Slashdot Mirror


The Fight Over the EFF's Secure Messaging Scoreboard

blottsie writes "The Electronic Frontier Foundation (EFF)'s new Secure Messaging Scorecard is designed to answer one important question: Which apps and tools actually keep your messages secure and safe from prying eyes? The results have been mixed. In the midst of many positive reactions from technology companies and users, the scorecard stoked a wave of criticism from several prominent figures in the security industry, who deemed the effort inaccurate, misleading, and vague."

63 comments

  1. Don't buy American. by Anonymous Coward · · Score: 2, Insightful

    The simple answer: If it's from the USA, it can't be trusted.

    1. Re:Don't buy American. by ArcadeMan · · Score: 2

      That means we can't trust any versions of Windows, OS X, iOS, Android. We also can't trust Firefox, Chrome, Safari, Internet Explorer.

      So what's left? No smartphone and Linux with Opera on your computer?

    2. Re:Don't buy American. by Anonymous Coward · · Score: 1

      Don't forget that Linus Torvalds is held captive in the US and Opera is basically a reskinned Chrome.

    3. Re:Don't buy American. by Charliemopps · · Score: 1

      Yes

    4. Re:Don't buy American. by Anonymous Coward · · Score: 3, Funny

      Linux is American - it is owned by Red Hat.

    5. Re:Don't buy American. by AHuxley · · Score: 2

      A CPU that's been tested and an open OS on top.
      "How I do my computing"
      https://stallman.org/stallman-... has some ideas on that.

      --
      Domestic spying is now "Benign Information Gathering"
    6. Re:Don't buy American. by AHuxley · · Score: 1

      Yes people have the option to talk about the tame brands and their expensive junk crypto :)
      People can now think about their computing needs understanding what gov and mil extras they are paying over generations of hardware and software upgrades.

      --
      Domestic spying is now "Benign Information Gathering"
    7. Re:Don't buy American. by Anonymous Coward · · Score: 0

      A CPU made by the Chinese as being trustable? LOLOLOLOL.

    8. Re:Don't buy American. by Anonymous Coward · · Score: 0

      QQ has the worst security rating. Yes, buying Chinese is so much better.

    9. Re:Don't buy American. by AHuxley · · Score: 1

      Find an OS and cpu that can be tested. Work on your own crypto and applications. No need to accept shipped junk crypto and tame software.

      --
      Domestic spying is now "Benign Information Gathering"
    10. Re:Don't buy American. by s.petry · · Score: 1

      Firefox is open source; you can go download and review the source code. This would seem to be fair since you have Linux on your list, yet numerous flavors are from the US. The worst Linux in my ever so humble opinion is Ubuntu, which is headquartered in the UK.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    11. Re:Don't buy American. by Anonymous Coward · · Score: 0

      Having access to the source code doesn't mean much. Do you remember Debian's SSL fiasco? Nobody mentioned for 2 years that it was left wide open.

    12. Re:Don't buy American. by disambiguated · · Score: 3, Insightful

      How are you going to test a CPU? Unless you analyze the circuits physically, how are you going to verify that it doesn't allow privileged instructions in unprivileged code, e.g. when r14=6368696e65736520, r15=6261636b646f6f72?

    13. Re:Don't buy American. by AHuxley · · Score: 1

      The world has seen where trusting big OS, telco and software brands has left crypto security.
      If a person wants a CPU, motherboard and OS at some point they are going to have to buy a product.
      So people have the option to go out and test and read up on other CPU products. If they like what they find, support and even buy that product.
      Real customers do that have option. Ask questions, shop around, test, buy, think, publish.
      Buying again and again from the brands that have fooled consumers for years with tame, junk crypto might not be the best idea to go on with again and again.
      A big wide world of CPU, motherboards, networking products, brands and real academic experts :)

      --
      Domestic spying is now "Benign Information Gathering"
    14. Re:Don't buy American. by Ziest · · Score: 0

      Sorry but that is wrong. Linux is a kernel. Red Hat, Ubuntu, etc are distributions wrapped around that kernel.

      --
      Another day closer to redwood heaven
    15. Re:Don't buy American. by disambiguated · · Score: 2

      You're right. They usually aren't, but unintentional vulnerabilities can be subtle. Intentional vulnerabilities can be subtle to the point of genius. If you're just casually reviewing code that isn't specifically known to be vulnerable, and especially if the vulnerability is intentional, it may never be discovered.

      This is why security sensitive functions need to be system code, not application code. System code, and hopefully coders, tend to get more scrutiny, have higher standards of quality, and have a more conservative approach in general. Repeating security functions in each application is insane.

    16. Re:Don't buy American. by TrollstonButterbeans · · Score: 1

      I was going to mention Linus Torvalds living here. Damn. Opportunities reduced by increment of 1.

      --
      Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
    17. Re:Don't buy American. by Eunuchswear · · Score: 1

      Android and iOS are not the only smartphone OS's.

      --
      Watch this Heartland Institute video
    18. Re:Don't buy American. by coofercat · · Score: 1
    19. Re:Don't buy American. by Anonymous Coward · · Score: 1

      Sure things, read all the source code you want, but do you trust your compiler?

    20. Re:Don't buy American. by Lawrence_Bird · · Score: 1

      You are naive and the parent poster was spot on - there is no way anyone outside of a chip fab company has any ability to check the physical layout of CPU microcode, cache and other subsystems.

      Your only potentially secure alternative is to use an FPGA to implement a CPU of your own design. Good luck getting anything near the performance of a current day CPU. Note, I said your own design. Sure, there are prepackaged CPUs for Altera, etc. on FPGAs, but you again are in a position of having to verify the design and also verify that it does not implement, however unlikely, some backdoor hack from the FPGA's own circuitry.

    21. Re:Don't buy American. by Anonymous Coward · · Score: 0

      You're lying and you know it!

      It doesn't take that much to decap chips, and then all you need is a microscope and time to figure it out.
      It's been done MANY TIMES BY NORMAL PEOPLE NOT WORKING IN A CHIP FAB.

    22. Re:Don't buy American. by Aaden42 · · Score: 1

      Right, I forgot about WinCE, I mean WinMo, I mean WinRT, I mean “just-Windows, but it’s different and doesn’t run the same apps”. That’s a much more trust-worthy option than Android or iOS. Or were you talking about WebOS (US-made, essentially defunct) or Blackberry (long standing tradition of rolling over for oppressive governments to prop up their bottom line).

      Anything else?

    23. Re:Don't buy American. by Anonymous Coward · · Score: 0

      You're lying and you know it!

      It doesn't take that much to decap chips, and then all you need is a microscope and time to figure it out.
      It's been done MANY TIMES BY NORMAL PEOPLE NOT WORKING IN A CHIP FAB.

      Decapping and examining the shit chip in a cable box is a far cry from examining (or even knowing how to examine) and verify a modern, complex CPU like you'd find in a desktop.

      Most of the time people decapping chips are simply looking for a secret key, not verifying the whole damned thing. The number of people with that expertise is vanishingly small.

      And by "microscope" I assume you mean some variation of a scanning electron microscope, because the one you used to examine paramecia in 8th grade won't cut it. Yeah, you can fit one in your garage, but can you produce one with your current pocketbook? I didn't think so.

    24. Re:Don't buy American. by allo · · Score: 1

      This. And you're saying it as if it weren't true.

    25. Re:Don't buy American. by TemporalBeing · · Score: 1

      That means we can't trust any versions of Windows, OS X, iOS, Android. We also can't trust Firefox, Chrome, Safari, Internet Explorer.

      So what's left? No smartphone and Linux with Opera on your computer?

      Don't forget, nearly all BIOS/EFI/UEFI software is produced in the USA too.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    26. Re:Don't buy American. by Eunuchswear · · Score: 1

      I use Sailfish and Maemo.

      (Ok, Maemo is kinda dead at the moment, but might get a bit more life when the neo900 is finished).

      --
      Watch this Heartland Institute video
    27. Re:Don't buy American. by AHuxley · · Score: 1

      The good news, AC, is that the world already knows who offered junk crypto and tame OS standards over generations of products.
      So that's an easy list to start with :) Beyond that is a lot of review and testing. But no need to go back to the tame brands with their junk standards.

      --
      Domestic spying is now "Benign Information Gathering"
    28. Re:Don't buy American. by Lawrence_Bird · · Score: 1

      Feeding the troll but what the heck....

      From early 2012

      The company aims to deliver about May 18 a second report on transistor characteristics of the CPU. It will include an analysis of the DC electrical properties of the chip’s NMOS and PMOS transistors, data on its gate and channel leakage current and performance benchmarks measured at three temperature levels.

      The analysis will include use of Scanning and Transmission Electron Microscopy, Spreading Resistance Profiling and X-ray techniques. UBM TechInsights is a sister division of UBM LLC, the publisher of EE Times.

      And that is just to see the circuitry. Good luck reverse engineering it to figure out what does what and verify there is nothing there that should not be there.

      You might also look at this for an even older take on 486 and pentium tear downs... again with no attempt at reverse engineering the logic.

  2. Actual link to the EFF 'scorecard' by Wootery · · Score: 5, Informative

    The actual 'scorecard' can be found here. No need to go to extremes and RTFA.

    [Snarky comment about sloppy /. submissions.]

    1. Re:Actual link to the EFF 'scorecard' by steelfood · · Score: 1

      Not to mention this is practically a dupe of an earlier story that actually has the link to the scorecard.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    2. Re:Actual link to the EFF 'scorecard' by Anonymous Coward · · Score: 1

      I'm glad you said this. It prompted me to ask myself, "What publication is this submission linking to? Why would a submitter be so sloppy?" So I looked up this "blottsie" submitter, and noticed that its submissions for the past few months all point to the dailydot.com site.

      This is good to know. I avoid these submission bots that only exist to try to drive traffic from slashdot to a specific clickbait sources. (Nerval's Lobster (dicebot), mdsolar (anti-nuke shill), MojoKid (hothardware), and cold fjord (GOP shill) are other good bot names to know and avoid.)

      Is anyone aware of other clickbait bot names on slashdot?

    3. Re:Actual link to the EFF 'scorecard' by Anonymous Coward · · Score: 0

      What makes you think they're bots?

    4. Re:Actual link to the EFF 'scorecard' by Anonymous Coward · · Score: 0

      They repeat the same things over and over in a monotonic voice and cannot be reasoned with.

      EXTERMINATE EXTERMINATE

  3. Criticism seems valid by Anonymous Coward · · Score: 2, Interesting

    From the article:

    "The EFF scorecard gives Skype two check marks for being encrypted in transit and encrypted so the provider can’t read it."

    and then:

    “There are always going to be difficult cases when you’re evaluating complex software,” EFF’s Eckersley said. “There are clear indications that the NSA intercepted Skype conversations. However, we don’t know if that was a break in the cryptography itself that would allow anyone to intercept, or if it was a compelled man-in-the-middle attack where Skype was made by authorities to give out fake keys to targets.”

    This is indeed strange. It seems bazaar to give a product a check mark if the EFF don't actually know. Surely benefit of the doubt shouldn't apply in such cases. In any case why not have a question mark indicator for such cases. This might also encourage companies to provide better disclosure.

    1. Re:Criticism seems valid by HiThere · · Score: 2

      Well, since everything is marked either checked or don't use, that's not unreasonable. Granted a more accurate marking would be to just not mark it those two times. Also, with the rating given nobody who is serious about security would use skype, so it's not like they're actually misleading anyone.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    2. Re:Criticism seems valid by AHuxley · · Score: 1

      What was the Communications Assistance for Law Enforcement Act ready should be easy to think about.
      Product, brand, service or code on phone hardware for voice and video?
      Communications Assistance for Law Enforcement Act is clear on the expected support needed. What needs telco products have to meet will be seen under new regulations over the next years.
      https://en.wikipedia.org/wiki/...

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:Criticism seems valid by rtb61 · · Score: 1

      Which, to bring to a fine point, there is only one somewhat successful app for securing your message and it is called legislation, and just to make sure it works, international treaties. The pigopolist psychopathic copyrighters have no problem getting legislation and treaties to protect their theft of the public domain and pretend they invented everything so they can basically print money, why the hell can we not do the same to achieve the most important protection of all, legal protection for our information.

      Face it, without legislation and treaties they will hack your hardware and pry before you can begin to secure it, launch man in the middle attacks, hack your software via updates and corrupt compliant software licensors and if all that fails, grab you off the street and enhanced interrogation the information out of you or kill you in the process via 'er' natural causes.

      What security? Then you have to legislate for it and provide for huge civil penalties for corporations and government agencies breaking the law. Civil penalties because they will inevitably turn around and distort criminal penalties so that somehow there is no penalty for them hacking, but if you try to stop them you'll end up going to jail.

      --
      Chaos - everything, everywhere, everywhen
    4. Re:Criticism seems valid by wonkey_monkey · · Score: 2

      It seems bazaar

      Market up to a lack of common sense.

      --
      systemd is Roko's Basilisk.
    5. Re:Criticism seems valid by Anonymous Coward · · Score: 2, Funny

      >It seems bazaar

      Reminds me of an Eric Raymond article: "The Cathedral and the Bizzare"

    6. Re:Criticism seems valid by Wootery · · Score: 1

      there is only one somewhat successful app for securing your message and it is called legislation

      Nope.

      1. Legislation is not an app. Calling it an app isn't helpful.
      2. Legislation would not help: the government is the one doing the spying, remember?
      3. Crypto already exists. Off The Record already exists. The problem is getting people to use secure means of communication.

      without legislation and treaties they will hack your hardware and pry before you can begin to secure it

      A legitimate concern, but that's a technical challenge, not a game-over.

      launch man in the middle attacks

      That's what proper crypto is for.

      hack your software via updates and corrupt compliant software licensors

      Proprietary software vendors in particular. This stuff doesn't seem to happen as much in FOSS, but yes, it is a concern.

      and if all that fails, grab you off the street and enhanced interrogation the information out of you or kill you in the process via 'er' natural causes.

      No, they won't do this en masse, as it's a lot of work. Also, even if they do, you'll at least know they really are spying on you individually, which is worth something. This is comparable to laws which require you to hand over crypto keys if asked: yes, they might get to spy on you, but you'll know.

      Also, claiming the government is likely to start summarily executing people who use crypto just makes you look silly. No hyperbole is necessary here.

  4. On the one hand is the EFF... by Enry · · Score: 0

    ..who has a track record in this area.

    On the other, we have @ioerror, The malware monster!, and @tqbf who are all well known security experts and...wait..who?

  5. Umm... yeah we know by Anonymous Coward · · Score: 0

    Good to see samzenpus is still the master duper.

  6. Free donations to EFF by Anonymous Coward · · Score: 1

    I use smile.amazon.com, which automatically takes 0.5% of the purchase price and donates it to the organization of your choice at no extra cost. You can set it up to donate to the EFF. Just make sure you always go to smile, or else the donations don't occur.

    Supporting the EFF seems to be the easiest way to support our right to privacy online.

    1. Re:Free donations to EFF by Anonymous Coward · · Score: 0

      I use smile for my local public radio station. The EFF doesn't demand all my contact info in order to accept my money.

  7. Pidgin and OTR by Travis+Mansbridge · · Score: 1

    Use Pidgin with the OTR plugin for easy chat encryption.

  8. OpenPGP by DERoss · · Score: 2, Interesting

    The scorecard gives negative marks for both PGP for Mac and PGP for Windows, for both "Are past comms secure if your keys are stolen?" and "Has the code been audited?" Both negative marks are quite wrong!!

    Using the OpenPGP definition, decryption requires both a private key and a passphrase. If the private key is compromised but the passphrase remains safe, a file or message encrypted via OpenPGP cannot be decrypted. This depends, of course, on a lengthy passphrase that exists only in the user's head. My passphrase is over 20 characters long and contains upper-case and lower-case letters, spaces, and punctuation.

      Older versions of PGP (a commercial implementation of OpenPGP) have indeed been audited. The source code was made public. It was thoroughly examined by outsiders. And it was compiled and compared with the distributed binary code. I do not know if this is true of the latest versions, but the older versions contained no security vulnerabilities and still work quite well.

    1. Re:OpenPGP by Carnildo · · Score: 2

      The scorecard gives negative marks for both PGP for Mac and PGP for Windows, for both "Are past comms secure if your keys are stolen?" and "Has the code been audited?" Both negative marks are quite wrong!!

      I don't know about the auditing, but the negative mark for "Are past comms secure if your keys are stolen?" is quite right. They're talking about forward secrecy, and PGP doesn't implement it. The basic idea of forward secrecy is that even if all the long-term secrets (passwords, keys, etc.) involved in a conversation are stolen, the person who stole them cannot go back and decrypt the encrypted messages.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    2. Re:OpenPGP by Anonymous Coward · · Score: 0

      the older versions contained no security vulnerabilities

      I know what you meant, but that made me cringe. The auditors didn't find any vulnerabilities. Perhaps PGP is simple enough that there really aren't any, but I'm skeptical. Did they audit the generated instructions? Compilers still have bugs.

      Still, it's good to know it's been audited. A thorough audit goes a long way, even for future versions. Unless there is a total rewrite, auditing the diffs is much more manageable than analyzing the whole thing.

    3. Re:OpenPGP by disambiguated · · Score: 1

      even if all the long-term secrets (passwords, keys, etc.) involved in a conversation are stolen, the person who stole them cannot go back and decrypt the encrypted messages.

      I can't wrap my head around that. The way you've described it, it isn't possible, unless the original intended recipient also can't decrypt it. There must be at least one secret somewhere that isn't compromised (the recipient's private key maybe).

      BTW, does your sig ever get you modded redundant? :)

    4. Re:OpenPGP by disambiguated · · Score: 4, Informative

      Found a nice simple explanation of how this works here. There is a secret somewhere that isn't compromised, but it is ephemeral and isn't ever stored anywhere or transmitted. So that's what you meant by "long term". It's very clever. Makes perfect sense now, but it's counterintuitive, at least to me.

      Anyway, thanks. I learned something new, which is why I still come to /.

    5. Re:OpenPGP by Anonymous Coward · · Score: 0

      " Compilers still have bugs."

      Don't say that. They would never dare to insert bugs there. They are the Good Ones(TM).

    6. Re:OpenPGP by WuphonsReach · · Score: 1

      The problem with Perfect Forward Secrecy (PFS) in the case of GPG/PGP encrypted messages is that PFS requires two-way communication between the end-points at the start to securely transmit and agree on an ephemeral key for that session.

      That's not practical in the case of sending an encrypted email/file to someone. There is no "session" to speak of. There's no two-way conversation at the start before the file/information is transmitted.

      GPG/PGP is designed to defend against disclosure of data-at-rest (i.e. an email body sitting on someone's server or a file sitting on your hard drive). It just so happens that because it defends in the data-at-rest scenario that it can also help protect the contents in transit. It's very good at what it does, but trying to use it in a situation where you want PFS is a misapplication of the technology.

      (So yeah... the EFF folks are idiots and are lumping together apples and oranges.)

      --
      Wolde you bothe eate your cake, and have your cake?
    7. Re:OpenPGP by Anonymous Coward · · Score: 0

      You might find these interesting:
      https://security.stackexchange.com/questions/53727/achieving-pfs-with-public-key-cryptography
      https://github.com/trevp/axolotl/wiki
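The exchange between Carnildo, disambiguated and WuphonsReach above turns on one property: with forward secrecy, the session key comes from exponents that exist only for the duration of the exchange, so stealing the long-term keys later recovers nothing, whereas a one-shot OpenPGP-style message has no such exponents and the long-term key is enough. The following is an added example written for this page, not code from the EFF, Slashdot, GnuPG or PGP; it uses only the Python standard library, a toy HMAC-based cipher, and the 1024-bit RFC 2409 group (assumed here only to keep the constant short; it is too small for real use). Running both parties inside one function is likewise an illustration convenience, not a protocol recommendation.

```python
"""Forward secrecy, shown with static versus ephemeral Diffie-Hellman.

Added example for the OpenPGP thread above; not code from the EFF,
Slashdot, GnuPG or PGP. Toy protocol on the standard library only.
"""
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group" (1024-bit MODP), generator 2. Far too
# small for real use; chosen only so the constant fits on a few lines.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
NBYTES = 128  # byte length of a group element


def keygen():
    """One DH key pair: (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def derive_key(shared: int) -> bytes:
    """Hash a DH shared secret down to a 256-bit symmetric key."""
    return hashlib.sha256(shared.to_bytes(NBYTES, "big")).digest()


def _keystream(key: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, b"ks" + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: HMAC-SHA256 keystream, then a tag."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, "sha256").digest()


def open_(key: bytes, sealed: bytes):
    """Plaintext if the tag verifies under key, else None."""
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def _auth_tag(auth_key: bytes, a_pub: int, b_pub: int) -> bytes:
    data = a_pub.to_bytes(NBYTES, "big") + b_pub.to_bytes(NBYTES, "big")
    return hmac.new(auth_key, data, "sha256").digest()


def static_session(alice_long, bob_long_pub, msg):
    """OpenPGP-like one-shot message: the key comes from long-term keys
    only, so the ciphertext is the entire transcript."""
    return seal(derive_key(pow(bob_long_pub, alice_long[0], P)), msg)


def ephemeral_session(alice_long, bob_long, msg):
    """Interactive: each side mints a fresh exponent, they exchange the
    public halves, derive the session key, use it, then discard the
    exponents. The long-term keys only authenticate the exchange (a MAC
    stands in for a signature); they never enter the session key."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    tag = _auth_tag(derive_key(pow(bob_long[1], alice_long[0], P)), a_pub, b_pub)
    # Bob checks the tag with his own long-term key before trusting a_pub.
    bob_auth = derive_key(pow(alice_long[1], bob_long[0], P))
    if not hmac.compare_digest(tag, _auth_tag(bob_auth, a_pub, b_pub)):
        raise ValueError("ephemeral values failed authentication")
    sealed = seal(derive_key(pow(b_pub, a_priv, P)), msg)
    bob_reads = open_(derive_key(pow(a_pub, b_priv, P)), sealed)
    del a_priv, b_priv  # the only values that could reproduce the key
    return {"a_pub": a_pub, "b_pub": b_pub, "tag": tag, "ct": sealed,
            "bob_reads": bob_reads}


def attacker_static(stolen_alice_priv, bob_long_pub, recorded_ct):
    """Recorded ciphertext plus a later-stolen long-term key: full recovery."""
    return open_(derive_key(pow(bob_long_pub, stolen_alice_priv, P)), recorded_ct)


def attacker_ephemeral(stolen_alice_priv, stolen_bob_priv, transcript):
    """Same attacker, now holding BOTH long-term secrets and the whole
    transcript. The session key was g^(ab); a and b were never stored or
    sent, so every key the attacker can actually compute is rejected."""
    a_pub, b_pub = transcript["a_pub"], transcript["b_pub"]
    candidates = [
        derive_key(pow(b_pub, stolen_alice_priv, P)),                        # g^(bA)
        derive_key(pow(a_pub, stolen_bob_priv, P)),                          # g^(aB)
        derive_key(pow(pow(G, stolen_bob_priv, P), stolen_alice_priv, P)),   # g^(AB)
    ]
    for key in candidates:
        pt = open_(key, transcript["ct"])
        if pt is not None:
            return pt
    return None


if __name__ == "__main__":
    alice, bob = keygen(), keygen()
    msg = b"constructed sample message"  # constructed for this example
    ct = static_session(alice, bob[1], msg)
    print("static, key stolen later   :", attacker_static(alice[0], bob[1], ct))
    t = ephemeral_session(alice, bob, msg)
    print("ephemeral, recipient       :", t["bob_reads"])
    print("ephemeral, both keys stolen:", attacker_ephemeral(alice[0], bob[0], t))
```

The ephemeral path is exactly the round trip WuphonsReach says a one-shot e-mail lacks: a_pub and b_pub have to travel before the message can be encrypted, which is why OpenPGP as a file-and-mail format cannot earn that scorecard check, and why the deleted exponents are the uncompromised secret disambiguated was looking for.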

  9. But are the listings TRUE by SeaFox · · Score: 5, Interesting

    If the code is not open to independent review (as few of them are), is there any reason to trust the other listings? After all, we're trusting that when the maker says the software does not send messages in a way where they can intercept them, it's true, but we don't really know that to be the case.

    1. Re:But are the listings TRUE by Anonymous Coward · · Score: 0

      This is an important point, but the EFF also pointed out that several of their criteria aren't independently verifiable. To be complete not only should the source be available, but a moderately complete external audit should be completed in order to verify many of the criteria.

  10. This is not a troll post by Anonymous Coward · · Score: 0

    If it is on the internet, it is not secure.

    Nuff said folks.

    1. Re:This is not a troll post by Anonymous Coward · · Score: 0

      Mod parent troll

    2. Re:This is not a troll post by Anonymous Coward · · Score: 0

      My message has been hardened with Secure Messaging Scorecard and thus cannot be modded Troll.

  11. missing WeChat by Anonymous Coward · · Score: 0

    There are 600 million WeChat users but it is not listed?

    Smells of Slashdot advertising, USA-centric drivel.