For something like PGP, any performance difference wouldn't matter. There is one message and the key agreement is done once. As long as things are fast enough to be imperceptible to the user we are fine.
From the GnuPG perspective RFC-9580 is a deliberate fork away from what agreement could be achieved. Basically the faction that is now called RFC-9580 (mostly Sequoia and Proton) wanted to make a lot of changes to the existing standard but the faction that is now called LibrePGP (mostly GnuPG and RNP) was not convinced that those changes were necessary.
Traditionally the OpenPGP standards process has been very conservative and minimalistic. GnuPG comes from that tradition. So the RFC-9580 faction created their own maximalist version of the standard and are actively promoting it as the standard.
So from a user perspective, there are two incompatible proposals out there. It's a mess. So it is better to aggressively ignore them both and maintain interoperability by sticking with RFC-4880 (OpenPGP). That might be a problem if you for some reason are still concerned about a quantum attack against cryptography as the post quantum stuff has gotten caught in this schism. It is certainly something that the users need to keep in mind.
It is very hard to prevent a proposal from becoming an RFC. You have to generate ongoing opposition for longer than the supporters. FWIW, here is the LibrePGP proposal:
Observing the OpenPGP schism mess I think I have gained some insight as to why some RFCs become so bloated. For example it has been recently pointed out that there are 60 RFCs for TLS (with 31 drafts in progress)[1]. The RFC process seems to be more optimal during the design phase. Once we have an established standard there should be some way to force those that propose changes/extensions to provide appropriately strong justifications for those changes/extensions. Right now it is a popularity contest and there will always be more people out there in favour of changes/extensions than those willing to endlessly fight against those changes/extensions. Because cryptography is so specialized and obscure, the users tend to get left out of the discussion.
It is a standard proposal, which is why it's in the standards track. The point was that it is not the only (the) standard, and not the universally accepted one.
>Encryption would have been baked in from the start, rather than waiting for PGP, S/MIME, and TLS to add them later.
This comment intrigued me so I did a tiny bit of research. It appears that X.400 uses S/MIME for encryption (see RFC-3854). Alternatively something called STANAG 4406 which provides some sort of centralized control of who sees what for military applications.
Yeah, you only get out something like 30% more energy than you put in[1]. So this isn't so much about how great solar is but is more about how bad corn ethanol is...
Note that that OEM would still have to deal with the minefield of patents created by the John Deeres of the world. I once worked for a company that had to work around an electronic circuit patent to detect a pulse. That was it, that was all it did. But if you used a standard differentiator circuit to detect the pulse created by an optical sensor watching for falling seeds you would violate the patent.
So a prerequisite might involve fixing the patent system...
The idea seems to be that there will be some sort of cascading effect if we can somehow create physical qubits with sufficient noise performance. It's this "threshold" we keep hearing about. Once we exceed threshold there is a possibility that we can use error correction to expand everything without limit.
This assumes that there will not be other problems that arise. I suspect that "error correcting" thousands of qubits entangled with one another will be one of those problems.
"OK. Signal has forward secrecy. So messages are gone after I receive them. Great!"
Oh, you didn't turn on disappearing messages? Oh, right, then forensic tools like Cellebrite can get them. You have to turn on disappearing messages. The default is off.
Oh, you did turn on disappearing messages? We send the messages in notifications. So the OS can keep them. Turns out Apple was doing that. There is an option you can turn on to prevent that. It is off by default.
"I'll just delete the entire app!" No, sorry, the OS still has your messages...
At what point does the usability get so bad that we can blame the messaging system?
This same app had a usability issue that turned into a security issue just last year:
End to End Encrypted Messaging in the News: An Editorial Usability Case Study (my article)
I think one of the main issues is that end-to-end message encryption is a sham as long as backups are not encrypted. I could have good device security, but if the person I'm talking to does not use ADP, iMessage and WhatsApp messages get backed up with only at-rest encryption (I think Signal opts out of standard iOS backups) and possibly the same for backups of the iPhone notification database (which the article suggests as a possibility).
Similarly on Android, WhatsApp suggests unencrypted backups to Google Drive by default.
Putting on my tinfoil hat, I am pretty sure that Google/Apple/Meta have some deal (successor to PRISM) where end-to-end encrypted messaging is tolerated as long as they have defaults that make it possible to access chats anyway. Apple not enabling ADP by default and WhatsApp doing Google Drive backups that are not end-to-end encrypted is the implementation. Since most people just use the defaults, it undermines security of people who care.
It's a 'win-win', the tech companies can wash their hands in innocence, the agencies get access to data, and phone users believe that they are chatting in a secure/private manner.
"end-to-end message encryption is a sham as long as" -- I agree with that but would add even more caveats. If someone can't list those caveats off the top of their head they shouldn't be pretending they aren't able to communicate securely.
Just look at Salt Typhoon, every single person should be way more paranoid than they are, including government & agency officials. The attack surface and potential damage - financial and reputational - will only get worse with AI automation and impersonation, and that's for people who are doing nothing interesting and are law abiding citizens.
Given the shoddy state of network security at large, especially on infrastructure projects (power plants, hospitals, dams, etc.) I always feel like major governments sit on so much destructive potential to disrupt communications and anything connected to the Internet of their adversaries that they have the mutually assured destruction potential of a nuclear bomb.
No one’s crazy enough to push that button, because once you do there is no turning back.
I have often wondered about this exact situation. Like there are many instances of companies who depend on keeping their network secure and are actively taking preventative measures to keep their network safe that end up getting hacked.
So surely there has to have been infiltration to some of the critical infrastructure keeping cities running. Why don't we hear more about it?
I mean the Hungarian minister of Foreign Affairs briefed Lavrov on internal EU matters and there are recordings of one or more calls. It seems that opsec is bad at pretty much every level.
> the tech companies can wash their hands in innocence
Hostile defaults, not just in tech, are how Western liberal soft power often works. They can always claim "hey, you have the choice", but they know very well most people won't even know they have the choice, or it is so cumbersome or costly to move away from the hostile defaults - and stay that way - that in practice, the effect is the same as if you lived in a totalitarian regime. The difference is that you can keep believing in the deception of "freedom" in a Western liberal society; in a totalitarian regime, you are much more likely to know you've got a jackboot on your throat, because there is one.
What is needed isn't radical liberal atomistic individualism which rationalizes the antisocial war of all against all that rewards raw might. You won't find freedom there. You need a culture of respect of and sense of duty toward the authentic common good, backed by moral authority, where authority is power + justice.
People keep pushing Signal because it is supposedly secure. But it runs on platforms that are so complex with so much ecosystem garbage that there is no way to know even within a low percentage of confidence if you've done everything required to ensure you are communicating just with the person you think you are. There could be listeners at just about every layer and that is still without looking at the meta-data angle which is just as important (who communicated with who and when, and possibly from where).
I've raised concerns about the Signal project whitewashing risks such as keyboard apps or the OS itself, and the usual response is that it's my fault for using an untrustworthy OS and outside Signal's scope.
At some point there needs to be a frank admission that ETE encrypted messaging apps are just the top layer of an opaque stack that could easily be operating against you.
They've made encryption so slick and routine that they've opened a whole new vector of attack through excessive user trust and laziness.
Encrypting a message used to be slow, laborious and cumbersome; which meant that there was a reticence to send messages that didn't need to be sent, and therefore to minimise disclosure. Nowadays everything is sent, under an umbrella of misplaced trust.
There is nothing secure about sending encrypted content to notifications. If it were secure, it would only notify that there is a message, with no details included.
> If it were secure, it would only notify that there is a message, with no details included.
You're right. This is configurable via settings, but is not the default state.
That said: if I can get friends and family to use Signal instead of iMessage, that gives me the opportunity to disable those notifications and experience more security benefits.
But I agree with your point: most people think that Signal is bulletproof out of the box, and it's clearly not.
Once again there is a trade off between security and user convenience.
If security is the main differentiator then the app should start in the most secure mode possible. Then allow users to turn on features while alerting them to the risks. Or at least ask users at startup whether they want "high sec mode" or "convenient mode".
As the app becomes more popular as a general messaging replacement, there will be a push towards greater convenience and broad based appeal, undermining the original security marketing as observed here.
Exactly, but sooner or later the cost of support overcomes the need for security; that's what is driving this. Popularity is the main reason Signal is now less secure than it was in the past.
According to Michael Tsai, they did use encrypted notification payloads. The OS just then stores the decrypted payloads in its notification database. [0]
Signal developer here. Our FCM and APN notifications are empty and just tell the app to wake up, fetch encrypted messages, decrypt them, and then generate the notification ourselves locally.
> We send the messages in notifications. So the OS can keep them. Turns out Apple was doing that. There is an option you can turn on to prevent that. It is off by default.
At least on my iPhone the default is to preview messages only when unlocked [0]. This user went out of their way to show previews in a locked state which meant it was vulnerable by digital acquisition without unlock code.
“We learned that specifically on iPhones, if one’s settings in the Signal app allow for message notifications and previews to show up on the lock screen, [then] the iPhone will internally store those notifications/message previews in the internal memory of the device,” a supporter of the defendants who was taking notes during the trial told 404 Media
Doesn't indicate this is an issue when you have it set to preview when unlocked.
They are not entirely separate from Mozilla. The MZLA Technologies Corporation is a for-profit subsidiary of the Mozilla Foundation. They have access to some of Mozilla's common infrastructure, but are otherwise entirely funded by donations. Donations to MZLA only fund Thunderbird and no other products.
Seems fine if you can donate to Thunderbird development. Compared to Firefox, where I don't think it's possible to donate to development at all (only to Mozilla activism side).
And both are owned and controlled by Mozilla Foundation, which is the issue. Why on earth would I donate money to an organization that seems dedicated to doing as little as possible other than acting as a tool to be used for the personal benefit of its leaders?
Seems to be some misunderstanding of what bike bells are for here...
A bell is helpful in a situation where a pedestrian is not aware of an approaching bike. The bell informs the pedestrian of two things:
1. That there is an approaching bike.
2. Roughly where the bike is approaching from.
The hope is that the pedestrian will then behave in a predictable way to allow a safe pass by the bike. In almost all cases the pedestrian will be able to simply continue doing what they were doing before they heard the bell.
If a pedestrian cannot hear bike bells, for whatever reason, that is not a problem. They can just stay consistent with the centreline of the path/road/way. They then have a responsibility to shoulder check when shifting from side to side.
The new thing here seems to be the use of the neutral atom technique. Supposedly we are up to 96 entangled qubits for a second or two based on neutral atoms.
Shouldn't that be enough capability to factor 15 using Shor's?