Dark Arc @ Dark_Arc @social.packetloss.gg

Hiker, software engineer (primarily C++, Java, and Python), Minecraft modde

---

Read more

Posts

78

Comments

2,258

Joined

2 yr. ago

Moderating

---

As you said, if PFS can be disabled by enabling a feature on the receiving end it's by security practices not enabled, in the industry that's called a downgrade attack and considered very bad practice.

I don't have an iOS device to know for sure but I'm fairly certain they inform you and participants in your chats about the PFS interruptions. It's a temporary problem you have to deal with to use a beta application.

One of their devs was on mastodon talking about how PFS was more complicated with their design than they expected because they need to sync up the devices. Signal took the approach of sending one message to every device and Threema sends it to one of your devices and then that device sends it to the others. From what I understand this makes the PFS session key synchronization harder for Threema so it's not implemented yet.

This was their initial tweet: „There’s a new paper on Threema’s old communication protocol. Apparently, today’s academia forces researchers and even students to hopelessly oversell their findings“

The issue with Signal Desktop however, required full file system access to your device at which point, there is nothing stopping the attacker from simply using a key logger, capturing your screen, etc.

Right but in practical terms many of the findings cited against Threema were equally if not more doubtful. I don't know who the "big security researchers" you're referencing are, but ... as someone in the tech sector myself I do tend to agree that we've gotten to a place of really happenstance exploits being sold as if they're like the old zero days where the user doesn't have to do anything, it works 100% of the time, and the user loses control of their system.

If that quote is real ... I think they were probably just miffed that the researchers didn't discuss the fact that they were already in the later design stages of protocol improvements and made their findings sound far more plausible to exploit than they were.

There's just a double standard here too... Threema gets shit for downplaying an exploit where you literally have to have physical access to the device, but it's totally fine that signal didn't even use basic operating system functionality (the keychain) to protect data at rest -- that's a physical AND digital risk?

I think that's a characterization of what happened but not necessarily a good representation of what actually happened.

Yes, some researchers in Zurich found vulnerabilities. Yes they down played them ... because you still couldn't read anything. They were also already working on a new protocol before those researches wrote their paper and yes I'm sure they made some tweaks based on their findings.

This is their response; I'd hardly call it "insulting" https://threema.ch/en/blog/posts/news-alleged-weaknesses-statement

You could say the same thing about Signal's response to their "desktop security scandal" earlier this year (of which Threema wasn't vulnerable and Signal repeatedly refused to acknowledge as a problem).

yet it still doesn't support critical features like full forward secrecy

They do support PFS (perfect forward secrecy) though their new multi-device solution doesn't yet support it.

https://threema.ch/en/blog/posts/ibex

This is the same protocol they were already working on when the "researches they insulted" released their research finding issues with the old protocol.

Threema is also far more active with third-party audits than any other group: https://threema.ch/en/faq/code_audit

They severely mishandled vulnerabilities by insulting the security researchers, then introduced a new protocol they built with the advice given to them for free from the SAME researchers before that, and yet it still doesn't support critical features like full forward secrecy.

IMO this entire sentence is just wrong.

IMO, they wouldn't

I'd also recommend taking a look at Threema.

I think their product direction is a bit better. Particularly as Signal still shows a message that they don't back sync messages before you paired devices "for your security" ... Threema also doesn't back sync messages in their beta multi device setup, but that seems to be more less of a product stance and more of a "we just don't do it yet."

Threema is definitely missing some features like emoji reactions, stories, and a builtin cryptocurrency (which depending on your stances might be pros or cons).

Both apps have definitely gotten better over the years; I think Threema's multi device support has really drained resources on their side so there hasn't been as much outward feature work. I'm hoping it won't be terribly long until that changes.

Then not to be aggressive about it, but go get qualified or stop spreading FUD honestly...

Yeah we also just REALLY need to protect every game company at this point because Tencent seemingly has infinite pockets and China sure isn't upset about that.

Yes, they did give that exact example just with the opposite political framing.

I've had friends 20 or 30 years older for well over a decade.

... your son is an adult. I think you're being the weird ones about this personally.

Yeah, I think with all the bugs this year... They don't really deserve it sadly

I would phrase that as "don't count out people with tattoos." There are definitely some people with tattoos that you still don't want to talk to (100% agree in 2024 though, tattoos themselves do not mean someone's a bad person and some of those folks are lovely) haha

Yeah I'm with you. Just reinforcing the cockpit doors is enough to take care of the majority of the problem.

They can bomb a plane but they can also bomb a bus or a subway.

As someone that was 6 when 9-11 happened, I think this country majorly overreacted and made the state itself one step closer to an authoritarian nightmare.

Yeah this is captured by the "need" with a bunch of up votes in this thread... The average person just doesn't "get it."

I'm not sure there's any other good reaction than the one you had.

Maybe he was just "checking you out" and being very untactful and impolite about it (i.e. he's just awkward).

Maybe he was looking at something else near you ... but probably not.

But also maybe, he's not right in the head and was thinking about doing more than just looking...

My advice (as a guy) is either:

• Look for another person nearby (or a couple/group), voice your concern, and ask them to walk with you away from the situation.
• If that fails, just do your best to leave but stay situationally aware.

I'm also going to add, that "look for help thing" includes looking for random guys that weren't creeping you out that might be walking by. I know there's the whole stranger danger thing that most of us were raised with, but ... most guys are not rapists. If you just look for a normal looking dude (or someone that really looks like they've got their shit together) and ask them... I'd say 9/10 they'd be more than happy to get you out of that situation.

We need to (as a society) normalize women letting guys know about problematic men.

Gamers do this stuff -- what feels like -- all the time now. I don't get the DLC hate. Not every instance of "give me more" needs to be an entirely new full price game.

Is that a callback?

Well that's certainly an encouraging thumbnail...

That's exciting! I wonder how long until this makes it to the release branch?

I wish they went into more detail; this just basically confirms stuff we already were pretty sure was happening.

The crazy part is Mozilla basically invented that idea with Prism back in the day ...

I don't think that's an accurate statement. It sounds like he's giving them a fortune, just not an unbelievable fortune that would give them and their children's children's children a fortune.