[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] TIMB vs TextSecure



On Sat, 2014-03-01 at 09:07 +0100, Felix Eckhofer wrote:
> Hey.
> 
> Am 01.03.2014 08:23, schrieb Gordon Morehouse:
> > With the news hitting some tech sites about TIMB, I went digging
> > around briefly to find the reasoning for rolling something anew rather
> > than backing e.g. TextSecure. (I know there are serious questions
> > about the security of Telegram.)
> > 
> > I'm sure there is a good reason, but what is it?
> 
> Using Tor gives you a few properties that no other instant messaging 
> solution can currently provide.
> 
>   - The IM server can not learn your IP.
>   - A network observer can not learn that you are using IM (just that you 
> are using Tor).
>   - You cannot block the IM service without blocking Tor.
> 
> Furthermore, there are (in my opinion) still some serious problems with 
> TextSecure, most importantly:
> 
>   - Only phone numbers as identifiers.
>   - Sends your address book to the server in full (hashed, but that 
> doesn't mean anything for phone numbers). No opt-out if you want to use 
> the push transport.
>   - Requires Google Play to be installed and uses GCM for notifications.
> 
> Though moxie has plans to address these problems, they currently exist.

These aren't "problems" -- TextSecure was designed to address a
different use case than Tor.

TextSecure is a drop-in replacement for the Android text messaging app,
and only incorporated data-channel messaging because it's impossible to
write custom text message clients on iOS, as far as I can tell.

For text messaging, anonymity in the Tor sense doesn't make sense. Phone
numbers are the only identifier you have for obvious reasons.

If you to be anonymous, TextSecure obviously isn't for you, but SMS
messaging also isn't for you. ChatSecure exists in the mobile space for
exactly this purpose.

If you want to be able to passively upgrade the security of a
communications channel nearly all people use, TextSecure is the right
tool.

I think a lot of Moxie Marlinspike's approach to security is laid out in
this Defcon talk: https://www.youtube.com/watch?v=eG0KrT6pBPk


-- 
Sent from Ubuntu

Attachment: signature.asc
Description: This is a digitally signed message part

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk