
Zendo Is My New Favorite Secure Messaging App - coloneltcb
http://techcrunch.com/2015/03/24/one-time-pads-ride-again/
======
mark_l_watson
Nice article.

I like the idea of getting people to at least start using private
communication, where appropriate. The end of the article lists some great use
cases for private communication (sharing passwords, etc.)

------
classicsnoot
so, my understanding of crypto comes solely from HN comments, articles and
Cryptonomicon. I assume i will be wrong on most points:

1)if someone is somehow monitoring the mobileP2P connection between you and
your friend they could conceivably crack the 256 RSA jumble to obtain the
1time pad

2)if someone gains access to your device they could obtain the QR image and
(1)

i bet there are other possibilities via hardware and ????

from my lay POV, this does seem like a promising idea.

~~~
Lx1oG-AWb6h_ZG0
I think the article addresses the first concern: the radio connection is
encrypted with the AES key in the QR code that is scanned optically. As for
the second, if they are in the device, you're already screwed: they might as
well intercept the keyboard/camera/mic instead of hacking the app. Same for
hardware access.

------
classicsnoot
can anyone way in on how Zendo stacks up to TextSecure?

~~~
AlyssaRowan
Well, Zendo is not open source, and it uses "one time pads" \- classic signs
of snake-oil cryptography (Vernam ciphers are information-theoretic secure _if
done properly_ \- but impractical for almost every use case, because they
really just amount to secret-splitting - and _the_ most fragile crypto
primitive, because if you do even one thing slightly wrong, they're _awful_ ).
It also doesn't look to be forward-secure, unless I'm misunderstanding
something from 2 minutes of research. And it needs manual setup.

So _very_ poorly, I'm thinking.

TextSecure/Signal can present/scan a QR code in-person to do a public key
fingerprint verification that way.

I'm sticking with TextSecure/Signal, thanks.

~~~
classicsnoot
As for me, i am tired of being ignore by TS after months of prompt responses.

i believe they cover your concern(s) in the article but i am merely a
youngling.

I like TS, but the lack of support for correcting group mms issuers with wifi
enabled as well as ditching encrypted SMS means i am jumping ship.

