[guardian-dev] Key verification removed from TextSecure

Bernard Tyers - ei8fdb ei8fdb at ei8fdb.org
Fri May 31 06:33:28 EDT 2013



What are the implications for the security and verification of the user's SMS in this case?

To me that seems like: if the initial SMS is bogus, then the rest of the conversation can be bogus?

Is there any idea of the reasoning for this change? Technical, commercial?

I guess overall: how much more or less secure is the user because of this change?


The only information I can find on TOFU (TUFU) is:

http://en.wikipedia.org/wiki/User:Dotdotike/Trust_Upon_First_Use
http://defcon.org/html/defcon-18/dc-18-speakers.html#
http://static.usenix.org/events/usenix08/tech/full_papers/wendlandt/wendlandt_html/index.html

Anyone got any other info?

Thanks,
Bernard


On 31 May 2013, at 00:07, Abel Luck wrote:

> TextSecure no longer supports the concept of "verified" and
> "unverified", instead Moxie has moved to this concept of an identity key
> combined with TOFU POP.
> 
> "There is no longer a concept of "verified" or "unverified."
>   Only "what we saw last time" and "different from last time."
> See:
> https://github.com/WhisperSystems/TextSecure/commit/24fc93e9aeb5d0810eb9c7e7d79da019b84035f5
> 
> ~abel
> 

--------------------------------------
Bernard / bluboxthief / ei8fdb

IO91XM / www.ei8fdb.org
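
The "what we saw last time" / "different from last time" model from the quoted message, and the first-SMS question raised above, as an added example: a generic trust-on-first-use pin store written for this page, not TextSecure's code. The class, function names and keys are all constructed for illustration.

```python
import hashlib

# Constructed byte strings standing in for public identity keys.
ALICE_KEY = b"constructed-identity-key-alice"
OTHER_KEY = b"constructed-identity-key-substituted"


def fingerprint(identity_key: bytes) -> str:
    """Short digest a person can read out over another channel."""
    return hashlib.sha256(identity_key).hexdigest()[:16]


class TofuStore:
    """Hypothetical pin store: one remembered fingerprint per contact."""

    def __init__(self):
        self._pins = {}

    def observe(self, contact: str, identity_key: bytes) -> str:
        seen = fingerprint(identity_key)
        pinned = self._pins.get(contact)
        if pinned is None:
            self._pins[contact] = seen  # nothing to compare with: accepted as-is
            return "first-use"
        if pinned == seen:
            return "same-as-last-time"
        return "different-from-last-time"  # pin kept; the caller must warn the user

    def matches_out_of_band(self, contact: str, read_out: str) -> bool:
        """Compare the pin with a fingerprint obtained in person or by phone."""
        return self._pins.get(contact) == read_out


def run_scenario(first_key: bytes):
    """Pin first_key for 'alice', then see what later checks report."""
    store = TofuStore()
    states = [
        store.observe("alice", first_key),   # initial key exchange
        store.observe("alice", first_key),   # later message, same key
        store.observe("alice", ALICE_KEY),   # Alice's genuine key shows up
    ]
    verified = store.matches_out_of_band("alice", fingerprint(ALICE_KEY))
    return states, verified


if __name__ == "__main__":
    print(run_scenario(ALICE_KEY))  # genuine key pinned first
    print(run_scenario(OTHER_KEY))  # substituted key pinned first
```

When the substituted key is pinned first, the store reports nothing unusual until the genuine key appears, and only the out-of-band fingerprint comparison tells the two scenarios apart from the start.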


