is moving to allow users registering without a phone
           | number. The infamous PIN was a necessary step to achieve that
           | and other features, such as proper group management, which
           | has just been released.
        
       ___________________________________________________________________
       (page generated 2020-10-19 23:00 UTC)