
How does "open protocols and publicly documented cryptosystems" help when the carriers are mandated by law to have backdoors so they can fulfill "lawful intercept" requests? You're better off treating it as untrusted and using your own encryption on top (eg. Signal).



Implementing a legally-mandated wiretap requirement like CALEA doesn't require you to break your protocol (i.e. the transport layer). It is implemented at the application layer, on the server. You can still have cryptographically secure communication between client and server while complying with wiretap laws.

If you're concerned about your government intercepting your communications with a warrant, there's not really anything you can do except move to an E2E encrypted app like Signal. But if you're OK with only being monitored if a judge signs a warrant, then the GP's suggestion helps.

These protocol backdoors are more dangerous than application-level wiretaps because anyone can find and use them; they might be private at first, but once they are discovered there's usually no way to fix them without moving to a new protocol (version).

Protocol breaks seem to me to be more in the category of "added by the NSA through subterfuge or coercion in order to enable illegal warrantless surveillance", which I find much more concerning than publicly-known processes with (at least in theory) established due process like CALEA wiretaps.

> You're better off treating it as untrusted and using your own encryption on top (eg. Signal).

But yes, this is a sensible approach to the world-as-it-currently-is.


Especially a secret judge, in a secret court.

I always consent to that.


It doesn't help against the local authorities. But it will help against criminals and foreign authorities. E.g. most of the world's capitals are packed with IMSI-catchers and passive eavesdropping devices operated from embassies. This spying on foreign soil would be impossible if mobile phones were any good with regards to security.

And signal isn't really very helpful in this scenario, because it doesn't properly protect against MitM attacks.


How does signal fail to protect against MITM attacks? Given that it's end-to-end encrypted, wouldn't an attacker have to force a change of keys to MITM you? In which case you should be notified by signal that the keys were recently changed.


Signal only implements a very weak form of trust-on-first-use for keys. So there is no authentication and no security for a first contact. Subsequent communication can be protected by meeting in person and comparing keys, which nobody knows about. Signal doesn't ever tell you about this necessity and doesn't have any option to e.g. pin the key after manual verification or even just set a "verified contact" reminder.

Being warned about a changed key is only sensible at all if the one before that was verified. Otherwise, how do you know everything wasn't MitMed in the first place? Also, most users ignore the warning if the next message is "sorry, new phone, Signal doesn't do key backups". Which everyone will understand and go along with, because they either don't know about the danger there, or because they know Signal really doesn't do shit to provide authentication continuity through proper backups.

Signal is only suitable for casual communication. Against adversaries that do more than just passive dragnet surveillance, Signal is either useless or even dangerous to recommend. It is intentionally designed just for this one attack of passive dragnet surveillance, nothing else. Please don't endanger people by recommending unsuitable software.


> So there is no authentication and no security for a first contact.

Note that the only alternative is to trust a third party to identify people to you. I guess you might have forgotten to mention that. Or, as seems more likely, you don't realise you're trusting a third party... But of course if you do trust a third party to identify people to you, you wouldn't need this Signal feature, so...

> Signal doesn't ever tell you about this necessity and doesn't have any option to e.g. pin the key after manual verification or even just set a "verified contact" reminder.

Signal does, in fact, explain how this works, provide a "Verified" flag you can set on contacts, and automatically prompt you if the Safety Number changes for contacts you've marked as verified, as well as removing the flag if that happens.

> Signal really doesn't do shit to provide authentication continuity through proper backups.

Leaving copies of your data around to enable "authentication continuity" aka enable seamless Man-in-the-Middle attacks is exactly opposite to Signal's actual goal here.
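The two comments above disagree about what a key-pinning client should do on first contact, after an in-person comparison, and when a pinned key later changes. The following is an added example written for this thread, not code from Signal or from any commenter: a hypothetical trust-on-first-use store with a per-contact "verified" flag. Identity keys are random bytes generated as constructed sample data, and the "safety number" shown is a simple hash fingerprint in a made-up 30-digit format, not Signal's real algorithm.

```python
from dataclasses import dataclass
from enum import Enum
import hashlib
import os


class Outcome(Enum):
    FIRST_CONTACT = "first contact: key pinned but NOT authenticated (TOFU)"
    UNCHANGED = "key matches the pinned key"
    CHANGED_UNVERIFIED = "key changed on an unverified contact: warn"
    CHANGED_VERIFIED = "key changed on a VERIFIED contact: alert, verified flag cleared"


@dataclass
class Pin:
    key: bytes              # the contact's long-term identity public key
    verified: bool = False  # set only after an out-of-band safety-number comparison


class TofuStore:
    """Per-device store of pinned contact keys (hypothetical, not Signal's code)."""

    def __init__(self, own_key: bytes):
        self.own_key = own_key
        self.pins: dict[str, Pin] = {}

    def safety_number(self, contact: str) -> str:
        # Both sides hash the same (sorted) pair of keys, so they compute the
        # same string and can compare it in person. Constructed format:
        # 30 decimal digits in groups of 5 (not Signal's real algorithm).
        a, b = sorted([self.own_key, self.pins[contact].key])
        digest = hashlib.sha256(a + b).digest()
        digits = "".join(f"{byte % 100:02d}" for byte in digest[:15])
        return " ".join(digits[i:i + 5] for i in range(0, len(digits), 5))

    def observe(self, contact: str, key: bytes) -> Outcome:
        """Called whenever a session with `contact` presents an identity key."""
        pin = self.pins.get(contact)
        if pin is None:
            # TOFU: nothing to compare against, so pin it and move on. This is
            # the "no authentication on first contact" case from the thread.
            self.pins[contact] = Pin(key)
            return Outcome.FIRST_CONTACT
        if pin.key == key:
            return Outcome.UNCHANGED
        was_verified = pin.verified
        # Re-pin the new key but never carry the verified flag across a change:
        # a genuine "new phone" and an interposed key look identical here.
        self.pins[contact] = Pin(key, verified=False)
        return Outcome.CHANGED_VERIFIED if was_verified else Outcome.CHANGED_UNVERIFIED

    def mark_verified(self, contact: str, number_read_from_peer: str) -> bool:
        """Set the flag only if the string compared out of band matches ours."""
        if number_read_from_peer != self.safety_number(contact):
            return False
        self.pins[contact].verified = True
        return True

    def may_send_sensitive(self, contact: str) -> bool:
        # Policy suggested in the thread: hold sensitive traffic until verified.
        pin = self.pins.get(contact)
        return pin is not None and pin.verified


def demo() -> dict:
    """Walk through first contact, in-person verification, and a key change."""
    alice_key, bob_key = os.urandom(32), os.urandom(32)  # constructed sample keys
    alice, bob = TofuStore(alice_key), TofuStore(bob_key)
    result = {}
    result["first"] = alice.observe("bob", bob_key)
    bob.observe("alice", alice_key)
    result["sensitive_before"] = alice.may_send_sensitive("bob")
    # Both sides display the same number; Alice reads it off Bob's screen in person.
    result["numbers_match"] = alice.safety_number("bob") == bob.safety_number("alice")
    result["wrong_number_rejected"] = not alice.mark_verified("bob", "00000 00000")
    result["verified"] = alice.mark_verified("bob", bob.safety_number("alice"))
    result["sensitive_after"] = alice.may_send_sensitive("bob")
    result["same_key"] = alice.observe("bob", bob_key)
    # A different key now appears for "bob": new phone or an interposed party.
    result["changed"] = alice.observe("bob", os.urandom(32))
    result["sensitive_after_change"] = alice.may_send_sensitive("bob")
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value.value if isinstance(value, Outcome) else value}")
```

The design choice worth noticing is that `observe` never preserves the verified flag across a key change, and `may_send_sensitive` stays false until the user repeats the comparison; a client that silently re-pinned and kept the flag would turn the "sorry, new phone" message into exactly the seamless substitution the comment above warns about.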


> Note that the only alternative is to trust a third party to identify people to you.

No, the proper alternative is blocking or discouraging sensitive communication until an in-person verification has taken place.

Also, you are always trusting a third party. You have to trust the Signal people (maybe), you have to trust Intel and their SGX (lol, look for some papers on those) and you have to trust your phone vendor. Proper security educates people about whom they are currently having to trust. Spinning it like no third party needs to be trusted for Signal to operate is dishonest.


Earlier you claimed that users will just ignore safety measures, and now you say that of course they'll obey them.

> You have to trust the Signal people (maybe), you have to trust Intel and their SGX

You don't have to trust either. SGX only gets involved if you are willing to trust it in exchange for having quality-of-life features which are optional. The sort of person who never verifies Safety Numbers probably should take that deal, the sort of person who needs Safety Numbers to protect them from the Secret Police should consider carefully.

The most important thing SGX is doing for you is making guesses expensive. If your Signal PIN is a 4-digit number then SGX's expensive guesses make it impractical for an adversary to just try all the combinations, but if your Signal PIN is 12 random alphanumerics then that's too many guesses to be practical anyway even without SGX.


Are there any reasonable case studies of individuals or groups being targeted by pitm of signal?


>And signal isn't really very helpful in this scenario, because it doesn't properly protect against MitM attacks.

I suppose it depends on where exactly the Middle here is, but for basic MitM of the physical network, if nothing else shouldn't the TLS connection to Signal's servers be sufficient?


Encryption in cellular systems is to protect over-the-air signals. It's irrelevant when it comes to 99% of legal interception because for that law enforcement simply asks the network operator to share the plaintext traffic from within the network.

If you want no one to be able to eavesdrop then yes, you have to have your own encryption on top. These days a lot of data already goes through TLS, but for instance standard voice calls are obviously transparent to operators.



