They care in as much as they seem to believe that they alone will hold the keys and their own privacy would never be impinged. They're also very, very stupid.

Encryption has been legal in the west for that whole period too.

They only had access to private conversations for the last 100 years. Since telephone lines exist

Encryption in transit is HTTPS, that's not end to end.

What the bill is saying is we can't read your letters in the middle so we will read them over your shoulder instead. How comforting...

As soon as she said it was to protect the children™, it was obvious it was BS.

> "[...]we want you to invest in technology to get around this [encryption] problem, just for child abuse and sexual exploitation not for anything else"

uh huh....

She then goes on to say "we're not ending encryption in any way". So to phrase it all in another way: "we're not taking away the locks on your doors, all the doors will just use the same key."

[removed]

I’d love to see a paper linked, because that sounds absurd from the outset, lol

You should probably read the article.

This is most like a case of this. If authorities got into the phone of any participant in that group chat they could read it.

That the thing with all these apps, they're very user friendly for the user of the phone - just open the app and everything is available (unless you have a separate code in the app - typically opt-in).

If authorities want access (to communications), and the messages are not securely encrypted, they will find a way.

It's not difficult to encrypt data such that others will not find a way. But sometimes people don't.

The UK government is a vague organization.

Do you know who that is? Can you trust them with your information? Would you send them a copy of every message that you send anybody?

No, no, and no.

The military uses encryption that follows the same rules as other encryption.

They are generally more careful to make sure their crypto systems are secure. In theory.

The German military had a really good crypto system in WW2, and it was broken partly because humans made mistakes.

“Military grade” as in outsourced to the cheapest source and likely to be hugely overpriced when delivered?

These days, when it’s encrypted, a significant amount of time has to be put into decryption. So significant that the decrypted material will be irrelevant. (65 million years later, it doesn’t matter)

The difference is that signal is open source, whatsapp is not. Signal you can verify their encryption, whatsapp you just have to blindly trust.

No need to trust signals words, the source code is open source. You can know how every bit of data is processed for the version you are using and in what format it leaves the device.

If you don't trust the Play Store app distribution (which ideally you should not trust), compile the app from source nd you have complete control of the app as if you yourself have made the app for yourself.

Even signal can't themselves do anything fishy. The can almost give government most basic information like which time my app connect to them nd my ip because I connected to their servers.

TLDR It's not based on propriety model where you need to trust the app for what it is doing.

With signal complete privacy is in users hands and the message are encrypted when leaving the app. It's not possible for signal servers to know message content by design.

Bruh.. Lol

You clearly don't understand how encryption works to be commenting on the subject matter. Especially when you openly admitted:

> I'm not sure how exactly Signal and these other messaging apps implement their encryption

For starters, both Signal and WhatsApp use the Signal Protocol: an encryption standard that was engineered by Signal in-house. Also, Signal is open source meaning that anyone can verify their source code on how the app was constructed. Signal wouldn't tamper with their code and even if they did, Signal is set up in such a way that any adversary that wanted to snoop would need the device itself to discover the messages.

Do more research my friend.

You can't offer a back door without risk that others will use it.

If you produce messages that can be read by two keys, the recipient or key XYZ which is held by the UK government then anyone who gets that XYZ key can decrypt every message.

On top of that, the politics of back doors are just too problematic. If you give the UK a back door then Russia can come to you and demand one too. Any government, by establishing a precedent that they get a back door opens up to services giving access to their enemies too.

There's no such thing as a secure back door.

A back door is code for "other people can read your message that you thought was secure".

> I'm not sure how exactly Signal and these other messaging apps implement their encryption, but they could easily claim end to end encryption while offering governments a "back door" to decrypt and read everyone's messages.

You should have stopped at "I'm not sure how exactly Signal and these other messaging apps implement their encryption," because you go on to say something that's completely wrong. Signal can't decrypt anyone's messages. The devices that are talking to each other across Signal's infrastructure use local public and private keys that Signal as a company doesn't possess.

The most that Signal could do is make the Signal software take the cleartext messages after decryption and send them somewhere, but the Signal applications are open and auditable, and something like that would be discovered, and would mean the death of the company.

If it’s e2e encrypted then by definition no middle man can access the unencrypted data, only the two ends. No matter how much the server/government/anyone listens in. Of course they can still get the data after the decryption on one end, so the sending device has to be trusted itself.

They have the ability to attach ghost users, the reason they say is moderation/spam, but no backdoor needed with that. The ghost user is able to decrypt like a regular user and syphon out the info.

This was proven with WhatsApp not too long ago and Signal also has the ability to attach users.

Any "secure" encrypted messenger that allows more than 1 to 1 connections will always have the potential for the "ghost user" problem.

System level some use additional connections/recipients for spam/moderation and the moment you allow any invisible/visible group users in, there is a massive potential for an exploit.

Additionally you have the potential for forking off messaging to other users at the system level for either oversight or spam/moderation/other. Some of the compromised systems out there use this very well.

A sneaky way some of these "secure" messaging apps are also doing this is ghost participants in the chat that can essentially syphon off the messages even without a compromised client. The ghost participant is always under the guise of moderation or anti-spam or telemetry or some other proprietary shim.

> The code shows that the messages were secretly duplicated and sent to a “ghost” contact that was hidden from the users’ contact lists.

Lots of "secure" messaging apps do this for intel and surveillance and not just the white hats.

Other areas that "secure" messaging apps have holes in is the anti-spam/moderation systems that need to view messages and in the clients themselves who have access to the unencrypted content. This is also taking place in other client apps as well: VPN, password managers, extensions, wallets, even build systems and more. Many like VPNs have logs sent elsewhere but deleted locally -- access to entire machine and all network access. People are way too trusting of "secure" systems/apps that are very common today based on trust.

All of these apps/systems would pass code checks, reviews, security inspections and essentially be encrypted/"secure" though a copy is sent off to another area for review. At runtime the leak is in the direction of the data.

Then you also have governmental oversight that opens up holes that can be exploited.

On Ghost Users and Messaging Backdoors

> to add a “ghost user” (or in some cases, a “ghost device”) to an existing group chat or calling session. In systems where group membership can be modified by the provider infrastructure, this could mostly be done via changes to the server-side components of the provider’s system.

> I say that it could mostly be done server-side, because there’s a wrinkle. Even if you modify the provider infrastructure to add unauthorized users to a conversation, most existing E2E systems do notify users when a new participant (or device) joins a conversation. Generally speaking, having a stranger wander into your conversation is a great way to notify criminals that the game’s afoot or what have you, so you’ll absolutely want to block this warning.

> While the GCHQ proposal doesn’t go into great detail, it seems to follow that any workable proposal will require providers to suppress those warning messages at the target’s device. This means the proposal will also require changes to the client application as well as the server-side infrastructure.

> (Certain apps like Signal are already somewhat hardened against these changes, because group chat setup is handled in an end-to-end encrypted/authenticated fashion by clients. This prevents the server from inserting new users without the collaboration of at least one group participant. At the moment, however, both WhatsApp and iMessage seem vulnerable to GCHQ’s proposed approach.)

WhatsApp users can now ghost group chats and delete messages for days WhatsApp's latest updates support increased privacy and second-thoughts.

Other messengers also have issues.

Signal + Telegram

• Default settings in Telegram aren’t encrypted, same with Signal

• Both sides of a Signal or Telegram conversation have to both have the encryption on

• Anti-spam filter has to check actual content (proprietary and third party in some cases)

• Shrouded spectator connections to your chat that may not be visible to you -- part of moderation/spam proprietary hooks. You could have a perfectly clean secure software platform that can still be exposed via normal usage to get data on client or with someone that has access to your comms unencrypted.

• Connected through your phone number and also your location which narrows it down to exactly you, this is more damning than using ADID, UDID or MAC as this WILL follow you across everything.

• Users have to be identity validated before they use the app beyond ID bridging.

• They might be bought someday by someone more unscrupulous with data, all that history going to a private equity firm.

• Clients have full access to unencrypted data, as well as the server with private keys

• Even if you trust them now they may not be trustable in the future, see LastPass for an example or Auth0 or ad blockers/extensions or VPNs or even password managers that you trust. All of those need a client on your machine that will have access to elevated permissions and your unencrypted data as they are clients.

• Source code is delayed after builds. Open doesn't mean much to the end binary if they are putting in proprietary areas and the hash/checksum will be different all the time. Who knows what is in it.

• Signal gets location, number, identity and more and where you are at. Extreme example: if they know when you shit, they can stage a robbery from third party actors and craigslist style contractors while you’re taking a dump, technically. They know when you’re out for the evening.

• Also if you have location tracking off they still have IP and device identifier as well as geofenced notifications that don't need the location permission always on. Geofenced location can wake up the app at any time.

• Signal is recommended by Edward Snowden, Glenn Greenwald, Jack Dorsey and Elon Musk as well as many other potentially sketchy people. Originally these guys were played nice but the people behind them are sketch (Elon being authoritarian funded for instance). Edward Snowden is in Russia and Glenn Greenwald can't say a bad word about Putin. Sketchy that they are the featured testimonials as well as people connected to them.

• Telegram is funded by Pavel Durov who is essentially Russia's Zuckerberg who is also authoritarian funded. Durov made VK (Russia's Facebook from same MailRU/DST Global funding) and then made their "secure" messenger. Brian Acton ran WhatsApp, bought by Zuckerberg, then made Signal a "secure" messenger. Similar story, same sketchiness even if Signal is less sketchy than Facebook/WhatsApp/Telegram. If someone from Facebook/Meta broke off now and created a "secure" messenger would you believe it and use it now? nah. You think the guys that build social media surveillance aren't just better at it with messengers, a big risk. Alarm bells should be going off if you have good opsec.

• Telegram feature exposes your precise address to hackers - Messenger maker has expressed no plans to fix location disclosure flaw.

There are NO secure messaging apps, none, unless you wrote your own encryption and shared it with the third party and encrypted before sending outside of that system entirely. If you send an email, that had like PGP that would have worked for a while until the backdoor (Phil Zimmerman was in decades long cases relate to this). But if you make your own encryption and are sending messages in the clear you will get visits so really only military/intel are allowed that. Spy/intel agencies do that all the time but they shroud the messages in content like in the Illegals Program

There is a reason why these "secure" messengers all exploded in the 2010s...

If you think that there are any secure messengers, you are naive. There is always a way to get access to the input, side channel or through a temporary/targeted hole like how Russia/Saudis/MBS/Trump did with Bezos and WhatsApp. That is another area where these "secure" messengers are compromised, in targeted attacks or temporary holes which just happened recently where 1900 people were compromised and they were targeting 3 numbers in it. There is also the social hole where any member of that chat would also have copies.

> Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered.

What is the ownership % for Android tablets vs iPad I wonder? I sort of just assumed Android tablets were no longer a thing. Do they run android still or is it ChromeOS?

Well that's lame.

Just download the apk and install it manually

What are you using a work laptop for non-work messaging for?

Well considering you can exfiltrate data through the app I suspect your security team would remove it anyway.

That's great. You don't want to give them access to it anyway.

Is it possible to use homebrew?

It’s UK, not US.

These guns in the schools?

British comedy.

vs. American comedy.

Clowns to the left, jokers to the right.

TIL. Thank you!

And TBH because no one outside the US still uses SMS/MMS.

Probably because it’s extremely expensive too

[removed]

NIST is the entity heading the crypto competitions, the two I’m aware of/contributed to on are Light Weight Crypto (LWC) for small embedded IoT devices and Post Quantum Crypto (PQC) for larger devices like computers and such aimed at securing our devices from quantum attacks that can easily break RSA and cut AES times in half.

The competition sites I know of

https://csrc.nist.gov/Projects/lightweight-cryptography

https://csrc.nist.gov/projects/post-quantum-cryptography

There are links to the remaining algorithms in the finalists/round 4 respectively.

CRYSTALS-DELITHIUM for pqc digital signature is already being used in some new specialized processor among a couple others. CRYSTALS-KYBER is likely to replace RSA.

Last I looked into it I think GRAIN-128 AEAD will be the new LWC alg.