Come è stata compromessa IronChat?

5

In che modo IronChat è stato compromesso?

link

Dutch police have revealed that they were able to spy on the communications of more than 100 suspected criminals, watching live as over a quarter of a million chat messages were exchanged.

The encrypted messages were sent using IronChat, a supposedly secure encrypted messaging service available on BlackBox IronPhones.

IronChat ha utilizzato il protocollo OTR.

link

IronChat, based on Xabber (Android)

Il segnale si basa anche sul protocollo OTR. Anche il segnale è compromesso?

In 2013, the Signal Protocol was introduced, which is based on OTR Messaging and the Silent Circle Instant Messaging Protocol (SCIMP).

    
posta Chloe 15.11.2018 - 01:10
fonte

1 risposta

3

TL; DR

Al momento non ci sono informazioni pubbliche su come sono stati letti esattamente i messaggi, ma tutto indica un'attuazione errata del software e una cattiva progettazione dell'interfaccia utente.

Non c'era un problema con l'OTR, c'era un problema con l'implementazione di esso. Su nakedsecurity.sophos.com

For one thing, the app warned users about possible message interception in teensy type, worded in such a way that an average user wouldn’t understand, he said, if they read the smaller font at all. The warning:

Encryption is enabled, but conversation partner is not authenticate

E arstechnica.com

An article published by Dutch public broadcaster NOS said a version of the IronChat app it investigated suffered a variety of potentially serious weaknesses. Key among them: warning messages that notified users when their contacts’ encryption keys had changed were easy to overlook because they were provided in a font much smaller than the rest of the conversation. While crypto keys often change for legitimate reasons, such as when someone obtains a new phone, a new key might also be a sign a third party is trying to intercept the communications by encrypting them with a key it controls.

Per segnale nelle stesse notizie

The Signal app, for instance, encrypts messages using the recipient’s public key before it leaves the sender’s device. As a result, messages that pass through Signal’s central servers can be decrypted only by the recipients’ private key, which is stored only on the recipients’ individual devices. In the event law enforcement took control of the server, they would be unable to read the content of messages without substantially updating the Signal app and waiting for targets to install the update. Even then, they would be able to read only messages sent after the update was installed. Earlier messages would remain unreadable.

    
risposta data 15.11.2018 - 13:14
fonte

Leggi altre domande sui tag