I'm pretty sure Whisper Systems never get any private keys, because the private ...

jpollock · on Feb 24, 2014

Legal intercept legislation would likely require them to patch customer systems to allow the reporting of the key.

anaphor · on Feb 24, 2014

If you're really paranoid then you should build the code yourself from github, not just install the version on the play store.

bduerst · on Feb 24, 2014

In a compiler that was compiled by someone else. /tinfoil hat

TacticalCoder · on Feb 25, 2014

That's why in the future we'll be using compilers which are open-source and using deterministic builds and double-compilation (or "n-compilation") : )

sneak · on Feb 25, 2014

I recently discovered that there are no basic deterministic OS image builds (like a bootable .iso) with just a toolchain and wget and gpg and a shell.

I was surprised; seems like a good basic target.

LeonidasXIV · on Feb 25, 2014

Debian has an ongoing project for this, https://wiki.debian.org/ReproducibleBuilds driven by Lunar from the Tor project.

albeertoni · on Feb 24, 2014

Intercept legislation that applies to makers of non-interconnected (i.e., doesn't touch the PSTN) chat functions is extremely unlikely. I'm guessing whisper falls into that category.

I use Silent Circle myself, but I assume on Whisper you can't just type in a normal mobile number and have the chat message go to the right person. If you can, then those chats at least are subject to intercept, and maybe the other chats (whisper-whisper chats) are too. I don't remember how all those rules shake out/how courts have decided.

pbhjpbhj · on Feb 24, 2014

Wouldn't the relevant TLA just tell Google to enable the backdoor and then sniff the necessary keys from the device ...

privong · on Feb 25, 2014

Upon compiling TextSecure from source and installing it on my phone (I don't have the play store), I've discovered it requires the Play Store to do the "iMessage" style messaging over data. I guess the encryption is still done on-phone before being sent through whatever data API, but I still wonder if that (the play store being installed) might enable key-sniffing? Perhaps that's somewhat negated by users having a strong passphrase though?