The gist is they claim Wickr failed to pay promised rewards offered by its bug bounty program, even though Wickr patched the issues reported by the researcher.
Please excuse my ignorance. I searched on the webs but couldn't find what VCP means in this context. Can someone please decode that for me (and maybe other readers like me)?
Btw, Wire [1] messenger just implemented timed messages which expire, like Wickr offers. Combined with a non-requirement for registration with a phone number and Google Play Services makes it even more ideal.
Signal has that too https://whispersystems.org/blog/disappearing-messages/ And using GCM is only a problem for people running a custom Android ROM without Google Play Services. They can use MicroG instead. For the vast majority of people who do have Google Play on their phone this is completely irrelevant. Using GCM doesn't make Signal less private.
> Google doesn't see any data via gcm, it's just a tickle. If you want push messages, you gotta use a push network.
> I've also seen first hand how difficult 3rd party clients can be on large networks with actual client logic, and unfortunately we simply don't have the resources to deal with that.
> I hope that everyone here who prioritizes federation above all else moves to federated products that support their goals, and I hope that those projects can demonstrate that I'm wrong about the inability to build competitive user experiences over the long term.
> If the only thing that the remaining people here want out of LibreSignal is a websocket-only solution and gmscore isn't an option for whatever reason, I would consider a clean, well written, and well tested PR for websocket-only support in Signal. I expect it to have high battery consumption and an unreliable user experience, but would be fine with it if it comes with a warning and only runs in the absence of play services. However, I also realize that still won't help people that are trying to build a Google-free experience on Google's platform, since we still don't have the things we need to be comfortable distributing software outside of Play.
> The thing is, Wire is developed by a for-profit company that has yet to discover a sustainable business model. They seem to be in a hurry to gain users, boasting about their own app's security and privacy before it has ever been independently audited.
> Using the Service to communicate by chat, our servers store your encrypted messages and other encrypted content and log other information such as the time and date of your conversations, and the other user or users with whom you are communicating. When using the Service to make or receive calls, our servers log and collect time and date of your calls, and the other user or users with whom you are communicating.
> Certain information (e.g. a recipient's identifier, an encrypted message body, etc.) is transmitted to us solely for the purpose of placing calls or transmitting messages. Unless otherwise stated below, this information is only kept as long as necessary to place each call or transmit each message, and is not used for any other purpose.
> This was put to the test in the "first half of 2016", when Signal's developers received their first subpoena. According to the documents that were published by the ACLU and OWS https://whispersystems.org/bigbrother/eastern-virginia-grand... , the Signal servers only store the number you register with (which can be anonymous https://yawnbox.com/index.php/2015/03/14/create-an-anonymous... ), the time you registered and the last time you connected to the Signal server (the precision of which is reduced to the day).
> The thing is, Wire is developed by a for-profit company that has yet to discover a sustainable business model. They seem to be in a hurry to gain users, boasting about their own app's security and privacy before it has ever been independently audited.
> Using the Service to communicate by chat, our servers store your encrypted messages and other encrypted content and log other information such as the time and date of your conversations, and the other user or users with whom you are communicating. When using the Service to make or receive calls, our servers log and collect time and date of your calls, and the other user or users with whom you are communicating.
> Certain information (e.g. a recipient's identifier, an encrypted message body, etc.) is transmitted to us solely for the purpose of placing calls or transmitting messages. Unless otherwise stated below, this information is only kept as long as necessary to place each call or transmit each message, and is not used for any other purpose.
> This was put to the test in the "first half of 2016", when Signal's developers received their first subpoena. According to the documents that were published by the ACLU and OWS https://whispersystems.org/bigbrother/eastern-virginia-grand... , the Signal servers only store the number you register with (which can be anonymous https://yawnbox.com/index.php/2015/03/14/create-an-anonymous... ), the time you registered and the last time you connected to the Signal server (the precision of which is reduced to the day).
At the end of the day Signal doesn't transfer messages realiably, which is also often repeated problem on the Google Play reviews. So I can't put my confidence in a messenger which can't reliably deliver instant messages. Not to mention using it without submitting to Google (Chrome "app") and which also happens to be OWS customer.
You can see if your message was sent to the server and if the message was sent to your friends phone. I haven't really had any problems delivering messages apart from one time when they had servers problems.
No need to use Chrome if you don't want to, Chromium also works.
> "Encryption works best if it's ubiquitous and automatic. The two forms of encryption you use most often -- https URLs on your browser, and the handset-to-tower link for your cell phone calls -- work so well because you don't even know they're there.
>
> Encryption should be enabled for everything by default, not a feature you turn on only if you're doing something you consider worth protecting.
>
> This is important. If we only use encryption when we're working with important data, then encryption signals that data's importance. If only dissidents use encryption in a country, that country's authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal. No one can distinguish simple chatting from deeply private conversation. The government can't tell the dissidents from the rest of the population. Every time you use encryption, you're protecting someone who needs to use it to stay alive."
It's the least of Telegrams problems but let's not forget their home made crypto even though there are better alternatives. See the take-home message here:
> "We stress that this is a theoretical attack on the definition of security and we do not see any way of turning the attack into a full plaintext-recovery attack. At the same time, we see no reason why one should use a less secure encryption scheme when more secure (and at least as efficient) solutions exist.
>
> The take-home message (once again) is that well-studied, provably secure encryption schemes that achieve strong definitions of security (e.g., authenticated-encryption) are to be preferred to home-brewed encryption schemes."
> "Abstract: The number one rule for cryptography is never create your own crypto. Instant messaging application Telegram has disregarded this rule and decided to create an original message encryption protocol. In this work we have done a thorough crypt analysis of the encryption protocol and it's implementation. We look at the underlying cryptographic primitives and how they are combined to construct the protocol, and what vulnerabilities this has. We have found that Telegram does not check integrity of the padding applied prior to encryption, which lead us to come up with two novel attacks on Telegram. The first of these exploits the unchecked length of the padding, and the second exploits the unchecked padding contents. Both of these attacks break the basic notions of security, and are confirmed to work in practice. Lastly, a brief analysis of the similar application TextSecure is done, showing that by using well known primitives and a proper construction provable security is obtained. We conclude that Telegram should have opted for a more standard approach.
>
> Conclusion: TextSecure is based on strong primitives that have withstood crypt analysis from the crypto community for years, and these are combined in a way that proven provides authenticated encryption. Telegram on the other hand has crafted its own encryption scheme and deployed it in an unproven state, and prior to any scrutiny from other cryptographers. We have seen this done time and time again, and rarely with good results. Take for example the smart grid meters that were shown to use terrible crypto back in April this year. Furthermore, the DH Ratchet is a very nice way of providing forward secrecy on a per-message basis with little overhead, which is an improvement over Telegram's one key per 100 messages approach.
After seeing your comments in this thread and looking at your comment history, I have to ask: What is your affiliation with Signal/Open Whisper Systems, if any?
Just very enthusiastic about Signal then, I guess?
Often when someone is so outspoken about a product it's because they have a vested interest in its success (and they don't always disclose that fact)... that's why I asked. Thanks.
More enthusiastic about privacy and free software. I often see worse apps recommended for privacy reasons, so why not bring up the flaws in those and what's better about this. If something better comes along I'll switch to that and recommend that instead.
