> What does PFS have to do with minimizing metadata?
Absolutely nothing. You are correct.
The thing is the research behind this talk is unpaid independent research, done in my free time. So I had to set some arbitrary criteria to filter the dozens of applications to study. If people want me to study a specific application, my rate is 500€/day (which is lower than my standard rate; a sacrifice I am willing to make because I think there is a social value to this work).
My belief is that E2EE, PFS and ephemeral messages are the minimum requirements for a secure messaging application to be taken seriously.
These are beliefs. Some people might have different beliefs and that's obviously OK.
So when people ask me "Have you considered Delta Chat?", my answer is "lol, no, they don't even have PFS; let's talk about serious applications".
The truth is I did fund Delta Chat, studied it and even contributed to its translation. There is value in Delta Chat, and I am not denying it. But if I have to use an application to secure my communications, Delta Chat is not a valid option for me. Sorry.
---
> Can you link a real-world case where PFS played a role and protected someone from repressive persecution?
PFS protects against the recovery of past communications that were recorded and ultimately decrypted after the attacker gets access to the key material. People able to set up dragnet surveillance are generally working for intelligence services and law enforcement. They don't tend to brag about their methods in the press.
Still, the NSA (Prism) showed the world that there are nations recording large amounts of Internet traffic. Pegasus showed that mobile phone surveillance and key extraction are a thing.
The (almost) general adoption of ephemeral messages shows that the public is aware that when law enforcement forcefully unlocks your phone, you don't want to have your personal conversation lying around. But what about your key material?
Well, if you don't have PFS, law enforcement will get their dirty hands on it... and with that, they will get access to all past conversations that you thought were confidential because you used ephemeral messages.
My point is ephemeral messages are pretty much useless if your adversary recorded your encrypted conversations and you don't have PFS.
So do I have a real-world case where PFS played a role? No.
Do I know real-world cases where ephemeral messages prevented law enforcement from accessing someone's data? Yes.
Do I know real-world cases where traffic was recorded and decrypted on the side thanks to the lack of PFS? Yes. I even worked for a company building surveillance appliances that do that... (not being too proud about that but hey... not having PFS is a serious flaw in my book).
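The "record now, decrypt after the key leaks" scenario described in the post, as an added example that is not part of the original post: two sessions are recorded off the wire, one keyed from the long-term keys alone and one keyed from per-session ephemeral Diffie-Hellman keys whose private halves are discarded. When Alice's long-term private key is later extracted, the first recording decrypts and the second does not. The group (Mersenne prime 2^127-1, generator 5) and the HMAC-based stream cipher are toy constructions chosen so the demo runs with the standard library only; they are assumptions for illustration, not anything a real messenger uses.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption, not from the post): the Mersenne prime
# 2^127-1 with generator 5. Far too small for real use; it only keeps the demo
# self-contained with the standard library.
P = (1 << 127) - 1
G = 5


def dh_keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    """Derive a 32-byte session key from a DH shared secret."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(b"toy-session" + shared.to_bytes(16, "big")).digest()


def keystream_xor(key, nonce, data):
    """Toy counter-mode keystream (HMAC-SHA256); unauthenticated, demo only."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def send_static(alice, bob, message):
    """No PFS: the session key is derived from the two long-term keys every time.
    Returns the wire record a dragnet recorder would capture."""
    alice_priv, alice_pub = alice
    _, bob_pub = bob
    key = session_key(alice_priv, bob_pub)
    nonce = secrets.token_bytes(12)
    return {"alice_pub": alice_pub, "bob_pub": bob_pub,
            "nonce": nonce, "ciphertext": keystream_xor(key, nonce, message)}


def send_pfs(alice, bob, message):
    """PFS: fresh ephemeral key pairs per session; the ephemeral private keys are
    discarded after use, so only the ephemeral public keys reach the wire.
    (In a real protocol the long-term keys would sign the ephemeral ones to
    authenticate the exchange; that step is omitted here.)"""
    a_eph_priv, a_eph_pub = dh_keypair()
    b_eph_priv, b_eph_pub = dh_keypair()
    key = session_key(a_eph_priv, b_eph_pub)
    assert key == session_key(b_eph_priv, a_eph_pub)  # both sides agree
    del a_eph_priv, b_eph_priv  # nothing long-lived can recompute the session key
    nonce = secrets.token_bytes(12)
    return {"alice_pub": a_eph_pub, "bob_pub": b_eph_pub,
            "nonce": nonce, "ciphertext": keystream_xor(key, nonce, message)}


def recover_with_stolen_key(record, stolen_alice_priv):
    """Attacker replays the recorded exchange with Alice's long-term private key
    (the post's scenario: key material pulled from a seized, unlocked phone)."""
    key = session_key(stolen_alice_priv, record["bob_pub"])
    return keystream_xor(key, record["nonce"], record["ciphertext"])


def demo(message=b"constructed sample message"):
    """Record one session of each kind, then leak Alice's long-term key."""
    alice = dh_keypair()
    bob = dh_keypair()
    recorded_static = send_static(alice, bob, message)
    recorded_pfs = send_pfs(alice, bob, message)
    stolen = alice[0]  # long-term private key leaks later
    return {
        "static_recovered": recover_with_stolen_key(recorded_static, stolen) == message,
        "pfs_recovered": recover_with_stolen_key(recorded_pfs, stolen) == message,
    }


if __name__ == "__main__":
    print(demo())  # {'static_recovered': True, 'pfs_recovered': False}
```

The recorder sees everything on the wire in both cases, including the ephemeral public keys; what it cannot get is the ephemeral private key, because it never existed anywhere but in memory for the duration of one session. That is why ephemeral messages alone do not help once the traffic has been captured: deleting the message from the phone leaves the recorded ciphertext and, without PFS, the one key that opens it.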
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.