EU Commission To Staff: Switch To Signal Messaging App (politico.eu)
The European Commission has told its staff to start using Signal, an end-to-end-encrypted messaging app, in a push to increase the security of its communications. From a report: The instruction appeared on internal messaging boards in early February, notifying employees that "Signal has been selected as the recommended application for public instant messaging." The app is favored by privacy activists because of its end-to-end encryption and open-source technology. "It's like Facebook's WhatsApp and Apple's iMessage but it's based on an encryption protocol that's very innovative," said Bart Preneel, cryptography expert at the University of Leuven. "Because it's open-source, you can check what's happening under the hood," he added. Signal was developed in 2013 by privacy activists. It is supported by a nonprofit foundation that has the backing of WhatsApp founder Brian Acton, who had left the company in 2017 after clashing with Facebook's leadership.
Innovative encryption is usually problematic (Score:1)
Re: (Score:2, Insightful)
I sure hope they'll include a back door in the version of Signal they're using. I mean, all the governments want back doors, right?
Re:Innovative encryption is usually problematic (Score:5, Informative)
Additionally, here is a link [iacr.org] to a formal security analysis of the protocol.
More like the other way around. (Score:2)
It uses standard solutions, plus some innovative additions. And everyone's copying Moxie since. :)
Plus, TLS is just fundamentally wrong for a peer to peer network anyway. Apart from having too many moving parts and optional inferior bits left in for backwards compatibility.
Keep calm, look at the code, and never underestimate Moxie. :)
Very bad description (Score:5, Interesting)
It's ok to stick with the proven encryption protocols. Rolling their own sounds like a recipe for disaster.
So many errors in this quote:
- Signal hasn't invented a new encryption at all. It's using the industry established AES under the hood for the actual encryption step.
- Signal hasn't invented other cryptographic functions either, it's using well researched and studied primitives (e.g.: curve 25519).
- What Moxie Marlinspike has done is to evolve the handshake, from OTR (off the record, previously used by e.g.: Pidgin to encrypt messages atop legacy messaging networks) and evolve it into the Axolotl Ratchet (among others, better for out-of-sync offline messages, multiple-participant chats, etc.). This evolution has been done in the open, with review being done by others, etc. It has been rolled very carefully and very slowly.
In short, it's not "I hAVe inVEntED a NEW ENcryptIOON!"
It's reviewed and audited work that has been done on sound bases.
Also:
- Actually, Facebook has said that they use the exact same encryption protocol for WhatsApp and Messenger. The interesting part isn't the encryption (or more precisely, the handshake, as mentioned above), as that part has been taken up by the competition.
- The interesting part is the opensource part. From the beginning Signal has been developed in the open and has been reviewed. There are audits having been done on the code, we know the code is safe for use. And because it's opensource you can even compile your own. Or have a special repository like F-Droid do the compilation for you.
- Meanwhile, WhatsApp and Messenger are blobs. You have to trust Facebook's promises that they actually implement the protocol. For what you know, they might actually only be pretending but actually implementing a double ROT-13 based encryption. Or they might be running the Signal protocol straight from Open Whisper Systems and implementing a perfect end-to-end encryption channel to your smartphone app, but then implementing a backdoor in said app that will leak the "perfectly securely received" content back to any government agency. Or any advertiser.
But you have to trust Facebook. Because there's no way to check the closed source blobs (save for extensive reverse engineering of the whole app's binary/bytecode to see if it really does what FB pretends it does).
So TL;DR:
No it's not the algorithm itself that is important to the EU.
It's the fact that it's developed openly which gives two important critical consequences:
- It can be (and has been) reviewed and deemed good by professionals in the field.
- You can have ways to verify that you are actually running safe code and not need to take Facebook's word for it.
Re: (Score:3)
I agree with the premise in most cases. I like the http://www.moserware.com/2009/... [moserware.com] solution to this problem: "I ____ promise that once I see how simple AES really is, I will not implement it in production code even though it would be really fun. This agreement shall be in effect until the undersigned creates a meaningful interpretive dance that compares and contrasts cache-based timing and other side channel attacks and their countermeasures."
Now having seen https://en.wikipedia.org/wiki/... [wikipedia.org] talk a numb
Signal should not be used by government agencies (Score:5, Insightful)
Re:Signal should not be used by government agencie (Score:4, Interesting)
Interestingly enough, the UK Conservative party, wannabe nemesis of the EU has also switched to Signal at the same time as Whatsapp is going to give the UK police access to your messages [pcworld.com].
You were saying?
Re: (Score:2)
Interestingly enough, the UK Conservative party, wannabe nemesis of the EU has also switched to Signal [theguardian.com] at the same time as Whatsapp is going to give the UK police access to your messages [pcworld.com].
You were saying?
(now with clickable link for conservatives)
Re: (Score:1)
Interestingly enough, the UK Conservative party, wannabe nemesis of the EU has also switched to Signal [theguardian.com] at the same time as Whatsapp is going to give the UK police access to your messages [pcworld.com].
You were saying?
(now with clickable link for conservatives)
The difference is that I can vote them out - and will try to do so at every opportunity. I couldn't do anything about how the EU was run while we were in it.
UK politicians are in for a rude awakening as the effects of Brexit start to dawn on the electorate. I hope.
Re: (Score:1)
Re:Signal should not be used by government agencie (Score:5, Informative)
Oh, you definitely could. [wikipedia.org]
Now you definitely can't. *winning*
Re: Signal should not be used by government agenci (Score:1)
Re: (Score:3)
Your pig ignorance of the EU workings is amazing. It's typical of a far left or far right ignoramus who cannot research or understand any facts presented to you.
It's a simple fact that the EU Parliament has no law-making powers; it can only pass or reject the laws that come down from the commission. And the standard reaction of the commission to a democratic vote going the wrong way is to have it again.
Techno-fascism: fascism for being opposed to democracy (as opposed to simply not supporting it), Techno for the fundamental belief that "expertise" should rule, not merely advise and any errors are always implementation problem, never faults in the theory. Lagarde is
Re: (Score:1)
But the UK parliament is super-awesome, so voting for MPs is so much better than voting for MEPs. Surely the Conservative apparatchiks running the UK will listen to you now.
Re: (Score:2)
But the UK parliament is super-awesome, so voting for MPs is so much better than voting for MEPs. Surely the Conservative apparatchiks running the UK will listen to you now.
The thing is, they will have to eventually. That's not the case for the EU commission.
If it wasn't for the EU-supporters trying (typically) to overturn the result of a democratic vote they didn't like, we wouldn't even have the bloody Tories in power now. After years of seeing their vote discounted, it became apparent to many people that the only way to honour the referendum was to vote the Conservatives back in. Even some people who voted to stay in were so offended by the actions of these anti-democrats t
Re: (Score:2)
You can not vote out a UK politician from his office.
I couldn't do anything about how the EU was run while we were in it.
Of course you could. You could do the exact same things you do in your country, vote for the right people.
However you can not vote whom my elected government appoints as commissioner ... oops, and neither can we vote about yours, only you can.
Why did you not read a wiki page before rage quitting?
Re: (Score:3)
UK Conservative party is a separate entity than the UK government and is not subject to public records law.
However, it is still an interesting point.
Re: (Score:2)
Communications within a government agency should be preserved and archived for compliance with public records law. If they want confidentiality of communication, then they should fork the signal project, modify it to record and upload all messages to a government archives site in a way analogous to how government emails preserved for public records
This is the EU we're talking about - EU subjects don't need to know what their unelected rulers are saying.
Ah, that old chestnut again. You must have missed the most recent European Parliament election [wikipedia.org] that all us Europeans voted in during May last year.
Re: (Score:3)
Classic anti EU rhetoric. The commission is controlled by the EU governments which are elected and controlled by their respective parliaments. And we have an EU parliament which controls the commission.
Re: (Score:3)
Not only that, but the commission is built by each national government's appointments that are later approved by both the EU parliament and European council. People vote directly for the parliament, directly vote for their own national government and their head of state.
They may not vote directly for the commission (the main complaint), but they also do not vote directly for their government ministers and support staff and people usually do not complain.
The main real problem is the lack of transparency
Re: Signal should not be used by government agenci (Score:1)
Re: (Score:2)
Re: (Score:1, Offtopic)
> Not sure if Signal allows for this, but it's no different than Whatsapp...
> except that teh Zuck is not reading along
Not by default but it's open source, as @layabout was saying.
WhatsApp modifies the Axolotl ratchet to allow an extra copy that can be unsealed with Facebook's key plus either user's key, for "abuse reporting". A two-key system could be maintained in an EU system for archiving and investigations but without either participant's cooperation.
The problems are twofold: using a non-EU sy
Yes, it absolutely does. (Score:2)
It has a daily archival feature that encrypts properly with a passphrase and everything. Right now it can't save to the external card yet, so you have to automate that e.g. with Tasker.
Although it can also be set to stay below x messages and delete the rest, and you can send "vanishing" messages. (The latter of course being snake oil like DRM.)
Re: (Score:3)
If anybody can read a message I send except the intended recipient, it's not end to end encryption, by definition.
Re: (Score:1)
I agree, in addition to the archiving, we shouldn't allow any government secrecy outside of the war department, or there will be no oversight.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
They said for public communication not sure if that means they should use it for their personal communication like when sexting with your wife, her sister, interns, mother-in-law or for official communications with the public.
Re: (Score:3)
Communications within a government agency should be preserved and archived for compliance with public records law.
Only communications which are public records. Not all communications between government employees have to become part of a public record:
only if there is some government business contained in the communication, and in that case, it is the responsibility of the sender/creator of that record to make sure that record gets preserved for the retention period and not improperly deleted:
who did it? (Score:2)
You are correct. (Score:2)
I guess he tried to appeal to the clueless.
A well-meant act that generally does more harm than good.
Now only (Score:2)
If only it was as usable as Telegram (Score:1)
How about an Open Protocol (Score:2)
Why do we need to standardize on an App, where we can standardize on a Protocol which many Apps can use and talk to each other with?
We have SMTP for email. So you can use Outlook and I can use Thunderbird.
We have HTTP and HTML. So you can use Edge and I can use Chrome
If we get a common protocol then we are not tied to a company, and companies need to compete on their product. Vs relying on its user base numbers.
Re: (Score:1)
It is from the previous millennium. I have the memory of a dinosaur.
https://xmpp.org/ [xmpp.org]
Matrix exists (Score:2)
Poor choice from EU - Using Signal does not make any sense as Matrix does everything better and is truly open. French government already adopted Matrix as their default messenger.