[guardian-dev] [Oi2-dev] Silent Circle Source

Abel Luck abel at guardianproject.info
Mon Nov 12 15:29:07 EST 2012


Lee Mozzarella:
> ZRTP exchanges the SAS in band but verifies it out of band. It could
> be the same architecture.

Yea, but this is chat over XMPP, there is no "out of band" when you're
only typing. The SAS is being used to authenticate the integrity of the
crypto securing the chat messages.

If they said to exchange SAS over voice, or some other medium, sure, but
their site explicitly says:

 "To authenticate an SAS just confirm the new SAS by having the
  recipient of your message, text you back the words of the SAS as they
  appear on their device."

~abel

> 
> I'll browse the source. I can at least read Obj-C now and I have an
> unlocked iPhone 5!
> 
> -lee
> 
> On Mon, Nov 12, 2012 at 12:08 PM, Abel Luck <abel at guardianproject.info> wrote:
>> Abel Luck:
>>> it's coming... https://github.com/SilentCircle
>>>
>>> (some of it at least)
>>
>>
>> Just casually browsing the repo [1] here are some initial observations:
>>
>> * it looks like this is their XMPP client for iOS / OS X and supporting C
>> libs
>> * it's BSD 3-clause licensed [2]
>> * uses its own messaging protocol on top of XMPP (Silent Circle Instant
>> Messaging Protocol aka SCimp) [3] (note, this is not OTR)
>> * doesn't appear to support user to user authentication, but supports
>> some sort of ZRTP like Short Authentication String [4]
>>
>> Something worrying is that the SAS seems to be designed to be exchanged
>> in-band.
>>
>> That is, the users type the SAS to each other to ensure it is identical,
>> but if you're being MITMed that won't do you much good (remember SAS is
>> to detect MITM).
>>
>> According to their site [5] they use push notifications for background
>> messaging.
>>
>> Would be awesome if an iOS / obj-c developer could examine it further
>> (Chris?).
>>
>> ~abel
>>
>>
>> [1]: https://github.com/SilentCircle/silent-text
>> [2]:
>> https://github.com/SilentCircle/silent-text/blob/master/PROJECT%20README
>> [3]:
>> https://github.com/SilentCircle/silent-text/blob/master/SilentChat/SilentChat/SilentChat/SCPP/XMPPSilentCircle/XMPPSilentCircle.h
>> [4]:
>> https://github.com/SilentCircle/silent-text/blob/master/SilentChat/SilentChat/SilentChat/App/ConversationManager.m#L814
>> [5]: https://silentcircle.com/web/faq/
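
An added example (not code from this thread, from Silent Circle, or from SCimp) that models the point made above: an SAS confirmed by typing it back through the same chat cannot detect a relaying MITM, while comparing the two screens out of band does. The toy Diffie-Hellman group, the hex SAS rendering and the names Alice, Bob and Mallory are assumptions made for the illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters, constructed for illustration only:
# 2**127 - 1 is prime, but a group this small is useless in practice.
P = 2**127 - 1
G = 3

def public_key(priv):
    return pow(G, priv, P)

def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P)

def sas_for(secret):
    # Short Authentication String: truncated hash of the session secret.
    # Real clients render it as words; hex keeps this example short.
    return hashlib.sha256(secret.to_bytes(16, "big")).hexdigest()[:8]

def run_session(mitm, a_priv, b_priv, m_priv):
    # With mitm=True Mallory relays the key exchange and the chat, so each
    # endpoint really shares a key with Mallory and the two SAS values differ.
    a_pub, b_pub, m_pub = (public_key(k) for k in (a_priv, b_priv, m_priv))
    if mitm:
        sas_alice = sas_for(shared_secret(a_priv, m_pub))
        sas_bob = sas_for(shared_secret(b_priv, m_pub))
    else:
        sas_alice = sas_for(shared_secret(a_priv, b_pub))
        sas_bob = sas_for(shared_secret(b_priv, a_pub))
    # In-band confirmation as the quoted FAQ describes: Alice types her SAS
    # into the chat and Bob texts back what he sees on his own screen.
    msg_to_bob = f"my SAS is {sas_alice}"
    if mitm:
        # Mallory already decrypts and re-encrypts every message, so the SAS
        # is just another string to rewrite before forwarding it on.
        msg_to_bob = msg_to_bob.replace(sas_alice, sas_bob)
    reply = sas_bob if msg_to_bob.split()[-1] == sas_bob else "MISMATCH"
    if mitm:
        reply = reply.replace(sas_bob, sas_alice)
    inband_ok = reply == sas_alice
    # Out-of-band: the humans compare their own screens over a channel
    # Mallory does not sit on (voice call, in person).
    outofband_ok = sas_alice == sas_bob
    return {"alice": sas_alice, "bob": sas_bob,
            "inband_ok": inband_ok, "outofband_ok": outofband_ok}

if __name__ == "__main__":
    keys = [secrets.randbelow(P - 2) + 1 for _ in range(3)]
    print("no MITM:", run_session(False, *keys))
    print("MITM   :", run_session(True, *keys))
```

Running it shows the in-band check reporting success in both runs, which is exactly why it tells the users nothing; only the out-of-band comparison flips to False when Mallory is in the path.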