Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Communications EU Encryption

EU Commission To Staff: Switch To Signal Messaging App (politico.eu) 46

The European Commission has told its staff to start using Signal, an end-to-end-encrypted messaging app, in a push to increase the security of its communications. From a report: The instruction appeared on internal messaging boards in early February, notifying employees that "Signal has been selected as the recommended application for public instant messaging." The app is favored by privacy activists because of its end-to-end encryption and open-source technology. "It's like Facebook's WhatsApp and Apple's iMessage but it's based on an encryption protocol that's very innovative," said Bart Preneel, cryptography expert at the University of Leuven. "Because it's open-source, you can check what's happening under the hood," he added. Signal was developed in 2013 by privacy activists. It is supported by a nonprofit foundation that has the backing of WhatsApp founder Brian Acton, who had left the company in 2017 after clashing with Facebook's leadership.
This discussion has been archived. No new comments can be posted.

EU Commission To Staff: Switch To Signal Messaging App

Comments Filter:
  • It's ok to stick with the proven encryption protocols. Rolling their own sounds like a recipe for disaster.
    • Re: (Score:2, Insightful)

      I sure hope they'll include a back door in the version of Signal they're using. I mean, all the governments want back doors, right?

    • by VTEX ( 916800 ) on Monday February 24, 2020 @11:31AM (#59761004)
      This is typically true, but the Signal protocol has been audited by several institutions since its creation.

      Additionally, here is a link [iacr.org] to a formal security analysis of the protocol.
    • It uses standard solutions, plus some innovative additions. And everyone's copying Moxie since. :)

      Plus, TLS is just fundamentally wrong for a peer to peer network anyway. Apart from having too many moving parts and optional inferior bits left in for backwards compatibility.

      Keep calm, look at the code, and never underestimate Moxie. :)

    • Very bad description (Score:5, Interesting)

      by DrYak ( 748999 ) on Monday February 24, 2020 @12:00PM (#59761188) Homepage

      It's ok to stick with the proven encryption protocols. Rolling their own sounds like a recipe for disaster.

      So many errors in this quote:

      - Signal hasn't invented a new encryption at all. It's using the industry established AES under the hood for the actual encryption step.
      - Signal hasn't invented other cryptographic function either, it's using well researched and studied primitives (e.g.: curve 25519).
      - What Moxie Marlinspike has done is to evolve the handshake, from OTR (off the record, previously used by e.g.: pidgin to encrypt message atop of legacy messaging networks) and evolve it into the Axolotl Ratchett (among other, better for out-of-sync offline message, multiple participants chats, etc.). This evolution has been done in the open, with review being done by others, etc. it has been rolled very carefully and very slowly.

      In short, it's not "I hAVe inVEntED a NEW ENcryptIOON!"
      It's reviewed and audited work tha thas been done on sound bases.

      Also:
      - Actually, Facebook has said that they use the exact same encryption protocol for WhatsApp and Messenger. The interesting part isn't the encryption (or more precisely, the handshake, as mentionned above), as that part has been taken up by the competition.
      - The interesting part is the opensource part. From the beginning Signal has been developed in the open and has been reviewed. There are audits having been done on the code, we know the code is safe for use. And because it's opensource you can even compile your own. Or have a special repository like F-Droid do the compilation for you.
      - Meanwhile, WhatsApp and Messangers are blobs. You have to trust Facebook's promises that they actually implement the protocol. For what you know, they might actually only be pretending but actually implementing a double ROT-13 based encryption. Or they might be running the Signal protocol straight from Open Whisper systems and implementing a perfect end-to end encryption channel to your smartphone app, but then implementing a backdoor in said app that will leak the "perfectly securely received" content back to any government agency. Or any advertiser.
      But you have to trust Facebook. Because there's no way to check the closed source blobs (save for extensive reverse engineering of the whole app's binary/bytecode to see if it really does what FB pretends it does).

      So TL;DR:
      No it's not the algorithm itself that is important to the EU.
      It's the fact that its developed openly which gives to important critical consequences:
      - It can (and has been) reviewed and deemed good by professionals in the field.
      - You can have ways to verify that your are actually running safe code and not need to take Facebook's words for it.

    • by Minupla ( 62455 )

      I agree with the premise in most cases. I like the http://www.moserware.com/2009/... [moserware.com] solution to this problem: "I ____ promise that once I see how simple AES really is, I will not implement it in production code even though it would be really fun. This agreement shall be in effect until the undersigned creates a meaningful interpretive dance that compares and contrasts cache-based timing and other side channel attacks and their countermeasures."

      Now having seen https://en.wikipedia.org/wiki/... [wikipedia.org] talk a numb

  • by layabout ( 1576461 ) on Monday February 24, 2020 @11:11AM (#59760904)
    Communications within a government agency should be preserved and archived for compliance with public records law. If they want confidentiality of communication, then they should fork the signal project, modify it to record and upload all messages to a government archives site in a way analogous to how government emails preserved for public records
    • End to end encryption and confidentiality do not preclude archivation. You'll have to manage that at the endpoints, though. Not sure if Signal allows for this, but it's no different than Whatsapp... except that teh Zuck is not reading along.
      • Re: (Score:1, Offtopic)

        > Not sure if Signal allows for this, but it's no different than Whatsapp...
        > except that teh Zuck is not reading along

        Not by default but it's open source, as @layabout was saying.

        What'sapp modifies the axolotyl ratchet to allow an extra copy that can be unsealed with Facebook's key plus either user's key, for "abuse reporting". A two-key system could be maintained in an EU system for archiving and investigations but without either participants' cooperation.

        The problems are twofold: using a non-EU sy

      • It has a daily achival feature that encrypts properly with a passphrase and everything. Right now it canâ(TM)t save to the external card yet, so you have to automate that e.g. with Tasker.

        Although it can also be set to stay below x messages and delete the rest, and you can send âvanishingâoe messages. (The latter of course being snake oil like DRM.)

      • by jeremyp ( 130771 )

        If anybody can read a message I send except the intended recipient, it's not end to end encryption, by definition.

    • I agree, in addition to the archiving, we shouldn't allow any government secrecy outside of the war department, or there will be no oversight.

    • Comment removed based on user account deletion
      • as the trump (and other autocratic governments) has demonstrated, governmental privacy encourages criminal behavior. if you are in a position of public or private power, the more transparent your life should be.
    • They said for public communication not sure if that means they should use it for their personal communication like when sexting with your wife, her sister, interns, mother-in-law or for official communications with the public.

    • by mysidia ( 191772 )

      Communications within a government agency should be preserved and archived for compliance with public records law.

      Only communications which are public records. Not all communications between government employees have to become part of a public record:
      only if there is some government business contained in the communication, And in that case, it is the the responsibility of the sender/creator of that record to make sure that record gets preserved for the retention period and not improperly deleted:

  • Who's the dipshit that linked to a paywall?
  • If you can get everyone to drink the same koolaid.
  • We decided to give Signal a break. It's cross device sync didn't work very well. I don't know why the download size of the package is over 90M considering it's quite limited feature set (Telegram is 1/3 of that), and it updates quite often. It still isn't available for .rpm-based distros. The final straw was when Signal app relentlessly changed the default app for .html files to itself, what kind of app does that? I know Telegram doesn't use end-to-end encryption by default, for that you have to start a 'se
  • Why do we need to standardize on an App, where we can standardized on a a Protocol which many Apps can use and talk to each other with.

    We have SMTP for email. So you can Use OutLook and I can use Thunderbird.
    We have HTTP and HTML. So you can use Edge and I can use Chrome

    If we get a common protocol then we are not tied to a company, and companies need to compete on their product. Vs relying on its user base numbers.

  • Poor choice from EU - Using Signal does not make any sense as Matrix does everything better and is truly open. French government already adopted Matrix as their default messenger.

"Here's something to think about: How come you never see a headline like `Psychic Wins Lottery.'" -- Comedian Jay Leno

Working...