archive provided by lainchan.jp

lainchan archive - /sec/ - 72



When people talk about secure ways to communicate from a smartphone, Signal is always the go-to choice. Except there are a few things that I personally think are annoying with this app, like the fact it uses the internet connection and makes your texts go through a SPOF (even though the transition makes sense, see their blog about it: https://whispersystems.org/blog/goodbye-encrypted-sms ).
So how to secure SMS/MMS traffic? Since last year I've been using a fork of TextSecure 2.6.4, called Silence: https://silence.im
As explained in the first link I've put, both apps have their own pros and cons:
Pros:
>No google services dependencies
>Can be your default SMS app
Cons:
>No iOS support (there's just no API to rely on).
>Except the length of the text, you cannot obfuscate the metadata
>Encrypted texts spotted from miles ( https://github.com/SilenceIM/Silence/issues/480 )
>No calls, no video.

So, what's your personal opinion? What do you use to keep you secure?
>inb4 use Antox you pleb
pls no


>on /sec/
>using a PTD
just carry a librebooted with ricochet. if you can't, your connection will not be more secure if you're using a PTD.


>how to secure SMS/MMS traffic
gpg mms is probably the best you can do.

using sms relies on the cellular phone system which relies on multiplexing which relies on sim cards which rely on a customer id number and carrier id which is attached to you and can be used to locate your position using base stations and satellites in like 5 different ways.

you can register any phone number on signal and use it from a web browser so it's a little bit safer metadata wise. Using the google push notification framework makes sense as it's lighter on battery than sockets and there's not really other infrastructure out there for droid.

Plus it has great PR unlike secure.im. Your friends may have heard of it.

If the object of the game is to chat securely with as many lay people as possible then pick signal every time.

Always validate fingerprints though and be wary of whatsapp and telegram because the implementation is bad. i.e. https://www.schneier.com/blog/archives/2017/01/whatsapp_securi.html


>Encrypted texts spotted from miles

I agree with the dev, this is not the concern and we can't do much. This is cryptography, not steganography. It is extremely hard to create a fully functional messaging program while hiding the presence of encrypted messages; you won't find it in almost any app... If you want to hide the message you need some sophisticated opsec.


>how to secure SMS/MMS traffic
>gpg mms is probably the best you can do.


btw, even encrypted, it's still not the best means of communication (in my state sending raw PGP messages over SMS may cause suspicion). Avoid using the whole PSTN at all costs, except networking if you need security.


What about the XMPP protocol? Using an app such as Conversations, ChatSecure, or whatever iOS client with encryption, you can make an account on an XMPP server and chat with encryption using OTR or OMEMO. There will be some metadata, but the contents of the message are secured.


The Google services dependencies of Signal actually aren't there if you compile it from source. I find it frustrating that they don't provide a non-botnet version in F-Droid or somewhere similar.

I used Silence for a while, which was really great and a big pro that it worked over GMS as normal. The problem is that it doesn't work with Signal, and since more people interested in privacy are using that it required me to switch back.

Maybe the solution is to have a new standard for SMS which includes end-to-end encryption by default. I imagine there would be a lot of work and it would take time to switch over, but it seems a better alternative than a bunch of third parties competing with products that aren't compatible. I don't want 10 different messaging apps because my friends all use different ones.



I'm sorry, what does PTD stand for?
I've found this app which uses Markov-Chained encryption, but most of it is proprietary: https://www.oversec.io
The concept seems great, and it also works with pgp, but I don't like relying on proprietary code, so I don't think I'll use it.


you can tunnel it through tor too, but sending anything besides text through it is painful, and it has connectivity problems and sockets drain battery.

If you're texting with someone with a lainer's level of knowledge it will work, but normal people will find problems with it.

I know because i've used conversations with normal people. for the record you should use omemo not otr.


I'm just shooting in the dark after reading acronyms online, but it might be Personal Trusted Device? Dunno.


There's actually a signal fork without gcm called Noise in the copperhead fdroid repo


If you haven't compiled your phone's OS, your phone can't be secure no matter what apps you use.
XMPP and IRC are secure enough though, provided you use OTR.


PTD = Personal Tracking Device
Also known as "smartphone" these days...


Conversations+omemo encryption is the ultimate and most secure way to chat on your phone. If you want a desktop client you may try to look forward to dino. It's new but very promising.


thanks for your post RMS


I first thought it was the GCM mode of cipher operation, "what the fuarrrk?", later I realized it was Google.


XMPP is good and in many cases the best choice and I use it every day. But not suitable for using with Tor.

Problem: every XMPP client leaks a significant amount of information, client version, OS info and more, in the way XMPP was designed (Tor Messenger is an exception).

Even protocols as simple as IRC, we have client infoleak problems (away message, CTCP, etc.) if we are not careful enough, and XMPP is a rather complicated one...
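
An added example, not part of the post above: a small audit of what XMPP stanzas disclose about the sending client, so you can check your own client's traffic. It assumes the disclosure happens through XEP-0092 (Software Version) replies, XEP-0115 (Entity Capabilities) presence and the JID resource; the stanzas, JIDs and client names are constructed.

```python
import xml.etree.ElementTree as ET

NS_VERSION = "jabber:iq:version"              # XEP-0092 Software Version
NS_CAPS = "http://jabber.org/protocol/caps"   # XEP-0115 Entity Capabilities

# Constructed sample stanzas (not captured traffic); all values are made up.
SAMPLE_STANZAS = [
    "<iq xmlns='jabber:client' type='result' from='alice@example.org/phone' id='v1'>"
    "<query xmlns='jabber:iq:version'><name>ExampleClient</name>"
    "<version>1.2.3</version><os>Android 7.1</os></query></iq>",
    "<presence xmlns='jabber:client' from='alice@example.org/ExampleClient.a1b2'>"
    "<c xmlns='http://jabber.org/protocol/caps' hash='sha-1' "
    "node='https://client.example' ver='constructed-hash='/></presence>",
    "<message xmlns='jabber:client' from='alice@example.org/phone' type='chat'>"
    "<body>hi</body></message>",
]

def audit_stanza(xml_text):
    """Return (field, value) pairs in one stanza that describe the client."""
    root = ET.fromstring(xml_text)
    findings = []
    # XEP-0092 reply: name, version and OS go in clear to whoever asked.
    query = root.find(f"{{{NS_VERSION}}}query")
    if query is not None and root.get("type") == "result":
        for tag in ("name", "version", "os"):
            el = query.find(f"{{{NS_VERSION}}}{tag}")
            if el is not None and el.text:
                findings.append((f"version.{tag}", el.text))
    # XEP-0115 caps in presence: 'node' is normally a URL naming the client.
    caps = root.find(f"{{{NS_CAPS}}}c")
    if caps is not None and caps.get("node"):
        findings.append(("caps.node", caps.get("node")))
    # The resource part of the sender JID often defaults to the client name.
    sender = root.get("from", "")
    if "/" in sender:
        findings.append(("jid.resource", sender.split("/", 1)[1]))
    return findings

def audit(stanzas):
    """Map stanza index to its findings."""
    return {i: audit_stanza(s) for i, s in enumerate(stanzas)}

if __name__ == "__main__":
    for idx, found in audit(SAMPLE_STANZAS).items():
        print(idx, found)
```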


Wait are you just looking to encrypt SMS? The guys who made Signal made TextSecure beforehand, just use that.


WOW reading comprehension, I literally just saw you mentioning TextSecure in your main post. Disregard.