[guardian-dev] Threema "Seriously secure mobile messaging"

ShootAKite at riseup.net ShootAKite at riseup.net
Wed Mar 19 00:28:56 EDT 2014


openssl connected with PFS ciphersuite ECDHE-RSA-AES256-SHA which is
cool and 'openssl s_client -connect www.threema.ch:443

Since we are on the topic of cipher suites Lee and n8fr8 may want to
check the output of these commands:
$ openssl s_client -connect ostel.co:5061 -cipher LOW
$ openssl s_client -connect guardianproject.info:443 -cipher MEDIUM
A


$ openssl s_client -connect www.threema.ch:443
CONNECTED(00000003)
depth=1 C = CH, O = SwissSign AG, CN = SwissSign Server Gold CA 2008 - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=CH/ST=Zurich/L=Zurich/O=Kasper Systems
GmbH/OU=Threema/CN=threema.ch/emailAddress=info at kaspersystems.ch
   i:/C=CH/O=SwissSign AG/CN=SwissSign Server Gold CA 2008 - G2
 1 s:/C=CH/O=SwissSign AG/CN=SwissSign Server Gold CA 2008 - G2
   i:/C=CH/O=SwissSign AG/CN=SwissSign Gold CA - G2
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGQDCCBSigAwIBAgIQAOf7UIUHgYMSX+vHZVYaCTANBgkqhkiG9w0BAQUFADBR
MQswCQYDVQQGEwJDSDEVMBMGA1UEChMMU3dpc3NTaWduIEFHMSswKQYDVQQDEyJT
d2lzc1NpZ24gU2VydmVyIEdvbGQgQ0EgMjAwOCAtIEcyMB4XDTEzMDgyMDA4MDU0
MloXDTE1MDgyMDA4MDU0MlowgZoxCzAJBgNVBAYTAkNIMQ8wDQYDVQQIEwZadXJp
Y2gxDzANBgNVBAcTBlp1cmljaDEcMBoGA1UEChMTS2FzcGVyIFN5c3RlbXMgR21i
SDEQMA4GA1UECxMHVGhyZWVtYTETMBEGA1UEAxMKdGhyZWVtYS5jaDEkMCIGCSqG
SIb3DQEJARYVaW5mb0BrYXNwZXJzeXN0ZW1zLmNoMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAk3YGMnEYHw+7D2PXECJPJfIE+rmvDamLmi4ds9MUDPDS
bspxiGy2NHmdRERAS0ksr43dxWqu1izQrKaeT1sPFVimfjyd9Ahy4mvxf4F4hnfu
qoMr7Lon53fcGt2H820FW5Rh+6HaPMT+7bVDlCspeERN+vnrAd6+UEFJCxZgRMXh
EVzj4evhA1mc3NsPKw6zjwv0NjYaudPHg7gazt0MRM6S7fAm4uDs47AhCXxECtAH
GsTgB4rYW2gpavd2+9lGlZ+qt9oBe1ufA+7rHJLhQeAOifzlEt0uFuXaIyjsy3Kg
0Du9pceH0VHSAhjHZu96UwZE9r1FCU3sMbtJMosOCQIDAQABo4ICyDCCAsQwFQYD
VR0RBA4wDIIKdGhyZWVtYS5jaDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI
KwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBRjIomJQkMMOxiUhqTNM452oJX9
RTAfBgNVHSMEGDAWgBSXdt4KNOUQmkDE69idWlN7IcxHPjCB/wYDVR0fBIH3MIH0
MEegRaBDhkFodHRwOi8vY3JsLnN3aXNzc2lnbi5uZXQvOTc3NkRFMEEzNEU1MTA5
QTQwQzRFQkQ4OUQ1QTUzN0IyMUNDNDczRTCBqKCBpaCBooaBn2xkYXA6Ly9kaXJl
Y3Rvcnkuc3dpc3NzaWduLm5ldC9DTj05Nzc2REUwQTM0RTUxMDlBNDBDNEVCRDg5
RDVBNTM3QjIxQ0M0NzNFJTJDTz1Td2lzc1NpZ24lMkNDPUNIP2NlcnRpZmljYXRl
UmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Q
b2ludDBiBgNVHSAEWzBZMFcGCWCFdAFZAQIBBTBKMEgGCCsGAQUFBwIBFjxodHRw
Oi8vcmVwb3NpdG9yeS5zd2lzc3NpZ24uY29tL1N3aXNzU2lnbi1Hb2xkLUNQLUNQ
Uy1SNS5wZGYwgdUGCCsGAQUFBwEBBIHIMIHFMGQGCCsGAQUFBzAChlhodHRwOi8v
c3dpc3NzaWduLm5ldC9jZ2ktYmluL2F1dGhvcml0eS9kb3dubG9hZC85Nzc2REUw
QTM0RTUxMDlBNDBDNEVCRDg5RDVBNTM3QjIxQ0M0NzNFMF0GCCsGAQUFBzABhlFo
dHRwOi8vZ29sZC1zZXJ2ZXItZzIub2NzcC5zd2lzc3NpZ24ubmV0Lzk3NzZERTBB
MzRFNTEwOUE0MEM0RUJEODlENUE1MzdCMjFDQzQ3M0UwDQYJKoZIhvcNAQEFBQAD
ggEBADucPNanJP+O771iKJxJXz56fdErXmrAqhercaSVVznJmSxvEkTOMkYIdV7Z
tpP5zOFTF+Ezjv3CVCMgjlMjBs9N+jeFv4rjqCud82MTYWsxyL5ZzErlLqju7InG
2s8rcbASbygxfB4waAJWxHmSzlAphoPrOAAcZckHowXhKc03NbAXjpts4EnlyRXD
ctUaoqMWgtOftqhULB7MUtk20QSPyLq3P9uM8pSm11YhNT4j4f8j6KltEiGz1FM/
fS8/J2TPTcst8P8+PVrq5iswaw6TNnqJkrdf5asRUuOP8xjyFuGhzoouoG6fzXLC
KRNTgSyVLOV5jJA3hx4gI5A4EKg=
-----END CERTIFICATE-----
subject=/C=CH/ST=Zurich/L=Zurich/O=Kasper Systems
GmbH/OU=Threema/CN=threema.ch/emailAddress=info at kaspersystems.ch
issuer=/C=CH/O=SwissSign AG/CN=SwissSign Server Gold CA 2008 - G2
---
No client certificate CA names sent
---
SSL handshake has read 3922 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID:
0B9D68C18AE54276A10C4F6B4FBDA826461DC24D03E589B7A4A56AD1788376F3
    Session-ID-ctx:
    Master-Key:
47B558A1CAC1CBDD679F4236E8D56AE8A30F8A5302E503BBCDE25493D8359B7796B176C7933B8AD9DB119AFCEA62E7B6
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 1800 (seconds)
    TLS session ticket:
    0000 - 84 29 23 dd 38 1f 7c 72-07 fd 01 5a c3 4f 04 cb  
.)#.8.|r...Z.O..
    0010 - 0a 82 3f 5a 1a ee cd d3-aa a3 bb c6 59 e8 aa 12  
..?Z........Y...
    0020 - 06 3e 26 46 2a cc ac b7-be cb 2f 14 01 11 73 4a  
.>&F*...../...sJ
    0030 - 95 a0 33 7b 0e ac 06 66-26 c5 c1 97 39 a2 f3 39  
..3{...f&...9..9
    0040 - 78 67 18 67 d2 b7 59 82-80 bd c8 13 e2 6e 24 a1  
xg.g..Y......n$.
    0050 - 0c cf 82 7e b9 57 30 ea-d0 8d 48 86 00 0d 39 95  
...~.W0...H...9.
    0060 - 27 49 26 6d d6 f8 6a 52-11 47 7b f4 da 9b 54 9c  
'I&m..jR.G{...T.
    0070 - 61 6a 15 8b 43 8b ac 48-31 c3 9b 89 ed e1 c7 ac  
aj..C..H1.......
    0080 - 5a a5 7c a9 2a 23 a3 97-d4 6c 03 40 8a 32 5c 9f  
Z.|.*#...l. at .2\.
    0090 - b6 ca d0 77 a4 3f 50 07-42 2f c8 61 64 30 78 a7  
...w.?P.B/.ad0x.

    Start Time: 1395200564
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
closed

On 03/17/2014 11:09 AM, Dominik Schürmann wrote:
> Hi,
>
> not very detailed but a good start:
> https://www.os3.nl/_media/2013-2014/courses/ssn/projects/threema_report.pdf
>
> Regards
> Dominik
>
> On Sun, 2014-03-16 at 17:09 +0100, Pasquale Stirparo wrote:
>> Hi,
>>
>> Has anyone had the chance to analyze/go through Threema?
>> Ok, being closed source doesn't play on its favour, but it seems to use
>> standard and robust mechanisms to secure both data in transit and stored,
>> other than being "privacy friendly" by not storing the conversation in
>> clear on their servers and by not uploading automatically the users address
>> book.
>>
>> Any thoughts?
>> Thanks
>>
>> https://threema.ch/en/
>> https://threema.ch/en/faq.html --> Security section
>> https://threema.ch/validation/
>>
>>
>> P.
>>
>> _______________________________________________
>> Guardian-dev mailing list
>>
>> Post: Guardian-dev at lists.mayfirst.org
>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>
>> To Unsubscribe
>>         Send email to:  Guardian-dev-unsubscribe at lists.mayfirst.org
>>         Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/dominik%40dominikschuermann.de
>>
>> You are subscribed as: dominik at dominikschuermann.de
>
>
> _______________________________________________
> Guardian-dev mailing list
>
> Post: Guardian-dev at lists.mayfirst.org
> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>
> To Unsubscribe
>         Send email to:  Guardian-dev-unsubscribe at lists.mayfirst.org
>         Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/shootakite%40riseup.net
>
> You are subscribed as: shootakite at riseup.net



More information about the Guardian-dev mailing list