
posted by mrpg on Wednesday January 18 2023, @12:59AM
from the riddle-me-$this dept.

Messenger billed as better than Signal is riddled with vulnerabilities:

Academic researchers have discovered serious vulnerabilities in the core of Threema, an instant messenger that its Switzerland-based developer says provides a level of security and privacy "no other chat service" can offer. Despite the unusually strong claims and two independent security audits Threema has received, the researchers said the flaws completely undermine assurances of confidentiality and authentication that are the cornerstone of any program sold as providing end-to-end encryption, typically abbreviated as E2EE.

Threema has more than 10 million users, which include the Swiss government, the Swiss army, German Chancellor Olaf Scholz, and other politicians in that country. Threema developers advertise it as a more secure alternative to Meta's WhatsApp messenger. It's among the top Android apps for a fee-based category in Switzerland, Germany, Austria, Canada, and Australia. The app uses a custom-designed encryption protocol in contravention of established cryptographic norms.

Researchers from the Zurich-based ETH research university reported on Monday that they found seven vulnerabilities in Threema that seriously call into question the true level of security the app has offered over the years. Two of the vulnerabilities require no special access to a Threema server or app to cryptographically impersonate a user. Three vulnerabilities require an attacker to gain access to a Threema server. The remaining two can be exploited when an attacker gains access to an unlocked phone, such as at a border crossing.


  • (Score: 1, Flamebait) by JoeMerchant on Wednesday January 18 2023, @01:26AM (17 children)

    by JoeMerchant (3937) on Wednesday January 18 2023, @01:26AM (#1287290)

    In this world of "legal puffery" - who in their right mind would buy a product based only on what the seller claims it can do?

    Anybody here ever use PowWow [wikipedia.org]? 24 years later, I would expect any serious "security oriented" messenger software to be open protocol, open source, and openly evaluated by independent reviewers as to its vulnerabilities or hopefully lack thereof.

    But maybe I'm living in a fantasy world [wikipedia.org].

    --
    🌻🌻 [google.com]
    • (Score: 2) by MostCynical on Wednesday January 18 2023, @02:21AM

      by MostCynical (2589) on Wednesday January 18 2023, @02:21AM (#1287293) Journal

      "billed as" means "promoted" or "marketed" or outright "lies were told"

      (PT Barnum wants a word...)

      expect a press release from the company: "no security breaches of our production system had been recorded"

      --
      "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
    • (Score: 2) by bzipitidoo on Wednesday January 18 2023, @02:23AM (2 children)

      by bzipitidoo (4388) on Wednesday January 18 2023, @02:23AM (#1287294) Journal

      A huge case of legal puffery is HIPAA, to protect patients' medical info. When people think about it at all (which is seldom), most suppose there is some federal agency that audits and verifies claims that some security is good enough for HIPAA. There isn't. That would take too much money and too much work. HIPAA is based entirely on the fear of being sued should there be a leak. Providers of what are claimed to be HIPAA compliant services could be lying their rear ends off, and as long as no one notices, and sues, they'll get away with it.

      • (Score: 2) by HiThere on Wednesday January 18 2023, @04:06AM (1 child)

        by HiThere (866) Subscriber Badge on Wednesday January 18 2023, @04:06AM (#1287315) Journal

        Sorry, but my doctor said that there was a federal list of HIPAA approved programs. Microsoft Windows was on the list. I believe that the version I was told was approved was XP, but I can't recognize MSWind versions by sight. (Well, this *WAS* a decade or more ago, so I suppose things may have changed. It's just that being on the list didn't imply any actual level of security. All it implied was that the doctor couldn't be sued for using it.)

        --
        Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
        • (Score: 3, Informative) by darkfeline on Wednesday January 18 2023, @09:15AM

          by darkfeline (1030) on Wednesday January 18 2023, @09:15AM (#1287338) Homepage

          HIPAA are laws that list large penalties for violations (YMMV, but in theory they could rack up very quickly as it is per instance of violation). HIPAA compliant means that they won't violate HIPAA. There's no certification, but false claims would likely result in both civil and criminal lawsuits.

          --
          Join the SDF Public Access UNIX System today!
    • (Score: 2, Disagree) by Mykl on Wednesday January 18 2023, @02:53AM (10 children)

      by Mykl (1112) on Wednesday January 18 2023, @02:53AM (#1287298)

      I don't think it's a requirement for a product to be open source in order to be security oriented. I would call that "FOSS Marketing" - i.e. a falsehood presented as truth to advance another agenda.

      I do agree that you can't take the vendor's word on anything about their product at all - independent review and assessment is definitely required.

      • (Score: 4, Informative) by JoeMerchant on Wednesday January 18 2023, @03:13AM (7 children)

        by JoeMerchant (3937) on Wednesday January 18 2023, @03:13AM (#1287301)

        I do think it's a requirement for a product to be open source in order to be security oriented; if it's not, how can you possibly rule out the existence of backdoors?

        --
        🌻🌻 [google.com]
        • (Score: 0) by Anonymous Coward on Wednesday January 18 2023, @09:16AM (2 children)

          by Anonymous Coward on Wednesday January 18 2023, @09:16AM (#1287339)

          >how can you possibly rule out the existence of backdoors?

          I've seen a number of cases where exploits/vulnerabilities have been undetected in OSS for DECADES.

          You can do it within reason even with closed source. Just try to make a contract with the company where if there's a backdoor found within the next X years the company gives you Y USD dollars and the company allows you to get a 3rd party to reverse engineer their stuff. If the company doesn't want to do that, then you can safely assume there are backdoors.

          Then you pay someone clever Y/10 to look for backdoors or serious exploits.

          You could do something similar with OSS too of course.

          • (Score: 3, Interesting) by JoeMerchant on Wednesday January 18 2023, @02:03PM

            by JoeMerchant (3937) on Wednesday January 18 2023, @02:03PM (#1287350)

            >I've seen a number of cases where exploits/vulnerabilities have been undetected in OSS for DECADES.

            Sure, but at least the opportunity to look for them is present.

            How many closed source products are reverse engineered to find ALL exploits - especially those intentionally obfuscated?

            --
            🌻🌻 [google.com]
          • (Score: 2) by JoeMerchant on Wednesday January 18 2023, @02:08PM

            by JoeMerchant (3937) on Wednesday January 18 2023, @02:08PM (#1287351)

            >Just try to make a contract with the company where if there's a backdoor found within the next X years the company gives you Y USD dollars and the company allows you to get a 3rd party to reverse engineer their stuff. If the company doesn't want to do that, then you can safely assume there are backdoors.

            >Then you pay someone clever Y/10 to look for backdoors or serious exploits.

            Yeah, just try that. Meanwhile, updates roll out every "Hot Patch Tuesday," and if the company is small enough to be bullied into such a contract they can just go bankrupt rather than pay.

            >You could do something similar with OSS too of course.

            The point isn't that OSS is inherently secure, the point is that it's at least cooperative enough to let you, or anyone you hire, try to find the vulnerabilities, and for a popular OSS you might even get lucky and have others finding exploits for you. Closed source? Good luck getting the vendor to even admit a vulnerability exists after outsiders publish exploits for it.

            --
            🌻🌻 [google.com]
        • (Score: 2) by SomeRandomGeek on Wednesday January 18 2023, @09:01PM (3 children)

          by SomeRandomGeek (856) on Wednesday January 18 2023, @09:01PM (#1287426)

          >I do think it's a requirement for a product to be open source in order to be security oriented, if it's not how can you possibly rule out the existence of backdoors?

          The open source model is a good one, but there are other models. For example, the user can get a contractual guarantee that the manufacturer will be liable for security failures of their product, and that the manufacturer will carry insurance so they can't just go bankrupt and stick the user with the bill when their product turns out to be crap. Then the incentive for good security and the responsibility for good security are in the same place, with the product manufacturer and the insurer.

          • (Score: 2) by JoeMerchant on Wednesday January 18 2023, @10:11PM (2 children)

            by JoeMerchant (3937) on Wednesday January 18 2023, @10:11PM (#1287443)

            >the user can get a contractual guarantee that the manufacturer will be liable for security failures of their product, and that the manufacturer will carry insurance so they can't just go bankrupt and stick the user with the bill when their product turns out to be crap.

            You ever try to buy insurance like that? Lloyds will write anything, but they may also bill you 100% of the max payout in a very short time for premiums.

            --
            🌻🌻 [google.com]
            • (Score: 2) by SomeRandomGeek on Wednesday January 18 2023, @11:45PM (1 child)

              by SomeRandomGeek (856) on Wednesday January 18 2023, @11:45PM (#1287462)

              Which is why most folks go for a third choice: Assume the risk themselves, and hope for the best.

              • (Score: 2) by JoeMerchant on Thursday January 19 2023, @02:01AM

                by JoeMerchant (3937) on Thursday January 19 2023, @02:01AM (#1287483)

                >hope for the best.

                If you really need security, that's an awesomely irresponsible choice. (And, I agree, the most common...)

                --
                🌻🌻 [google.com]
      • (Score: 4, Informative) by HiThere on Wednesday January 18 2023, @04:09AM

        by HiThere (866) Subscriber Badge on Wednesday January 18 2023, @04:09AM (#1287317) Journal

        What you should say, rather, is that being open source isn't sufficient to ensure security. If it's not open source, then all you have is the vendor's word for how secure it is. I suppose it *could* be secure anyway, but you couldn't know it was secure.

        --
        Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
      • (Score: 2) by sjames on Wednesday January 18 2023, @04:13PM

        by sjames (2882) on Wednesday January 18 2023, @04:13PM (#1287378) Journal

        If it isn't open source, how is that independent review and assessment supposed to happen?

    • (Score: 3, Insightful) by Barenflimski on Wednesday January 18 2023, @03:25AM

      by Barenflimski (6836) on Wednesday January 18 2023, @03:25AM (#1287303)

      There is nothing wrong with living in a fantasy world. You just have to be careful who you let in so they don't ruin it.

    • (Score: 3, Informative) by Samantha Wright on Wednesday January 18 2023, @06:18AM

      by Samantha Wright (4062) on Wednesday January 18 2023, @06:18AM (#1287323)

      Don't worry; it's not like Switzerland's reputation is at stake after the last time [bbc.com].

  • (Score: 3, Funny) by hendrikboom on Wednesday January 18 2023, @02:46AM (1 child)

    by hendrikboom (1125) Subscriber Badge on Wednesday January 18 2023, @02:46AM (#1287297) Homepage Journal

    How do PGP and GPG over ordinary email compare?
