[kwlug-disc] Secure IM news

locklin.jason at gmail.com locklin.jason at gmail.com
Thu Nov 24 09:49:39 EST 2016


On Wed, 23 Nov 2016 16:28:32 -0500
Nick Guenther <nguenthe at uwaterloo.ca> wrote:
> I'm super happy about their work here, even though they unfortunately don't federate. It's too long that crypto geeks and the needs of the general public have been totally at odds, and to our peril because without security by default (i.e. everyone being on board) there will always be massive leaks---like how you plan your holidays with google calendar and unencrypted webmail.
> 
> > the ability to do e2e encrypted group IM.
> > https://medium.com/@RiotChat/exciting-new-riot-release-get-ready-for-chatting-securely-acc93ecfe0a
> 
> I am suspicious here; encrypted group chat is really hard. Does the server hand out keys when new people join? They say users can blacklist each other, but blacklists are weak: just come back under a different key. And it's claiming end-to-end encryption, but for the same reason the server could generate fake users at will. If they have or add a whitelist mode, every new user would have to be approved by every other new user; maybe users could delegate their trust to an OP deciding on who to whitelist, though.

I haven't played with it, but e2e encrypted channels are invite-only. Someone in the channel must invite a 
new party (obviously, as with any encrypted chat, you have to trust everyone inside). The UX is
pretty terrible, but they literally just implemented the nuts and bolts in the last couple months. There are
certainly ways that they could set up access controls. You may want to read the security audit, as it's published.
It did identify several concerns with the design.

I agree though, that in general, the larger the group, the less private it's going to be, and e2e can't fix that. 
You have more chinks in the armor. However, I don't know of a strict upper limit on the group size. A tight-knit
community, for instance, may be able to securely manage access to a private communication channel for a rather large 
group, given the right technology. 
