Hi Josh,
nice to hear someone from the official OWS team chime in!
Post by Joshua LundPeople seem to be completely forgetting about initial download integrity
and ongoing security updates, which are quite important for an
application like this. Chrome Packaged Apps make this seamless and easy
for users.
Until NW.js natively supports some kind of secure update process, it's
not really ready for this use case. If you find yourself thinking things
like "But Open Whisper Systems could come up with their own bespoke
distribution and update process!" then you should also quickly start to
realize that this is not a "fairly trivial" problem, especially for a
team of their size.
According to Moxie, this has been ready to go (at least for the Android
version) for close to two years now:
https://github.com/WhisperSystems/Signal-Android/issues/127#issuecomment-36066056
Yet nothing has been released, with Moxie actually saying at some point
that an official Gapps-free version might never happen because of some
changes in Android 6.
Post by Joshua LundAsking Signal's target demographic to download a zip file, verify its
GPG signature or checksum, and manually keep their installation up to
date on a consistent basis? This is the same type of wishful thinking
that led to GPG's terrible user experience. The current approach is both
easier and more secure.
At this point people can go full dev and compile their own/JavaJens
modified version from scratch, getting the source code unsigned and only
TLS-protected from Github. The amount of people beeing able to AND
willing to do this for every update is negligible. The security
properties are also not great, because x509 is broken beyond comparison.
Also JavaJens seems to be a great guy and contributer, but any
additional party in the distribution process greatly increases the
possibility of introduced weaknesses.
Or your just download the GCM-free version on F-Droid by xmikos with
similar problems.
Could you elaborate why OWS prefers to ignore those problems instead of
rolling out the apparently finished distribution and update mechanism in
a "websocket only" build and plastering the app and distribution point
with "BATTERY HUG WITH DELAYED MESSAGES, PLEASE USE GCM VERSION FROM
PLAY STORE"?
Apparently it wouldn't be much additional work AND it siginficantly
reduces the attack surface of those currently using third party builds.
Average users with GCM will likely never end up at this distribution
point and if they do, they can be easily convinced with clear wording to
use the channel intended for them.
Post by Joshua LundA sample size of fifteen entire people might sound really impressive,
but in order for mass surveillance to become a thing of the past we will
need millions. In my opinion, Signal has millions of users precisely
because the development team has made incredibly deliberate and smart
decisions that balance security with usability. In the meantime, simple
workarounds are available, and the Axolotl protocol will also continue
to spread into more esoteric packages that are "ideologically pure."
Some of them are even written in Go! :)
The current approach works only for the newbies it's intended to. It
doesn't work for the important demographic of either very advanced and
busy users or kinda advanced but sophomoric users. Those are generally
the ones advocating for their non-technical friends to use tools like
Signal in the first place. And they would of course also like to be able
to interact with their friends on their own terms (FOSS all the way). If
Signal continues to deny them a way to do so, they'll either continue
using less secure distribution and update mechanisms or less secure
alternative apps, driving their friends away from Signal or not
introducing them to it at all.
I guess what I'm asking for is: do you have any knowledge if it is still
planned to implement the "ready to go" distribution and update mechanism
at some point?
An official roadmap would probably alleviate many such requests.
Kind regards,
curve25519