
    Amid backlash from privacy advocates, Meta expands end-to-end encryption trial

    news.movim.eu / ArsTechnica · Thursday, 11 August - 17:46

Meta is ever so slowly expanding its testing of end-to-end encryption (credit: Getty Images)

Meta is ever so slowly expanding its trial of end-to-end encryption in a bid to protect users from snoops and law enforcement.

End-to-end encryption, often abbreviated as E2EE, uses strong cryptography to encrypt messages with a key that is unique to each user. Because the key is in the sole possession of each user, E2EE prevents everyone else—including the app maker, ISP or carrier, and three-letter agencies—from reading a message. Meta first rolled out E2EE in 2016 in its WhatsApp and Messenger apps, with the former providing it by default and the latter offering it as an opt-in feature. The company said it expects to make E2EE the default setting in Messenger by sometime next year. The Instagram messenger, meanwhile, doesn’t offer E2EE at all.

Starting this week, the social media behemoth will begin testing a secure online storage feature for Messenger communication. For now, it’s available only to select users who connect using either an iOS or Android device. Users who are selected will have the option of turning it on.


SIKE is one of the new algorithms that NIST recently added to the post-quantum cryptography competition.

It was just broken, really badly.

We present an efficient key recovery attack on the Supersingular Isogeny Diffie-Hellman protocol (SIDH), based on a “glue-and-split” theorem due to Kani. Our attack exploits the existence of a small non-scalar endomorphism on the starting curve, and it also relies on the auxiliary torsion point information that Alice and Bob share during the protocol. Our Magma implementation breaks the instantiation SIKEp434, which aims at security level 1 of the Post-Quantum Cryptography standardization process currently run by NIST, in about one hour on a single core.

News article.


    Facebook Is Now Encrypting Links to Prevent URL Stripping

    news.movim.eu / Schneier · Monday, 18 July - 14:49

Some sites, including Facebook, add parameters to the web address for tracking purposes. These parameters have no functionality that is relevant to the user, but sites rely on them to track users across pages and properties.

Mozilla introduced support for URL stripping in Firefox 102, which it launched in June 2022. Firefox removes tracking parameters from web addresses automatically, but only in private browsing mode or when the browser’s Tracking Protection feature is set to strict. Firefox users may enable URL stripping in all Firefox modes, but this requires manual configuration. Brave Browser strips known tracking parameters from web addresses as well.

Facebook has responded by encrypting the entire URL into a single ciphertext blob.

Since it is no longer possible to identify the tracking part of the web address, it is no longer possible to remove it from the address automatically. In other words: Facebook has the upper hand in regards to URL-based tracking at the time, and there is little that can be done about it short of finding a way to decrypt the information.
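As an added example, not code from Schneier's post or from any browser: a small URL stripper of the kind Firefox and Brave apply, run on two constructed URLs. The denylist (`TRACKING_PARAMS` and the `utm_` prefix) is an illustrative list, not the one any browser ships. The first URL has its recognisable tracking parameters removed; the second, constructed with the same kind of data packed into one opaque parameter, shows why name-based stripping has nothing to remove once the tracking part of the address is encrypted.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Illustrative denylist, constructed for this example: not the list that
# Firefox's URL stripping or Brave actually ships.
TRACKING_PARAMS = {"fbclid", "gclid", "dclid", "msclkid", "mc_eid", "igshid"}
TRACKING_PREFIXES = ("utm_",)


def is_tracking_param(name: str) -> bool:
    """Name-based classification: the only handle a stripper has."""
    lowered = name.lower()
    return lowered in TRACKING_PARAMS or lowered.startswith(TRACKING_PREFIXES)


def strip_tracking_params(url: str):
    """Return (cleaned URL, list of removed parameter names).

    The query is re-encoded by urlencode, so percent-escapes in kept values
    are normalised (e.g. %20 becomes +); acceptable for a demo, whereas a
    browser implementation would preserve the original bytes."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if not is_tracking_param(k)]
    removed = [k for k, _ in pairs if is_tracking_param(k)]
    clean = urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment)
    )
    return clean, removed


# Constructed sample URLs (hypothetical hosts).
PLAIN_TRACKED = "https://example.test/article?id=42&utm_source=newsletter&fbclid=abc123#top"
# Same idea, but destination and tracking data are one opaque blob under a
# neutral parameter name: nothing in the name identifies it as tracking.
OPAQUE_BLOB = "https://l.example.test/l.php?u=QUJDREVGR0hJSktMTU5PUA"


if __name__ == "__main__":
    for url in (PLAIN_TRACKED, OPAQUE_BLOB):
        clean, removed = strip_tracking_params(url)
        print(f"{url}\n  -> {clean}\n  removed: {removed}")
```

The second case returns the URL unchanged with an empty removal list: a denylist can only act on parameter names and values it can recognise, which is exactly what encrypting the whole URL takes away.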


    NIST Announces First Four Quantum-Resistant Cryptographic Algorithms

    news.movim.eu / Schneier · Wednesday, 6 July - 16:49 · 1 minute

NIST’s post-quantum computing cryptography standard process is entering its final phases. It announced the first four algorithms:

For general encryption, used when we access secure websites, NIST has selected the CRYSTALS-Kyber algorithm. Among its advantages are comparatively small encryption keys that two parties can exchange easily, as well as its speed of operation.

For digital signatures, often used when we need to verify identities during a digital transaction or to sign a document remotely, NIST has selected the three algorithms CRYSTALS-Dilithium, FALCON and SPHINCS+ (read as “Sphincs plus”). Reviewers noted the high efficiency of the first two, and NIST recommends CRYSTALS-Dilithium as the primary algorithm, with FALCON for applications that need smaller signatures than Dilithium can provide. The third, SPHINCS+, is somewhat larger and slower than the other two, but it is valuable as a backup for one chief reason: It is based on a different math approach than all three of NIST’s other selections.

NIST has not chosen a public-key encryption standard. The remaining candidates are BIKE, Classic McEliece, HQC, and SIKE.

I have a lot to say on this process, and have written an essay for IEEE Security & Privacy about it. It will be published in a month or so.


    Samsung Encryption Flaw

    news.movim.eu / Schneier · Wednesday, 2 March, 2022 - 20:45 · 1 minute

Researchers have found a major encryption flaw in 100 million Samsung Galaxy phones.

From the abstract:

In this work, we expose the cryptographic design and implementation of Android’s Hardware-Backed Keystore in Samsung’s Galaxy S8, S9, S10, S20, and S21 flagship devices. We reverse-engineered and provide a detailed description of the cryptographic design and code structure, and we unveil severe design flaws. We present an IV reuse attack on AES-GCM that allows an attacker to extract hardware-protected key material, and a downgrade attack that makes even the latest Samsung devices vulnerable to the IV reuse attack. We demonstrate working key extraction attacks on the latest devices. We also show the implications of our attacks on two higher-level cryptographic protocols between the TrustZone and a remote server: we demonstrate a working FIDO2 WebAuthn login bypass and a compromise of Google’s Secure Key Import.

Here are the details:

As we discussed in Section 3, the wrapping key used to encrypt the key blobs (HDK) is derived using a salt value computed by the Keymaster TA. In v15 and v20-s9 blobs, the salt is a deterministic function that depends only on the application ID and application data (and constant strings), which the Normal World client fully controls. This means that for a given application, all key blobs will be encrypted using the same key. As the blobs are encrypted in AES-GCM mode-of-operation, the security of the resulting encryption scheme depends on its IV values never being reused.

Gadzooks. That’s a really embarrassing mistake. GCM needs a new nonce for every encryption. Samsung took a secure cipher mode and implemented it insecurely.

News article.
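As an added illustration of the mode-of-operation point, not code from the paper or from Samsung's Keymaster: a constructed model of the blob-wrapping scheme. AES-GCM's confidentiality layer is CTR mode; since AES is not in the Python standard library, the keystream block function is simulated with HMAC-SHA256, and the property shown (two encryptions under one key and nonce cancel to the XOR of the plaintexts) is structural to CTR/GCM and does not depend on the block function. All names and values (`derive_wrapping_key_deterministic`, `wrap_flawed`, `wrap_fixed`, `MASTER_KEY`, the app identifiers) are hypothetical. `wrap_fixed` keeps the same deterministically derived key but draws a fresh random 96-bit nonce per blob, and `nonce_reuse_detected` is the kind of unit-test check that flags the flaw before shipping.

```python
import hashlib
import hmac
import os

# Constructed model: AES-GCM's confidentiality layer is CTR mode. AES is not in
# the Python standard library, so each keystream block is
# HMAC-SHA256(key, nonce || counter), a stand-in for AES(key, nonce || counter).
# The nonce-reuse leak below is structural to CTR/GCM, not to the block function.
# The GCM authentication tag is omitted: this models confidentiality only.


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 1
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation in CTR mode."""
    return xor(data, keystream(key, nonce, len(data)))


# Hypothetical values; nothing here is Samsung's actual derivation or data.
MASTER_KEY = b"constructed-device-root-key"
APP_ID = b"com.example.app"
APP_DATA = b"constructed-app-data"


def derive_wrapping_key_deterministic(master: bytes, app_id: bytes, app_data: bytes) -> bytes:
    """Salt depends only on caller-controlled inputs and constant strings, so
    every blob for one application is wrapped under the same key, which is the
    situation the paper describes."""
    salt = hashlib.sha256(b"constant-string" + app_id + app_data).digest()
    return hmac.new(master, salt, hashlib.sha256).digest()


def wrap_flawed(key_material: bytes, nonce: bytes) -> bytes:
    """Same key for every blob AND a caller-supplied, reusable nonce."""
    hdk = derive_wrapping_key_deterministic(MASTER_KEY, APP_ID, APP_DATA)
    return ctr_encrypt(hdk, nonce, key_material)


def wrap_fixed(key_material: bytes) -> bytes:
    """Same derived key, but a fresh random 96-bit nonce per blob, stored with it."""
    hdk = derive_wrapping_key_deterministic(MASTER_KEY, APP_ID, APP_DATA)
    nonce = os.urandom(12)
    return nonce + ctr_encrypt(hdk, nonce, key_material)


def unwrap_fixed(blob: bytes) -> bytes:
    hdk = derive_wrapping_key_deterministic(MASTER_KEY, APP_ID, APP_DATA)
    return ctr_encrypt(hdk, blob[:12], blob[12:])


def two_time_pad_check(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """True when c1 XOR c2 == p1 XOR p2: the keystream cancelled out, the
    signature of two encryptions under one (key, nonce) pair."""
    return xor(c1, c2) == xor(p1, p2)


def nonce_reuse_detected(records) -> bool:
    """Defender-side check over (key identifier, nonce) pairs: any repeat is a bug."""
    seen = set()
    for key_id, nonce in records:
        if (key_id, nonce) in seen:
            return True
        seen.add((key_id, nonce))
    return False


def demo() -> dict:
    k1 = b"\x11" * 32        # constructed key material #1
    k2 = b"\x22" * 32        # constructed key material #2
    fixed_iv = bytes(12)     # a deterministic IV reused across blobs

    c1 = wrap_flawed(k1, fixed_iv)
    c2 = wrap_flawed(k2, fixed_iv)
    b1 = wrap_fixed(k1)
    b2 = wrap_fixed(k2)

    return {
        "flawed_leaks_plaintext_xor": two_time_pad_check(c1, c2, k1, k2),        # True
        "fixed_leaks_plaintext_xor": two_time_pad_check(b1[12:], b2[12:], k1, k2),  # False
        "fixed_round_trips": unwrap_fixed(b1) == k1,                               # True
        "reuse_flagged": nonce_reuse_detected([("hdk", fixed_iv), ("hdk", fixed_iv)]),  # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model deliberately leaves the deterministic key derivation in place to isolate the nonce question: with a unique nonce per blob the two-time-pad relation disappears even under a shared key. A production fix would also keep GCM's authentication tag and, ideally, derive a distinct wrapping key per blob so that a single nonce slip is not catastrophic.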


    Movim 0.20 - Skiff

    Timothée Jaussoin · pubsub.movim.eu / Movim · Saturday, 19 February, 2022 - 10:25 · 3 minutes

I used to #release a new version of #Movim twice a year. Skiff is an exception. One year of work was required to release the 20th major version of the project.

The main reason is the amount of work and adjustments required to integrate the main feature of this release: the support of end-to-end #encryption through the implementation of OMEMO.

So let's dive into all the new exciting features that you will discover in this major release.

OMEMO

The technical part was already extensively covered by the dedicated article End to end encryption in Movim - OMEMO is (finally) there!.

The user experience and flow are not very different from those of other XMPP clients. If Movim detects that you can start an encrypted conversation with a contact, a small lock icon is displayed next to the chatbox. You can always choose to toggle it back to have a non-encrypted discussion.

The new redesigned chatbox

It is also possible to see all the encryption fingerprints in the Contact drawer under the dedicated "Fingerprints" tab. You can also enable and disable encryption for each fingerprint manually there. Movim displays the last message sent or received and the client linked to the fingerprint to help you with your configuration. But rest assured, those settings are only for those who want to configure their encryption levels in detail.

OMEMO Fingerprints

End-to-end encryption is also available for group chats; the flow is exactly the same as for single contacts.

There is some chance that you will encounter encryption issues in some cases: even after a lot of debugging and refactoring, end-to-end encryption is a really complex beast that is difficult to handle. Feel free to open a ticket with all the details to reproduce the issue if you encounter one.

I'd like to thank again NLNet for their help on this project! With the funding I was able to free up time to finally integrate end-to-end encryption in Movim.

NLNet Logo

Posts

A few changes were made regarding the posts and their integration within Movim.

The post publication form was slightly redesigned and now allows several images, files or links to be attached. Linked to that change, post cards were also redesigned with a more compact design.

Multiple attached pictures

The public Communities and Blog pages now have the same two-column design as their private version. The displayed Communities and Contacts information is also now more compact.

Two column design for the public pages

The tags were redesigned and are now more clearly visible and navigable.

New design for the tags

Chat

The contacts and chatrooms drawers were redesigned and now include some really useful information. Pictures and links sent in conversations are now quickly available in dedicated tabs.

Redesigned chat drawer

Chat bubbles are now properly displaying quotes and support message styling.

Chat bubble with styling

A big refactoring was also done regarding how edited messages are handled in Movim. This refactoring allowed messages to be edited in Group Chats and added support for several edits on a single message (which caused some weird message duplication bugs).

Chatrooms

Chatrooms administrators can now manage affiliations and ban/unban users.

Changing affiliation for a user

You can now prioritize your most important chatrooms on top of the list with the pin feature.

Pinned chatrooms

...and many other things

The old Movim API code was fully removed. It had been left untouched for years and not really used nor up-to-date anymore.

When you are in a chat conversation, the other chats counter is displayed on the back button.

The internal picture library was rewritten and simplified; it now supports transparent avatars. All pictures are now compressed in WebP by default.

Admins can now fully disable the registration feature. It is quite useful if you have a dedicated Movim setup and a specific separated flow to register your users (using an internal LDAP in a company or school for example).

Plenty of new emojis were integrated with the support of Unicode 13.0.

Movim is now a Progressive Web App

Movim used to have some "native" apps, on desktop and Android. All those apps are now deprecated and replaced by the work that was done to make Movim a full Progressive Web App. From any browser you can now install Movim as an app on your phone or desktop in a single click.

Conclusion

Lots of other small improvements and features were integrated in this release but are not listed here; it's time for you to discover them. Enjoy this new version!

That's all folks!


    WhatsApp “end-to-end encrypted” messages aren’t that private after all

    news.movim.eu / ArsTechnica · Wednesday, 8 September, 2021 - 21:33

WhatsApp logo. The security of Facebook's popular messaging app leaves several rather important devils in its details. (credit: WhatsApp)

Yesterday, independent newsroom ProPublica published a detailed piece examining the popular WhatsApp messaging platform's privacy claims. The service famously offers "end-to-end encryption," which most users interpret as meaning that Facebook, WhatsApp's owner since 2014, can neither read messages itself nor forward them to law enforcement.

This claim is contradicted by the simple fact that Facebook employs about 1,000 WhatsApp moderators whose entire job is—you guessed it—reviewing WhatsApp messages that have been flagged as "improper."

End-to-end encryption—but what’s an “end”?


This snippet from WhatsApp's security and privacy page seems easy to misinterpret. (credit: Jim Salter )

The loophole in WhatsApp's end-to-end encryption is simple: the recipient of any WhatsApp message can flag it. Once flagged, the message is copied on the recipient's device and sent as a separate message to Facebook for review.



    Avoid Windscribe VPN (Toronto-based)

    Mathias Poujol-Rost ✅ · Tuesday, 27 July, 2021 - 16:20

Via https://nitter.fdn.fr/dangoodin001/status/1419799335206752260

#encryption