>proven to be the most secure messaging protocol >implemented in Whatsapp >implmented in Wire (Skype employees made their own client) >implemented in Google Allo >implemented in Facebook >will probably be implemented in other proprietary messaging protocols that we will be forced to use
What's keeping the open source community from taking the Signal (Axolotl) protocol and building a truly free, truly anonymous, truly platform-agnostic IM client that is everything that Sup Forums wants?
Or are we going to keep pretending that Tox and other shitty protocols like Telegram are secure?
Or are we going to just bend over and take it up the ass and use Google Play Services to use Signal?
u seem to be mistaken senpai the only for a closed source thing to be secure would be that their is only one incineration,one copy that is heavily encrypted that not even the man behind it could decrypt it
Asher Hughes
Ever heard of XMPP with OMEMO?
Thomas Davis
>It's only secure because it isn't open source.
Axolotl is open source you dumb nigger.
Christian Rogers
Only works with one Android client
Alexander Gray
What is Silence?
Evan Cruz
Not an IM client.
Logan Foster
To become popular messenger app should "just werk" and have huge ad budget. Open source don't have money, not allowed into appstore/playmarket, and tinfoil-hat paranoics cant make it easy to use (eg without phone number and push services).
Lucas Phillips
what's stopping Sup Forums from just removing the google play services and the phone number requirement? aside from that it's safe no?
Justin Myers
Because the dude goes apeshit, see libresignal
Isaac Evans
You're free to! Just don't use the Signal name and servers, or Moxie will bitch at you.
Logan Bennett
libresignal failed because this no one is stopping the libresignal devs from using their own servers, of course they'll need some money for it but that's why donations exist in the first place
Jordan Diaz
>truly anonymous Important point: the Signal protocol (Axolotl) does not provide anonymity. It does not protect metadata.
An overlay network on top of that potentially could, but be aware that garlic/onion routing (as in I2P or Tor) is designed to support interactive low-latency sessions, and is not resistant to a global passive attacker performing correlation or confirmation. If you're willing to tolerate a little more latency (in my own tests so far, my test users are, for everything except voice and video) as in the partial connection scenario Axolotl was designed for, a stronger form of mixnet can provide that protection.
I am working on that. I am over 10 years into the research, and more research is needed, but we are now beginning to get close to some kind of usable designs. However I'm having to design forward enough for the future that I'm also thinking post-quantum exchanges would be a good idea too, and turning my attention to possibly NTRUPrime, or the Ring-LWE ones like NewHope, or even that supersingular isogeny elliptic curve one that looks extraordinarily interesting. Curve25519 is great now, but I think by the time I'm done, and looking forward to the amount of time I'd like the crypto to be solid, I maybe want to hedge my bets by securely combining both (agl and co is experimenting with this in Chrome for Google, using NewHope).
If you want to actually design a practical network, proof against Nation State Adversaries doing mass surveillance, including social network analysis, you've got a very hard problem on your hands indeed.
However I do feel that OP has a solid idea and this would be a benefit. I use Signal as a phone messenger, but I'd far prefer to have something more IRC-like as I really, really don't like the phone number requirement; phone numbers are a potential attack vector on several levels.
t. helped Trevor Perrin review Noise, a strong transport layer framework.
Camden Gray
But it's written in Java.
Brody Garcia
well fuck, how hard it will be to develop an application that fits what you just wrote? and how hard it's going to be to make servers for it?
The solid and obvious idea that it'd be really great to do what is basically Tox-but-uses-Axolotl? Maybe not that hard. You could probably work from Tox.
Bear in mind that any P2P messenger like that without additional protection means that any random with an appropriate tool can look IP addresses up from nyms - just like with Skype before it went centralised again.
I'm not saying that's inappropriate for an interim solution, as long as (like Tor, I2P and other tools) everyone is clearly aware of what it can and can't do, and no-one writes security cheques promises that the technology can't actually cash.
Lots of people need solutions that address the most immediate and obvious problems now. I really commend Moxie's fantastic efforts for that (although I disagree with him on syndication, or that phone numbers should be the only ID for Signal).
The comprehensive solution I'm working on, in a way that addresses the aspects of the threat model I raise? A lot harder than Signal and Noise: those are merely two useful components among many.
It requires probably 2-5 years more research I think, including some very hard security proofs, and after - or ideally partially in parallel with that - actual development of a secure reference implementation (beyond simple research prototypes) with solid, secure code. Considering people's lives rely on this type of thing, this definitely shouldn't be some "move fast and break things" type summer project from a couple of interns. Sorry. Proper science and engineering is hard and takes a bloody long time. I'm playing the long game here: someone has to. But I've broken components of prototypes out and helped with a few other projects along the way.
My general design is autonomous and decentralised, with full participant "nodes" and mobile/low-bandwidth/low-energy "points" (borrowed terminology from oldschool FidoNet Technology Networks). I would not/cannot/should not run any servers.
Christian Rogers
>Not using XMPP + OTR
Evan Flores
It's implemented in Signal you dumb fuck.
Andrew Ortiz
Google Services Framework/phone number dependencies
Brayden Diaz
Signal (app) is also completely centralized
Asher Cooper
If it's connected to the internet. It is no longer secure or private.
Daniel Scott
>no centralized servers how do they start conversation ?
Christian Perez
It's only secure because it is open source.
Just like all the unbreakable things today. Everything closed source gets broken constantly
James Jones
go be an idiot somewhere else
Brandon Price
hope to see your project como to life user, so we're fucked atm? is there something we can do?
Jaxon Lee
>It's only secure because it is open source. How many anons on Sup Forums are qualified to audit FOSS code? Do either of you ever spend any time actually auditing code on FOSS projects? The fantasy that "experts" with years of experience spend countless hours scanning open source code for bugs is rubbish. Even popular and heavily used code included in commercial products is constantly called out by vulnerabilities exposed by exploits. If it wasn't for the exploits the bugs would go unseen.