
French government releases in-house IM app to replace WhatsApp and Telegram use - TMWNN
https://www.zdnet.com/article/french-government-releases-in-house-im-app-to-replace-whatsapp-and-telegram-use/
======
jszymborski
There was a recent episode of a Brexit podcast I was listening to where two
MPs were saying that the vast majority of their "breaking news"
communications happened over WhatsApp, which was very surprising to me.

I think France is doing an amazing job of taking control of their
infrastructure, and I don't believe it'd be hard for other governments to
follow their lead.

~~~
tornadon
I’m not too surprised to be honest. WhatsApp is king in (western) Europe. I
message all my friends, both Android and iPhone users, in WhatsApp because
it’s just accepted as the de facto standard since everyone is on it. Phrases
like “WhatsApp me” translated into various European languages are common here
and synonymous with “send me an sms.” I’m part of a lab group at my university
and WhatsApp is our main line of group communications, not Slack or email or
whatever flavor of the month team chatting service is popular these days. I
message my professor/boss as a primary contact point. He messages me to let me
know he’s running late for a meeting and vice versa. WhatsApp is just
literally everywhere here.

E: I just found an issue with one of the locks in my apartment. I whatsapped the
maintenance guy my landlord employs to request him to fix it and he messaged
me back he's gonna be here in a couple of hours.

~~~
tornadon
Also, if you ever walk through a university campus library or anywhere else
where a bunch of students are studying on their laptops, I guarantee you that
most students will have WhatsApp open in a browser or the actual desktop
version of the app itself side by side next to their other tools/PDFs/papers.

I cannot state how pervasive WhatsApp is around here.

------
techntoke
The company behind this is Matrix, the same one that was hacked recently due
to poor security and had their keys exposed and more. The hacker even went and
posted a bunch of their security issues on GitHub for them detailing all the
terrible decisions they had made.

~~~
IceWreck
Yeah, but the problem was poor security of Matrix.org 's own homeserver which
is the default on Riot, not with Matrix itself. Tchap should be secure enough
considering the French government is hosting it on their servers.

------
_bxg1
So long as it's open-source and E2E encrypted, I'm extremely on board with
this. Simply giving people a better option that actually has their interests -
instead of corporate interests - at heart could be a great way to solve the
social platform debacle.

~~~
basetop
The app they created is for government officials only : "Only official French
government employees can sign-up for an account".

But they open sourced the code, so you run your own version of the app. But
not sure how useful it will be if no one else is using your app. The network (
millions of users ) that whatsapp and telegram has generated is the primary
draw now for them.

~~~
geoah
You have it backwards.

Matrix [1] (the protocol and network) and Riot (the client) are both open and
used by many many people already.

The Matrix team on behalf of the French government [3] developed a fork of the
Riot app (Tchap) [4] that connects to a private network of home servers with
custom registration policies and probably other features as well.

1\. [http://matrix.org](http://matrix.org)

2\. [https://about.riot.im](https://about.riot.im)

3\. [https://fosdem.org/2019/schedule/event/matrix_french_state](https://fosdem.org/2019/schedule/event/matrix_french_state)

4\. [https://github.com/dinsic-pim/tchap-android](https://github.com/dinsic-pim/tchap-android)

------
kawera
And a few hours later a French researcher[1] found some embarrassing flaws[2],
including one from Python's standard lib[3].

[1] [https://twitter.com/fs0c131y](https://twitter.com/fs0c131y)

[2] [https://medium.com/@fs0c131y/tchap-the-super-not-secure-app-...](https://medium.com/@fs0c131y/tchap-the-super-not-secure-app-of-the-french-government-84b31517d144)

[3] [https://twitter.com/fs0c131y/status/1119143946687434753/vide...](https://twitter.com/fs0c131y/status/1119143946687434753/video/1)

~~~
Iv
tl;dr: this app is supposed to be used only for governmental staff. It does so
by checking if you have a @elysee.fr or a @gouv.fr email. He bypassed the
check by using myadress@protonmail@presidence@elysee.fr. He could access the
"public" groups normally reserved for employees.

The hole has been plugged.

~~~
Arathorn
Yup, there was a single bug here (which I wrote; serves me right for blindly
trusting a mail addr parsing library), which boils down to:

      $ python -c "import email.utils; print email.utils.parseaddr('bob@evil.com')"
      ('', 'bob@evil.com')
      $ python -c "import email.utils; print email.utils.parseaddr('bob@evil.com@gouv.fr')"
      ('', 'bob@evil.com')

We deployed a fix within about 90 mins of being alerted, and also released a
security update for anyone else who is in the same situation (which is very
unlikely):

[https://matrix.org/blog/2019/04/18/security-update-sydent-1-...](https://matrix.org/blog/2019/04/18/security-update-sydent-1-0-2/)
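Added illustration of the parser mismatch described above (not code from Sydent, the thread, or Tchap): the domain gate is decided on the raw string, but the verification mail recipient comes from `email.utils.parseaddr`, which can name a different mailbox. The hardened version validates once with a single strict grammar and derives both decisions from the same value. The allow-list, the regex and the function names are assumptions made for this example.

```python
import re
from email.utils import parseaddr

# Allow-listed domains, as the thread describes them (assumption for this example).
ALLOWED_DOMAINS = {"gouv.fr", "elysee.fr"}

# One deliberately narrow grammar: local part, exactly one '@', a dotted domain.
# RFC 5322 permits far more, but a sign-up gate can afford to be strict.
_STRICT = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def naive_check_and_recipient(raw):
    """Reproduces the flawed shape: policy on the raw string, recipient from
    another parser. Returns (allowed, recipient)."""
    domain = raw.rsplit("@", 1)[-1].lower()
    allowed = domain in ALLOWED_DOMAINS
    # parseaddr may stop at an earlier '@' (older Pythons) or reject the
    # address outright (newer, strict parseaddr); either way it disagrees
    # with the domain the allow-list decision was based on.
    _, recipient = parseaddr(raw)
    return allowed, recipient


def strict_check_and_recipient(raw):
    """Hardened: reject anything outside the grammar, then take the domain and
    the recipient from the same validated string."""
    if not _STRICT.match(raw):
        return False, None
    local, domain = raw.split("@")  # exactly one '@' is guaranteed by the regex
    domain = domain.lower()
    if domain not in ALLOWED_DOMAINS:
        return False, None
    return True, f"{local}@{domain}"


def recipient_matches_policy(allowed, recipient):
    """Invariant worth asserting before sending: if the address was allowed,
    the mailbox receiving the verification link is on an allow-listed domain."""
    if not allowed:
        return True
    return bool(recipient) and recipient.rsplit("@", 1)[-1].lower() in ALLOWED_DOMAINS
```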

~~~
Iv
I am not a webdev so I may be totally out of the loop here but when I was
still in engineering school I was told to never trust a user just because of
their email because it can easily be spoofed. It is not the case anymore?

And also I am a bit surprised that government employees don't have a way to
authenticate themselves?

I thought at least the president and several military staff already had secure
phone that used the (kinda unluckily named) Isis network?

~~~
Arathorn
the way the auth works is to send an email to the gouv.fr address to get the
user to click a verification link. this should be fairly trustworthy (ignoring
the bug here where verification mail got sent to the attacker’s address :|)

------
kerng
This is good. I like the initiative of a government actually trying to help
and that they open source it. And benefit others also.

------
auvi
I'm just wondering, what will the government do when the yellow vests start
using it to organize themselves. will they shut it down?

~~~
Iv
It is a fork of Matrix' Riot.im (ironical name in that setting) anyone can use
it right now. This specific one is only for government employees and I guess
is hosted on servers that are physically controlled by the government.

------
swiley
What's wrong with plain old XMPP, imap with IDLE or even IRC with logging?

This stuff is a solved problem and the only thing that makes it complicated is
that everyone wants to run the entire client on their iPhone, which is built
by a company who refuses to cooperate with everyone.

~~~
jplayer01
One of the best things about Matrix is its encryption and focus on security
while supporting modern features users want. Not sure why anybody anywhere
should have to settle for garbage like XMPP. Hell, this is one of the purposes
of Riot or Matrix existing. Providing an open source implementation and design
as a basis to build whatever an organisation or person needs. I'm not sure I
see the problem.

------
lousken
smart, now matrix will get tons of security audits essentially for free

~~~
j1vms
Much as we have the French to thank for having adopted Thunderbird many years
ago, and also reportedly helping to improve its security features.

[0] [https://news.ycombinator.com/item?id=988299](https://news.ycombinator.com/item?id=988299)

~~~
cmroanirgo
did not know that... and PS: that's one old post!

------
thefounder
Best feature: you don't need a phone number

