
The Coder Who Encrypted Your Texts - eas
http://www.wsj.com/articles/moxie-marlinspike-the-coder-who-encrypted-your-texts-1436486274
======
moxie
I get a lot of credit for the stuff that Open Whisper Systems does, but it's
not all me by a long shot. Trevor Perrin, Frederic Jacobs, Christine Corbett,
Tyler Reinhard, Lilia Kai, Jake McGinty, and Rhodey Orbits are the crew that
really made all this work happen.

~~~
tw04
Given that we have the man himself onboard - can I urge you to ask the WSJ to
remove the comment at the start of the article about WhatsApp implementing
your encryption schema? Unless I've missed something, there's absolutely no
way for an end-user to determine if their messages are being encrypted (with
whatsapp). Or how they're being encrypted for that matter. I feel like
WhatsApp latched onto your groundwork (potentially even with good intentions)
- but never actually has opened up about the implementation, opened the code
to audit, or been forthright about exactly who/how many users are covered.

I fear articles like this just make the average joe think "oh, whatsapp ==
secure" when recent events have proven that's far, far from the truth.

[http://arstechnica.com/tech-policy/2015/06/intercepted-whats...](http://arstechnica.com/tech-policy/2015/06/intercepted-whatsapp-messages-led-to-belgian-terror-arrests/)

~~~
davisr
"Absolutely no way"? I'm sorry to be impolite about it, but that's a bit of an
exaggeration: one could jailbreak their phone, pull the binary into their
computer, decompile it, and inspect it for implementation structures that
would be coherent with how the two or three most popular encryption algorithms
are commonly implemented. The expertise to be able to accomplish it doesn't
come cheap, but it's certainly in the realm for anyone willing to invest the
time.

If anyone out there does it, feel free to post your findings to
[http://imfreedom.org/](http://imfreedom.org/).

I'd be willing to bet that WhatsApp has some competent programmers, and looks
very similar to how Apple's built iMessage. I think everyone is entitled to
the most security possible, but unfortunately when you're at the scale of
WhatsApp, perfect security would make all that ultra-tantalizing data pretty
hard to analyze. They're a business, they have a responsibility to their
investors to grow the business, and data right now is a _big_ business.

~~~
JupiterMoon
So you've probably just broken the law by doing so. And you have to do this
every time the app gets updates. And you have to be sure that the encryption is
actually getting used on every message. And that the key is strong and not
known to Whatsapp. And also that the recipient's copy of the app is behaving
the same as yours. So I guess the question is, if you had something to hide
would you bet your life on it?

Whereas with Textsecure. Well it just works...

~~~
jsprogrammer
>So you've probably just broken the law by doing so.

By modifying your own device? I don't think so.

~~~
JupiterMoon
Many countries have laws against reverse engineering programs. Whilst I think
these laws are stupid I would prefer to just use the open source program than
mess around with the closed source alternative.

~~~
nitrogen
According to Wikipedia[0], reverse engineering is generally legal in the US:

 _In the United States even if an artifact or process is protected by trade
secrets, reverse-engineering the artifact or process is often lawful as long
as it has been legitimately obtained._

[0]
[https://en.wikipedia.org/wiki/Reverse_engineering#United_Sta...](https://en.wikipedia.org/wiki/Reverse_engineering#United_States)

~~~
aw3c2
And that is one country out of ~200.

~~~
blfr
Yes but it has 350M people living in it, half the HN, Silicon Valley, and
Moxie with his team. It's not honest to say the US is just another country
among 200.

~~~
tP5n
Yep, in other words around 4% of the world's population live in the US and of
course this pales in comparison to actually large nation states, like India or
China.

------
sergiotapia
> Unfortunately, if Mr. Marlinspike’s encryption scheme can be applied to
> imagery, then childporn collectors thank him too.

And there we go, highest voted comment on the article: a strawman about child
pornography. Think of the keeeds

~~~
RexRollman
"Think of the children" is a common refrain of the coward who values safety
over freedom.

~~~
perfTerm
I wonder how many of the people on that think of the children side were either
affected as kids, had children who had some awful experience, or are of close
relation to someone who was or had kids who did. Because I could easily see
something like an awful event happening to a child really warping a person's
world view in a strong way.

On the other hand, I wonder how many privacy advocates have never experienced
anything awful in that sense.

I'm on the privacy side myself and it's true child touchers are just hearsay
for me. I know they exist, I know it happens, but it's not generally at the
forefront of my mind when thinking about much of anything really. And I really
wonder what I'd think if every time I thought about policy I also had poor
Timmy's story echoing away for all eternity in my head.

And then I wonder for the motivations of the people for whom child touchers
are hearsay but are really opposed to privacy. Their motives must include
things like drug dealers, terrorists, a belief in their own clean slate,
money. It's pretty interesting to think about what goes on behind the scenes
of any argument that gains popular traction.

~~~
pgeorgi
I heard several survivors that were appalled by the "Think of the children"
approach because it is too often used to push an agenda that doesn't help
children at all.

For example, internet blocking of child abuse media (hot topic in Germany a
couple of years ago) doesn't help children (who aren't abused 'over the
internet' but in real life) because it routes resources away from public
education on the matter (such as encouraging victims to speak up), social and
health support (so victims that spoke up don't fall into a void) and regular
police work (so that the perpetrator gets busted).

I guess child abuse on the internet is a popular topic with policy makers
because "protecting children" is an easy way to score points in public and "on
the internet" hides the fact that this abuse happens somewhere - and closer to
any single person than they may be comfortable with. "internet" became a code
word for "somewhere else".

That's a great platform to win an election.

Now, pick any company with > 10000 employees. Just by running the numbers it
likely employs a child abuser. You work for such a company? It's likely that
one of your coworkers, maybe even somebody you deal with every day, is a child
abuser.

That's not a great platform to win an election.

------
abalone
I've had a ton of respect for Marlinspike ever since he published sslstrip, an
incredibly simple defeat of HTTPS.[1]

It's a perfect demonstration of the fundamental insecurity of the web thus
far. When an insecure communication mode (HTTP) is the default and perfectly
ok most of the time, the browser has no idea when you are _supposed_ to be
operating on a secure channel (HTTPS) but have been tricked into downgrading
by a man in the middle attack.

I can't prove it but I believe his work is a significant factor behind the
shift towards deprecating HTTP in favor of HTTPS all the time. That is the
only real solution.

[1]
[http://www.thoughtcrime.org/software/sslstrip/](http://www.thoughtcrime.org/software/sslstrip/)

~~~
juhanima
> the browser has no idea when you are supposed to be operating on a secure
> channel (HTTPS)

Agree about the sentiment, but there are some ways to help this. The server
can for instance tell the client to always require https:

[https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)

Doesn't help if the client hasn't yet connected to the right server at least
once, though.
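The first-connection caveat above, as an added example that is not part of the thread: a simplified model of a browser's HSTS cache following RFC 6797, where the header is only honoured on HTTPS responses. The host names, the `HstsStore` class and the `simulate` helper are constructed for illustration.

```python
import time
from urllib.parse import urlsplit


class HstsStore:
    """Simplified model of a browser's HSTS cache (hypothetical class)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._hosts = {}  # host -> (expiry timestamp, include_subdomains)

    def note_response(self, url, headers):
        parts = urlsplit(url)
        # A header seen over plain HTTP is ignored: a man in the middle could
        # have forged or stripped it, so only HTTPS responses can set policy.
        if parts.scheme != "https":
            return
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            if name.lower() == "max-age" and arg.strip('"').isdigit():
                max_age = int(arg.strip('"'))
            elif name.lower() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return  # max-age is mandatory; without it the header is invalid
        if max_age == 0:
            self._hosts.pop(parts.hostname, None)  # server withdrew the policy
        else:
            self._hosts[parts.hostname] = (self._clock() + max_age, include_sub)

    def _is_known(self, host):
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            # A parent domain's entry applies only with includeSubDomains.
            if entry and entry[0] > self._clock() and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url):
        """Return the URL the browser would actually request."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self._is_known(parts.hostname):
            return parts._replace(scheme="https").geturl()
        return url


def simulate():
    now = [1_000_000.0]  # fake clock so expiry can be shown
    store = HstsStore(clock=lambda: now[0])
    url = "http://bank.example/login"  # constructed host name
    seen = [store.rewrite(url)]  # first visit: nothing cached, stays HTTP
    # A response over HTTP cannot pin the host, header or not.
    store.note_response(url, {"Strict-Transport-Security": "max-age=31536000"})
    seen.append(store.rewrite(url))
    # One clean HTTPS response pins the host and its subdomains.
    store.note_response("https://bank.example/", {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    seen.append(store.rewrite(url))
    seen.append(store.rewrite("http://www.bank.example/"))
    now[0] += 31536001  # policy expires; protection is gone again
    seen.append(store.rewrite(url))
    return seen


if __name__ == "__main__":
    for requested in simulate():
        print(requested)
```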

~~~
tzakrajs
Also, the browser can opt into HTTPS by using a plugin such as HTTPS
Everywhere.

~~~
tedks
All of these defenses post-date sslstrip/sslsniff, and if you look at mailing
list conversations in the early days of HTTPS Everywhere, you can see that it
was developed as a direct response to these attacks.

------
Strilanc
Moxie and Frederic and Christine and the rest definitely deserve a lot of
credit.

Half of me is really happy every time I see Signal getting more popular. The
other half is more like OH GOD THE STAKES ARE HIGHER NOW WHAT IF I MADE AN
EXPLOITABLE MISTAKE BETTER RE-READ SOME CODE.

But seriously, you should read the code. It's there, open for anyone to audit
after all. Maybe start somewhere random in the guts [1][2][3] and check for
things like "ereh 2# roodkcab"?

1: [https://github.com/WhisperSystems/Signal-iOS/blob/master/Sig...](https://github.com/WhisperSystems/Signal-iOS/blob/master/Signal/src/network/rtp/zrtp/ZrtpResponder.m)

2: [https://github.com/WhisperSystems/Signal-iOS/blob/master/Sig...](https://github.com/WhisperSystems/Signal-iOS/blob/master/Signal/src/crypto/EvpSymetricUtil.m)

3: [https://github.com/WhisperSystems/Signal-iOS/blob/master/Sig...](https://github.com/WhisperSystems/Signal-iOS/blob/master/Signal/src/textsecure/Util/Cryptography.m)

~~~
lukeh
+[Cryptography generateRandomBytes] should possibly return NSData rather than
NSMutableData.

------
hookshot
The sailing documentary they briefly mention in the article is called Hold
Fast. If there are any HN readers that are into sailing I highly recommend it.

You can watch it here:
[https://vimeo.com/15351476](https://vimeo.com/15351476)

------
nathan_long
Interesting quotes:

> President Barack Obama called [protected-messaging apps] “a problem.”

but

> Encrypted messaging was viewed [by the U.S. State Department] as a way for
> dissidents to get around repressive regimes. With help from Mr. Schuler,
> Radio Free Asia’s Open Technology Fund, which is funded by the government
> and has a relationship with the State Department, granted Mr. Marlinspike
> more than $1.3 million between 2013 and 2014, according to the fund’s
> website.

------
PhantomGremlin
Great article, not paywalled.

Here's the thing that Moxie recognizes, that many other programs don't (in any
domain):

    
    
       He says he wants to build simple, “frictionless”
       apps, adopting a Silicon Valley buzzword for
       “easy to use.”

------
nickpsecurity
Interesting article and interesting guy. I like the work he and his team does
on these apps. Unfortunately, they typically run on the type of endpoints that
everyone from script kiddies with money to High Strength Attackers can hit.
Usually alongside apps not as strong as theirs on TCB's that can at best be
described as insecure foundations.

I recommend against such apps and platforms for anything other than stopping
the riff raff. That's what I use them for. I pointed out the difference
between secure code and secure systems in this [1] writeup. Shared much of my
framework for analyzing or designing-in security in the process. The TCB of
most solutions today is ridiculous: people are building on foundations of
quicksand. There's only a few exceptions I've seen such as GenodeOS
(architecturally) or Markus Ottela's Tinfoil Chat. Markus has been unusually
alert to our concerns and updated his app appropriately even for covert
channel suppression. Quick question: which of the many crypto apps on the
market can deliver a covert channel analysis to you at app and system level?
Answer: few to none despite its importance over decades with a rediscovery in
past 5+ years in mainstream security.

Strong security is hard. Moxie seems awesome as a coder and good to great in
both crypto and OPSEC. Thing is, his offerings break the decades old rule of
having a strong TCB. Just like most of the rest. It's why they're usually
bypassed or broken by strong attackers. Gotta do the whole thing with concern
for each aspect of the system. TFC is a clever cheat on that even more than my
MILS scheme with a KVM and a highly-assured guard. If you don't cheat around
it, you better do it right or your users will suffer the consequences. Those
_trying_ to contain vulnerabilities of mainstream OS's and components with any
success are expending literally hundreds of thousands of dollars worth of
labor per year. It's why I push for clean-slate, hardware and software
platforms like DARPA and NSF have been funding recently (eg SAFE, CHERI
processors). Alternatives using COTS tech are pretty complex and most users
will probably fail to secure them to be honest.

[1]
[https://www.schneier.com/blog/archives/2013/01/essay_on_fbi-...](https://www.schneier.com/blog/archives/2013/01/essay_on_fbi-ma.html#c1102869)

~~~
jsprogrammer
Anyone have a glossary?

~~~
nickpsecurity
My bad. Glad I caught it before I went to sleep. Trusted Computing Base (TCB):
everything in a system that the security argument depends on. Bigger and more
complex the worse. Tinfoil Chat (TFC). MILS = separation kernels, basically. A
more secure form of microkernel. KVM = Keyboard-Video-Mouse switch for
separate, physical devices. COTS is commercial tech and FOSS is often
developed with similarly low-quality methods. Hope that helps in your
translation of the comment.

------
glogla
I still can't get over Moxie wanting Google and Apple and Microsoft to be
gatekeepers of what you can and can't do with your device and calling
sideloading "that old broken desktop security model".

I admire your work Moxie, but sadly we stand on different sides of war on
general purpose computing. I can't help but be saddened that "the other side"
got someone so talented and dedicated.

~~~
Joeboy
I don't know about Apple or MS, but building TextSecure from source and
installing it on an android phone is about as easy as you could reasonably
expect it to be. It seems churlish to complain that there are also easier ways
to install it.

Edit: although, of course you have to trust Github or whoever if you install
from source.

~~~
Nutomic
They are actively opposing their apps to be published on F-Droid. Instead,
they prefer proprietary services for various (imo bad) reasons:

[https://f-droid.org/forums/topic/redphone-and-textsecure/#po...](https://f-droid.org/forums/topic/redphone-and-textsecure/#post-12296)

------
nly
Didn't TextSecure stop encrypting SMS a while back? If you lose data
connectivity you're sending in the clear, right?

~~~
JupiterMoon
Yes. This is really annoying; it was one of the major selling points - I'd got
several people to install it on this basis. They had a reason for the change
but I was unimpressed.

The best thing that one can say is that it is well indicated by the UI whether
the message will be secure. Blue for encrypted. Green for clear. I've managed
to explain this to some very tech-unsavvy people.

~~~
AdmiralAsshat
Is that a setting? I use TextSecure, and when my data cuts out, it simply
fails to send the message and tells me. Every message I've ever sent (that I
can quickly see) has the padlock icon next to it, which I'm assuming
guarantees it was encrypted.

~~~
JupiterMoon
yes

------
dates
Sweet article! The movie about Moxie fixing up and sailing a boat was actually
super fun to watch! I'm feeling grateful the comments section hasn't
turned into a massive argument over TextSecure dropping SMS support like the
whisper systems mailing list alwayssss is...

------
briandoll
Moxie gave a great high-level talk on cryptography and Open Whisper Systems at
Webstock this year too, for anyone that's interested:
[https://vimeo.com/124887048](https://vimeo.com/124887048)

------
ianopolous
I was a great fan of TextSecure until a few days ago. I had encouraged a bunch
of friends to install it. One of them couldn't get rid of a notification from
TextSecure about an unread message despite there being none, and eventually
they uninstalled it. Then, for the next 4 months TextSecure blackholed every
message I sent this friend without warning either them or me. They never
received a single message from me. After discovering that I uninstalled it.

~~~
moxie
You'll find that this is true for every messenger on Android, since there is
no way to detect someone uninstalling without unregistering.

TextSecure has delivery receipts so you can see when your messages aren't
being delivered, and there's a web-based unregistration flow on the Open
Whisper Systems website so that users can unregister their numbers if they've
uninstalled.

~~~
ianopolous
Thanks for the reply, Moxie. I realise I sound negative, but I do love your
work. The app gave me no indication that delivery was failing. Couldn't you
detect the failure when you try and forward on the message from your servers
(if it is a push architecture)? Happy to give you my details if you want to
look into it.

~~~
mike-cardwell
It's using the Google Android push stuff, which means to deliver a message to
a phone, Moxie's server sends a message to Google to ask Google to push a
message to the phone ASAP. So he gets no feedback.

------
lisper
Not that I really want to steal any of Moxie's thunder, but if you're reading
this comment thread you might also be interested in SC4:

[https://github.com/Spark-Innovations/SC4](https://github.com/Spark-Innovations/SC4)

Strong encryption that runs in a browser. Recently completed its first
security audit.

~~~
lugg
I've been looking for something to replace PGP-JS for a while.

Cheers.

~~~
lisper
Any feedback you have on SC4 would be much appreciated.

------
justcommenting
Kudos to moxie and team for their work and their example of positively
enabling others to speak freely, for inspiring others to build better
alternatives, and for being the change they wish to see in the world.

Also wanted to share one of the most provocative moxie-isms I've heard in
recent years from him, in reference to WL:

"What about the truth has helped you?"

------
chinathrow
So it looks like I might have understood something wrong regarding TextSecure.

Installed it, used it, uninstalled it.

Years later, a contact asks me that he "saw me in TextSecure", sent me a
message.

Obviously, I didn't get that message.

Why - o why - was/is TextSecure pretending to not know about metadata when it
does? Why could that happen? Moxie?

~~~
realusername
This problem is not specific to TextSecure, it also exists with iMessage and
whatsapp as far as I know.

You can unregister here:
[https://whispersystems.org/textsecure/unregister](https://whispersystems.org/textsecure/unregister)

~~~
wtbob
> You can unregister here:
> [https://whispersystems.org/textsecure/unregister](https://whispersystems.org/textsecure/unregister)

Well, _maybe_ you can. I spent several days six months ago trying to
unregister, and finally just accepted the fact that TextSecure will never let
me go. Oh well.

------
JoachimSchipper
Note that Open Whisper Systems is hiring:
[https://news.ycombinator.com/item?id=9813309](https://news.ycombinator.com/item?id=9813309).

------
mahyarm
Address book based social networks are nice to get a bit of bootstrapping, but
become pretty bad when you want to add someone as a text secure contact, or
you want to run a version without using SMS gateways. It gets pretty
complicated pretty fast compared to 'what is your username'.

I hope text secure gets usernames one day that you can associate with phone
numbers & emails.

The web-browser version is a good development, it shows that desktop and
multi-device versions are on the way.

------
teaneedz
It's awesome seeing so many privacy and secure messaging apps spring up. The
tough part is getting people to use them. I've been using Wickr (I know the
black box arguments, but they have a reasonable bounty in place) and it
doesn't require number, contact info or addy. The phone call feature of Signal
sounds interesting so I'll check it out.

------
iamthebest
I tried installing TextSecure recently but it wouldn't work without the Google
Play services.

I hadn't heard of their new app Signal. Has anyone tried it? I'm really
interested in hearing anyone's experience using it.

BTW, I ended up installing Telegram ...and it may be mere co-incidence, but I
started noticing some weird things happening that I've never seen before. I
connect to the internet exclusively via tethering to my phone and while
tethered I started seeing messages in Firefox from my desktop machine giving
warnings that were something like "Could not establish secure connection
because the server supports a higher version of TLS". My guess is that it was
some sort of MITM attack... and I was possibly targeted due to the traffic to
Telegram servers.

One other thing regarding Telegram: I really don't like that it reads my
contact list and uploads it to their server to check if my contacts have a
Telegram account. I've blocked the permission for now.

~~~
muppetman
Telegram isn't secure. There's been no public audit of their "secure" code and
most messages aren't even sent via the secure channel unless you expressly
tell it to do so.

It has a pretty UI though, so most people seem to think it's great.

~~~
bascule
Their UI is a carbon copy of WhatsApp

------
eloy
I already knew this would be an article about Moxie before clicking the link.

~~~
BuildTheRobots
As TextSecure no longer secures text messages (texts) I really _wasn't_
expecting it to be about Moxie and figured it was actually about the
implementer of A5/1...

------
patcon
Thank god this man exists.

~~~
dkarapetyan
Yes, but isn't that in and of itself somewhat depressing.

~~~
baudehlo
Sadly, software is complex and security is really hard (and generally a
trade-off). See also djb.

------
btczeus
Where's the authentication process in TextSecure? Totally MITM'able. Not
secure at all.

------
em3rgent0rdr
Obama's "problem" is a "solution".

------
btczeus
There is not any evidence of encryption on WhatsApp, source code is closed so
you can never be safe.

~~~
muppetman
People have sniffed the wire for the WhatsApp client (on Android, towards
another Android) and seen that it is encrypted.

But your point stands - there's no UI to indicate if it was secure or not and
the code isn't open so you can't know for sure.

~~~
ikawe
I'm ignorant. How can you prove that it's encrypted in any meaningful fashion
vs, say rot13?

~~~
lovemenot
We can disprove the existence of strong encryption with a wireshark, but
cannot prove it.

Entropy of a rot13 message would be much lower than that of a properly
encrypted channel. High entropy is not _proof_ of "meaningful encryption",
mind you, since a compressed rot13 or plaintext message would have high
entropy too.
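The entropy argument above, as an added example that is not part of the thread: byte entropy of rot13 text, of the same rot13 text after compression, and of random bytes. The word list, the sample size and the 7.5 bits/byte threshold are constructed for the example, and `os.urandom` is an assumption standing in for well-encrypted traffic.

```python
import codecs
import math
import os
import random
import zlib
from collections import Counter

# Constructed vocabulary; any natural-language-like text behaves the same way.
WORDS = ("meet me at the usual place after dark bring keys and say nothing "
         "to anyone about our plan because they are watching every message").split()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0 to 8.0), computed from the byte-frequency histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_samples(n_words: int = 20000, seed: int = 1) -> dict:
    """Build the payloads a capture might contain (all constructed here)."""
    rng = random.Random(seed)
    plaintext = " ".join(rng.choice(WORDS) for _ in range(n_words))
    # rot13 only relabels letters, so the byte histogram keeps its shape.
    rot13 = codecs.encode(plaintext, "rot_13").encode("ascii")
    compressed = zlib.compress(rot13, 9)
    return {
        "plaintext": plaintext.encode("ascii"),
        "rot13": rot13,
        "rot13+zlib": compressed,
        # Assumption: random bytes model what good ciphertext looks like.
        "random": os.urandom(len(compressed)),
    }


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Naive capture heuristic: 'high entropy, so probably encrypted'."""
    return shannon_entropy(data) >= threshold


def report() -> dict:
    """Entropy and heuristic verdict for each constructed sample."""
    return {name: (round(shannon_entropy(blob), 3), looks_encrypted(blob))
            for name, blob in build_samples().items()}


if __name__ == "__main__":
    for name, (bits, verdict) in report().items():
        print(f"{name:12s} {bits:5.3f} bits/byte  looks_encrypted={verdict}")
```

Low entropy rules strong encryption out, while the compressed rot13 sample passes the heuristic even though anyone can decompress and decode it.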

------
yuhong
I am thinking about why encryption was only used by the military in the first
place, back when the infamous Bell monopoly on phone service existed. I think
cracking encryption was one of the reasons computers were created in the first
place, right?

~~~
tedunangst
Who could listen to people's phone calls, and how many people were concerned
about that happening?

~~~
vezzy-fnord
Breathing in on your phone has traditionally been the FBI's dominion, in any
case.

------
btczeus
This guy is not part of the solution. He is part of the problem.
[https://f-droid.org/posts/security-notice-textsecure/](https://f-droid.org/posts/security-notice-textsecure/)

~~~
theGimp
For those interested in the rationale:
[https://github.com/WhisperSystems/TextSecure/issues/127#issu...](https://github.com/WhisperSystems/TextSecure/issues/127#issuecomment-13447074)

~~~
btczeus
From
[https://github.com/WhisperSystems/TextSecure/issues/53](https://github.com/WhisperSystems/TextSecure/issues/53)

Moxie: "I'd like to avoid distributing APKs outside of the Play Store"

Why give a single entity the power to push a malicious update anytime?

~~~
lorenzhs
that's not how the Play store (or Android) works. Moxie signs the APK, phones
will only install updates that are signed with the same certificate as the
version they already have. Google cannot modify apps.

Edit: In contrast, the F-Droid builds were built and signed by F-Droid, so
they could at any time include any code they wanted. Whom do you trust more,
the developer or some alternate app store?

~~~
Nutomic
Google could also distribute a differently signed apk to selected users. And
there's no way for users to check the signature of an apk (if they didn't have
it installed before).

And I certainly trust an open source project much more than a US company.

~~~
lorenzhs
But that angle of attack only works if they target you from the moment you
first install the app. It would be much easier to just push a modified Google
application update to your phone if that is what they wanted.

What it boils down to is that with the Play store, you can be sure that you're
not getting malicious _updates_ from some intermediary, as each developer
signs their own APKs, and Google doesn't have the keys. Whereas if f-droid is
compromised, all applications they build are compromised. That's a much
greater risk.

~~~
btczeus
You can set up your own repo.

