
Wire messenger server code open-sourced - vasili111
https://github.com/wireapp/wire-server
======
fullsage
The title for this post should be changed to "a piece of the wire messenger
server code open sourced." Most of the source is not open source, you can't
run your own.

Also, holy shit they're storing a lot of information about their users:

* All of your contacts.

* Unencrypted profile information for everyone.

* Every active conversation you have.

* Every archived conversation you have.

* The frequency that you communicate with your contacts ('top contacts').

* Every group that you're in.

* The unencrypted titles and avatars of everyone's groups.

Wonder what will be in the _rest_ of the database schema if they open source
it.

~~~
gpm
So I checked if this matches their privacy whitepaper [0] that claims to list
what they store. It almost does, with one notable exception and one minor one.

* All of your contacts.

Wire contacts; they only store non-Wire contacts in a hashed form, and there's
an opt-out for non-Wire contacts.

* Unencrypted profile

(Isn't this just the profile picture (which is shown to people you haven't
connected with) and name anyway?) They do say so in the privacy policy.

* Every active conversation you have.

Specifically they claim to store:

Who/when it was created, who is involved (which seems critical to be able to
route messages), and conversation name.

* Every archived conversation you have.

I assume they store the same as for non-archived conversations; it seems
necessary to be able to add new devices.

* The frequency that you communicate with your contacts ('top contacts').

Ya... that's not listed as far as I can tell. Arguably "aggregated usage
statistics"... but it's not really aggregated.

* Every group that you're in.

This is the same as conversations... they clearly need to know this to route
messages.

* The unencrypted titles and avatars of everyone's groups.

Titles are listed. Avatars of groups aren't... seems like a minor oversight
though, given that they're like a profile picture, and profile pictures are
publicly available.

[0] [https://wire.com/resource/Wire%20Privacy%20Whitepaper/download/](https://wire.com/resource/Wire%20Privacy%20Whitepaper/download/)

~~~
fullsage
> _So I checked if this matches their privacy whitepaper [0] that claims to
> list what they store. It almost does, with one notable exception and one
> minor one._

Maybe it's good that they've documented this somewhere, but I don't think most
Wire users read white papers. I'm a dev and I was surprised. Their outward
facing marketing didn't lead me to think they track all my contacts and the
state of every conversation I am having. It very clearly suggests the total
opposite.

They need to do much better than this if they want people to think they take
security/privacy seriously.

>> * Every group that you're in.

> _This is the same as conversations... they clearly need to know this to
> route messages._

Why? That's not true for Signal from what I can tell.

~~~
gpm
> Maybe it's good that they've documented this somewhere, but I don't think
> most Wire users read white papers.

In the sense of "most users don't read privacy policies", sure.

It's pretty clearly linked in their privacy policy as "this is where you
should go for information". I know I'm not the only Wire user who read it
before installing it.

> Why? That's not true for Signal from what I can tell.

Ya... I think I overstated it. It's the easiest way to route messages but it's
not the only way.

------
cageface
Great to see an example of practical, real-world Haskell out in the wild. It's
surprisingly readable. I'm more motivated to finally knuckle down and learn
the language.

------
lngnmn
Shit. I have never believed that someone would really build and run a
Haskell-based back-end in production. Respect and kudos. Classy as fuck.

~~~
mrkgnao
Isn't there some music-learning app too? Chordify, I think it was called.

------
infodroid
It's great to see more Haskell code being used in production.

~~~
mbrubeck
And a little bit of Rust, too!

[https://github.com/wireapp/wire-server/tree/master/libs/libzauth/libzauth](https://github.com/wireapp/wire-server/tree/master/libs/libzauth/libzauth)

~~~
Siimteller
If you're into rust then their crypto is all in Rust
[https://github.com/wireapp/proteus](https://github.com/wireapp/proteus)

------
raindev
I'm super happy about Wire taking this step. Has someone done a security
analysis/review of Wire yet? It would be interesting to read.

~~~
walterbell
[https://medium.com/@wireapp/wires-independent-security-review-61f37a1762a8](https://medium.com/@wireapp/wires-independent-security-review-61f37a1762a8)

~~~
zedred
Probably worth mentioning this is a paid report for one library they use, not
the Wire app.

~~~
Siimteller
The post states that the app level review is coming. As a comparison afaik
Signal only has protocol review available, no implementation review.

Edit: typo

------
graffitici
This is fantastic news. If I understand things correctly, we can now host the
Wire server on our own VM, and use the clients to connect to it, correct?
We'll have full control over the end-to-end encrypted network?

~~~
fullsage
No, most of the source is still missing.

------
larrysalibra
This is really great to see. Kudos to the Wire messenger team for taking this
step.

------
y0ghur7_xxx
There is something I never understood, maybe someone can help me: what makes
Wire better than XMPP? Why do we need yet another protocol for chat?

~~~
feld
XMPP is terribly fragmented and the clients all suck.

~~~
unicornporn
I just tried [https://conversations.im/](https://conversations.im/) and I must
say I'm very impressed.

~~~
jhasse
The clients on everything except Android all suck.

~~~
Xylakant
To add to that, try enabling OMEMO across 4 different OSes (Android, iOS, MacOS
and Linux) and you'll want to burn all of your devices. Messages showing up on
some devices randomly or not, etc. Nice thing in general and I really like the
idea of XMPP, but not exactly user-friendly for non-technical folks.

------
Propen
Hoping more and more people start to show their support for services such as
this one by joining and bringing friends. They are running circles around
Signal lately.

~~~
zedred
I was hopeful at first. A large VC funded company with a big full time team
_should_ run circles around a small open source effort, but their security is
still way behind Signal. I was also quickly put off by their "less than
honest" marketing.

~~~
walterbell
Could you share details on "security is still way behind Signal"?

Edit: found previous discussion,
[https://news.ycombinator.com/item?id=13132157](https://news.ycombinator.com/item?id=13132157)

~~~
zedred
I haven't directly explored the source for either in a little while, so I should
take a new look. I might be a little out of date, but the things that I have
seen second hand recently confirmed my earlier conclusions.

Like I recently saw an announcement from Wire that calls are now secure, but
they had been advertising them as secure all along! I had even spent time
looking through the code but didn't know that calls weren't authenticated.
_Now_ are they really secure? I don't know, they said that before too, and the
source is so hard to follow. Then I saw a post that showed they weren't even
doing cert pinning, which is so basic.

I wanted to like it, but the more I looked the more I felt like "security" was
just sprinkled on as an afterthought.

~~~
walterbell
Did you see that they implemented CBR for audio calls and submitted patches to
both Signal and WebRTC?

[https://medium.com/@wireapp/call-security-constant-bit-rate-encoding-and-improving-webrtc-a85be6caa43a](https://medium.com/@wireapp/call-security-constant-bit-rate-encoding-and-improving-webrtc-a85be6caa43a)

~~~
JshWright
In 2017... CBR has been a thing in secure calling apps for ~5 years now.

~~~
walterbell
Can you recommend some iOS/Android apps which support CBR?

~~~
JshWright
Silent Phone is both Android and iOS compatible, and we have used CBR codecs
since we launched (in 2012).

~~~
walterbell
Thanks for the pointer ($10/month), did not know this was available without
buying a Blackphone.

------
otoburb
How will Wire make money and stay viable while maintaining this level of
service?

~~~
giancarlostoro
Also mind the license. It means anyone competing with Wire has to comply with
the AGPL which is specific to servers. If you modify the code, you must
publish it, whilst Wire can retain their own modifications to the server.

~~~
seagreen
Weirdly I think free licenses are great for businesses to use and open
licenses are great for personal projects.

If I'm writing a hobby project, I want it to help the ecosystem as much as
possible. If businesses want to use it then great! So MIT.

If I'm running a business my main goal is to survive. I want to help the
community as well, but I obviously can't do that if I go broke. "Put on your
own oxygen mask before helping others" and all that. So *GPL, because it lets
me balance those goals.

~~~
giancarlostoro
I'm not arguing against it or anything just pointing it out. AGPL keeps the
lights on whilst still letting others play with it and contribute.

~~~
seagreen
I understood you! I just wanted to add a few reasons why I (generally an
open > libre guy) don't mind the AGPL in this case.

~~~
giancarlostoro
Understood. I only worry about AGPL if I'm working on a similar product for
commercial work; I would absolutely avoid looking at the code. Some licenses
are fine for some companies, others are a nightmare. Apparently D had that
issue, for example.

------
giancarlostoro
I'm wondering if the clients will allow you to select any server or if you
have to rebuild the apps just to do that. Never used Wire, but I am very
interested.

~~~
Siimteller
One of the details we haven't quite settled on yet. Safe to assume that once
all of the server code is open then at first you'd need to roll your own apps
pointing to the right server.

Since a lot of the interest for self hosting comes from companies then a
nicely packaged version is somewhere in the future.