Follow

INFOSEC PEEPS:

How's Wire for Infosec/OpSec? Any reasons I should be concerned about it? It's run by a private company but would they be able to turn anything incriminating over to feds if asked? Do they have policies around it? Is the protocol trustworthy or is it like telegram?

Please lmk! Thank you!

@shel

okay so

Wire GmbH is a Swiss corp

on signup they have
- your provided e-mail address
- your source IP address
- optionally your phone number if you sign up that way
- hashed+salted account password
- optionally your avatar picture

All messages and calls are E2E by a variant of Signal's E2E protocol. This is a proven and trustworthy protocol.

They have been 3rd party audited, and also a security whitepaper that goes into more detail.

wire-docs.wire.com/download/Wi

wire.com/en/security/#audits

@packetcat @shel ALSO: Messages (and iirc call start/ends) are passed along through their infrastructure, which means they have ability to access the metadata:
- who talked
- to who
- when
- how much

They might very well not COLLECT that data, and also there would likely maybe be jurisdiction issues with handing that data over to US authorities (IANAL), but no TECHNICAL barriers.

(This is the case for 100% every current normal chat platform.)

@packetcat @shel The field of development currently dealing with this metadata stuff is "Metadata-Resistant" stuff.

The most stable thing in the field right now is Briar (Android only*): briarproject.org , aimed at maintaining secure comms against adversity (e.g. has a Local Mesh mode).

The next most promising thing is OpenPrivacy.ca 's Cwtch (Android and all Desktop, active alpha),
aimed at being a groundwork for safe group converations/spaces.

@er1n If it doesn't that I've COMPLETELY misunderstood large parts of their self-description.

@packetcat @shel
* On Briar's platform availibility: v1.2.7 on Android and very stable/tested there, but that's it for stable -- there's a desktop app that's had it's first Alpha a month ago, is packaged for Linux but is GTK, Python, and Java so portable. iOS is by its design relatively hostile to the design necessities iirc, but they'll take a crack if they get funding.

@packetcat @shel I also wanna specifically say more about Open Privacy ( openprivacy.ca ) and rec them as a group to keep an eye on, because they're a Canadian non-profit who are EXACTLY the type of people needed here, specifically working on crypto, infosec analysis/tools, and metadata-resistant applications with marginalized groups and protest/rebellion as their announce target demographic.

They're extREMELY fricking GREAT.

@packetcat @shel (Other recent Open Privacy projects include Lockbox, specifically designed for very auditably securing mutual aid group webforms: openprivacy.ca/blog/2020/04/14 )

@gaditb @packetcat I really need something that supports both Android and iOS

@shel uses libratchet last I recall, partially owned by US nationals

advertised as like slack but with signal-like encryption. their backend is written by serious programmers but may contain flaws. has been audited in the past.

that's from memory

@shel if you pay for service, they'll have your name and billing info. The end-to-end encryption protocol is based on Signal's double-ratchet protocol. As a non-expert, I'd guess they're as unlikely to be able to hand over plaintext messages as Signal or Apple are. Highly resourced attackers will always find a way, if they care about you personally. The most secure way to communicate remains using one-time pads and dead drops.

@shel my friend says: some metadata is stored in plain text & has been quietly(?) migrated from swiss to US facilities

¯\_(ツ)_/¯

Sign in to participate in the conversation
snouts dot online

snouts.online is a friendly, furry-oriented, lgbtq+, generally leftist, 18+ sex-positive community that runs on mastodon, the open-source social network technology. you don't need a snout to join, but it's recommended!

snouts is supported by its community! check us out on patreon!

special thanks this month to these snouts! it's thanks to you we're able to make this place what it is! ❤️

@owashii@snouts.online | @hyperlink@snouts.online | @jay@snouts.online | @caymanwent@snouts.online | @devan@snouts.online | @stellarstag@snouts.online | @shadow8t4@snouts.online | @asonix@asonix.dog

@furkachi@snouts.online | @knightly@snouts.online | @phenokage@snouts.online | @wolfpede@snouts.online | @shooshy@snouts.online | @doubledensity@snouts.online