
"How can we be sure a 3rd party implements the encryption properly" is the counter-argument.

How would you refute that? Trust users to check that some code is the same on both devices? What would prevent a bad actor from MITMing the whole thing from the start?




> What would prevent a bad actor from MITMing

It's not man-in-the-middle, it's man-on-the-end. If your chat app wants to spy on you, there is nothing you can do, but at least it becomes obvious and easy to analyze because it's client-side code. It's not a counter-argument to interoperability. You need to trust both sides, the same way the web works.


Hmm, but it’s OK to trust that web browsers implement TLS properly? And your router isn’t MITMing you? Or your SSH app exfiltrating all your server information? Why is this different?


> And your router isn’t MITMing you

Can it do so if the encryption and key management are at the client?

> Or your SSH app exfiltrating all your server information

That's a small niche, and most services don't expose SSH to the public.

> OK to trust that web browsers implement TLS properly

Hmm, you may have a point, maybe they'll ensure that only whitelisted browsers can access it, like Chrome with DRM for HTML. Only purpose is public safety. /s


Pretty simple actually, it either decrypts successfully or it's not implemented correctly. Same way push notifications work.


FWIU, this[1] was decrypting iMessages successfully, but was also storing all your iMessages in a server-side database accessible to the server (instead of being E2E encrypted like iMessage is supposed to be) and leaking the authentication token to access the iMessages over unencrypted HTTP.

[1] https://arstechnica.com/gadgets/2023/11/nothings-imessage-ap...



