Threema: analysis of a secure messenger

[EDIT: 09.01.2023]: Threema has reacted to the publication in bold terms: The [research] paper is based on an old protocol that is no longer in use. The presented findings do not apply to Threema’s current communication protocol “Ibex” or have already been addressed. None of them ever had any considerable real-world impact. See how the story develops. Threema is a Swiss encrypted messaging application which has been widely advertised as a secure alternative to Signal, WhatsApp or Wire....

January 9, 2023 · 3 min · 9x0rg

Telling users to ‘avoid clicking bad links’ isn’t working

Abstract: Telling users to ‘avoid clicking bad links’ still isn’t working by David C. - Technical Director for Platforms Research and Principal Architect - NCSC (UK) Why organisations should avoid ‘blame and fear’, and instead use technical measures to manage the threat from phishing. Infosec tenets simply don’t work Advising users not to click on bad link: users frequently need to click on links from unfamiliar domains to do their job, and being able to spot a phish is not their job...

December 28, 2022 · 2 min · 9x0rg

Ditching WhatsApp [updated]

[First published on September 05, 2016] I am ditching WhatsApp, following Facebook’s decision to begin harvesting data from its messaging service. Even though Motherboard claims “it may be possible to prevent WhatsApp to give your phone number to Facebook” (LOL) WhatsApp will still harvest your metadata. “Sharing metadata with Facebook still exposes users to significant risks,” says Claire Gartland, consumer protection counsel for the Electronic Privacy Information Center. “Facebook will have data indicating who WhatsApp users communicate with and how frequently, and connecting WhatsApp users with their social media accounts and broader online activity, associations, political affiliations, and more....

June 14, 2018 · 2 min · 9x0rg

Chiffrement de messagerie instantanée: à quel protocole se vouer?

Vu sur le site de l’ANSSI: Accompagnant la prise de conscience généralisée du besoin de sécuriser ses communications électroniques, de nombreuses applications de messagerie (quasi) instantanée ont fait leur apparition sur les ordiphones. Toutes annoncent un haut niveau de sécurité, laissant ainsi l’utilisateur dans le doute, vis-à-vis du niveau réel de sécurité à escompter. Donc, que privilégier entre Signal, Telegram ou XMPP? Je ne cite pas WhatsApp/Facecrook à dessein, hein....

November 15, 2017 · 1 min · 9x0rg

A brief history of GnuPG

A brief history of GnuPG: vital to online security but free and underfunded Donate to GnuPG. Most people have never heard of the software that makes up the machinery of the internet. Outside developer circles, its authors receive little reward for their efforts, in terms of either money or public recognition. One example is the encryption software GNU Privacy Guard (also known as GnuPG and GPG), and its authors are regularly forced to fundraise to continue the project....

October 13, 2017 · 3 min · 9x0rg

The CIA didn't break Signal App

The CIA didn’t break Signal or WhatsApp… despite what you’ve heard. The agency might be able to break into your phone, but files released today show no ability to intercept encrypted chats before they arrive there. There’s been one particularly misleading claim repeated throughout coverage of CIA documents released by WikiLeaks today: that the agency’s in-house hackers “bypassed” the encryption used by popular secure-chat software like Signal and WhatsApp. It doesn’t....

March 8, 2017 · 2 min · 9x0rg

About backdoors in Signal App

… or why it’s useless to have the most secure crypto system in the world, when using non-free and untrustworthy tools and libraries to implement it. tl;dr: There is a “backdoor” in Signal nobody cares about, only Google can use it. – ~ larma/blog

January 21, 2017 · 1 min · 9x0rg

Why I won’t recommend Signal anymore (damn'it)

I don’t like WhatsApp - I don’t mean the app by itself, it’s a great app - but its owner, Facebook. And I don’t like Facebook owner, Mark. Mark Zuckerberg bought WhatsApp for a whooping USD 19 Billion in 2014. Why would you do that? When you invest such a mahoosive amount of money in an instant messenger, you probably expect a mahoosive return on investment, right? Unless it’s about philanthropy....

November 6, 2016 · 2 min · 9x0rg

Principes de cryptologie et chiffrement -

Comprendre les grands principes de la cryptologie et du chiffrement – La cryptologie ne se limite plus aujourd’hui à assurer la confidentialité des secrets. Elle s’est élargie au fait d’assurer mathématiquement d’autres notions : assurer l’authenticité d’un message ou encore assurer son intégrité. Pour assurer ces usages, la cryptologie regroupe quatre principales fonctions : le hachage avec ou sans clé, la signature numérique et le chiffrement. Les usages de la cryptographie...

October 29, 2016 · 1 min · 9x0rg