Discussion:
[whispersystems] Second factor for reregistration
Laurence Berland
2015-09-30 19:38:56 UTC
Permalink
See:

https://github.com/WhisperSystems/TextSecure/issues/3988

I'm sorry to bounce this to the mailing list but I suspect moxie has
notifications off for closed bugs. I'm curious *why* this isn't going to be
done, in part because if the issue is simply time/feature priority, this
might be something I'd be willing to work on. If there's another reason I'd
like to understand it.
Sam Kierstead
2015-09-30 21:00:01 UTC
Permalink
Dealing with the police is all about situational comfort and epistemic control. The police and intelligence folks don't like to be locked out of things. The iOS lock is technically sufficient but a in-app key would be valuable to human beings. Apparent transparency is how to win.
Whatchu think Moxie?
Thanks for the interest Laurence.
1/0

Sent from my iPhone
Post by Laurence Berland
https://github.com/WhisperSystems/TextSecure/issues/3988
I'm sorry to bounce this to the mailing list but I suspect moxie has notifications off for closed bugs. I'm curious *why* this isn't going to be done, in part because if the issue is simply time/feature priority, this might be something I'd be willing to work on. If there's another reason I'd like to understand it.
Laurence Berland
2015-09-30 21:24:09 UTC
Permalink
Okay. Moxie has asked that we discuss this here, not on the issue tracker.
No problem.

The way I see it:
1) Connor is right that users should not ignore key mismatch warnings. If
they do, that's on them. Fair enough. However I'm still concerned that
people I haven't previously conversed with will think they're conversing
with me because of trust on first use.

2) I agree that this additional complexity would confuse most users. I'd
like to think that since it wouldn't be the default, people who choose to
turn it on would be careful enough to not lose their passwords, but of
course there's a small chance anyone will still lose it, and a process to
recover from that might be potentially quite cumbersome.

3) I'm curious how registration is going to work when the browser plugin is
ready. That is to say, when users can have more than one simultaneous
device. If each additional device gets tofu treatment, then anyone who can
temporarily get access to your phone number to do the sms verification
would be able to quietly listen in on a conversation that appears to me to
be secure. But this is very speculative because I know nothing about how
that feature is going to work, or even if it's still on the roadmap.

Apologies if I've missed some of the best practices, this is my first
attempt at wading into TextSecure development.
Post by Laurence Berland
https://github.com/WhisperSystems/TextSecure/issues/3988
I'm sorry to bounce this to the mailing list but I suspect moxie has
notifications off for closed bugs. I'm curious *why* this isn't going to be
done, in part because if the issue is simply time/feature priority, this
might be something I'd be willing to work on. If there's another reason I'd
like to understand it.
Christopher Sheats
2015-09-30 22:06:02 UTC
Permalink
I concur with this risk analysis of #3, presuming there is no
verification process. It then becomes a weaker system than iMessage.
Related: The Four Critical Security Flaws that Resulted in Last Friday's
Hack

https://blog.cloudflare.com/the-four-critical-security-flaws-that-resulte/

"You can mitigate these risk if you are a user by enabling two-factor
authentication, ideally relying on Google's Authenticator App rather
than anything that passes through the phone company's network."

Christopher
Post by Laurence Berland
Okay. Moxie has asked that we discuss this here, not on the issue tracker.
No problem.
1) Connor is right that users should not ignore key mismatch warnings. If
they do, that's on them. Fair enough. However I'm still concerned that
people I haven't previously conversed with will think they're conversing
with me because of trust on first use.
2) I agree that this additional complexity would confuse most users. I'd
like to think that since it wouldn't be the default, people who choose to
turn it on would be careful enough to not lose their passwords, but of
course there's a small chance anyone will still lose it, and a process to
recover from that might be potentially quite cumbersome.
3) I'm curious how registration is going to work when the browser plugin is
ready. That is to say, when users can have more than one simultaneous
device. If each additional device gets tofu treatment, then anyone who can
temporarily get access to your phone number to do the sms verification
would be able to quietly listen in on a conversation that appears to me to
be secure. But this is very speculative because I know nothing about how
that feature is going to work, or even if it's still on the roadmap.
Apologies if I've missed some of the best practices, this is my first
attempt at wading into TextSecure development.
Post by Laurence Berland
https://github.com/WhisperSystems/TextSecure/issues/3988
I'm sorry to bounce this to the mailing list but I suspect moxie has
notifications off for closed bugs. I'm curious *why* this isn't going to be
done, in part because if the issue is simply time/feature priority, this
might be something I'd be willing to work on. If there's another reason I'd
like to understand it.
Loading...