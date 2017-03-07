
* Google products that must be used in secure environments should be used with circumspection; this revelation makes that emphatically clear.
* Compare the security of Android - which we now know to be 'owned' by the US Government - with the security of iOS, which was the subject of a public and gruesome lawsuit about a year ago because the Fed could not hack iOS. My post on this topic: http://www.nodisclaimers.com/2016/03/apple-might-be-forced-t...
* Please be aware that the Chrome browser does not offer a secure local storage protocol for its developers - if you are using browser extensions or applications that store your password, it means that password is stored in plain text on your drive. Combine this with the revelation in today's papers, it gives you strong reason to suspect these passwords may be compromised. https://developer.chrome.com/extensions/storage
* For instance, the Mailvelope browser extension explicitly uses local storage to store your private PGP keys. Consider them compromised. https://www.mailvelope.com/en/faq
* Compare this to Safari, which offers secure local storage at OS level security: https://developer.apple.com/library/content/documentation/To...
Taken from my blog post I posted just now: http://www.nodisclaimers.com/2017/03/regarding-todays-wikile...
Disclaimer: I have just released and am in the process of continued work on an encrypted communications service called GibberIt: http://gibber.it . Criticism, feedback welcome; yes I am a practicing information and technology attorney; no I am not your attorney; no I am not speaking on behalf of my firm; my opinions are my own and subject to update upon the presentation of persuasive arguments or evidence.
According to the statement from WikiLeaks, government hackers can penetrate Android phones and collect “audio and message traffic before encryption is applied.”
The interception happens prior to the encryption being applied. Think of it as a dongle on the wire between your keyboard and the computer. It doesn't matter if the computer is secure - the message is intercepted prior to any encryption.
This is what I am assuming has happened here.
Given Google's stance of not encrypting local storage in any way that I am aware of, this is fundamentally unsurprising. I have long been saying that Android is insecure and that storing passwords in Chrome is dangerous. It is why I programmed my secure communications system, GibberIt, not to store its passwords in Chrome.
Disclaimer: yes, I am the author of GibberIt; yes I am a practicing information and technology attorney; no I am not your attorney; no I am not speaking on behalf of my firm; my opinions are my own and subject to update upon the presentation of persuasive arguments or evidence; yes feedback on anything is welcome.