#1 By: Cory Doctorow, December 10th, 2013 10:01
#2 By: marco, December 10th, 2013 10:11
Even exchanging SMS messages with someone who doesn't use TextSecure, there is some benefit - you still get locally encrypted storage of all SMS messages on your phone. That means (as long as you have set your passphrase timeout appropriately and such) that if your phone is seized by police / your nosy sibling, they will not have access to all your stored conversations.
#3 By: Eli, December 10th, 2013 10:43
Good point, though if the police want your SMS messages, they'll just ask your carrier for them (yep, they're stored for quite a while).
#4 By: Nonentity, December 10th, 2013 11:10
In the event your receiving party isn’t on CM or using TextSecure, the implementation will silently fall back to a normal SMS message (unencrypted).
This of course opens the question of whether it's possible for a third party to make it look like the recipient isn't using encryption, to remove the benefit by forcing the fallback.
#5 By: Cary, December 10th, 2013 13:24
Piggy-backing on the FreeBSD post: Does it use a hardware based random number generator?
#6 By: marco, December 10th, 2013 14:47
Absolutely right - it's some protection, but not strong.
In at least some jurisdictions, arresting officers can look through a cellphone without a warrant, if there's no password lock on it. Where the arrestee has taken some measures to protect their privacy, that needs a warrant, the same as requesting texts from the carrier (again - depending on jurisdiction"
So, in this case, it might raise the protection to the level of requiring a warrant.
#7 By: marco, December 10th, 2013 14:48
Once you've established encrypted communication, I don't think it is possible to force a fallback without the sender's approval.
#8 By: Eli, December 10th, 2013 15:11
I think it's smarter than you give it credit for... but it almost doesn't matter at this stage. Consumer crypto fails because it's really hard to get people to use it, not because advanced attackers subvert it. If the defaults are too weak they can be adjusted later.... but if this app doesn't fail silently, it will be a hassle to use and I will disable it.
#9 By: gilbert wham, December 10th, 2013 15:39
They'll give you fifteen years if you don't fork over the password here, like.
#10 By: marco, December 10th, 2013 18:30
I'm not quite sure what you mean - I've used the app for over a year; it's not hard to use and only gotten better with time.
Also, what do you mean by "smarter than you give it credit for"? If an attacker can force the app to send plaintext when the sender means to encrypt, there's no way of spinning that as "smart".
#11 By: teapot, December 10th, 2013 19:43
This is already doable with 3rd party apps across all platforms.
★ WORKS ON EVERY PLATFORM: Android with ChatSecure, iPhone with ChatSecure, Mac with Adium, Linux with Jitsi, Windows with Pidgin, and more!
If you run it with Orbot (android tor proxy) you're as anonymised as you can be.
#12 By: Cory Doctorow, December 15th, 2013 10:01
This topic was automatically closed after 5 days. New replies are no longer allowed.