this post was submitted on 08 Dec 2024
64 points (89.0% liked)
Privacy
4371 readers
9 users here now
A community for Lemmy users interested in privacy
Rules:
- Be civil
- No spam posting
- Keep posts on-topic
- No trolling
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I don't have an iOS device to know for sure but I'm fairly certain they inform you and participants in your chats about the PFS interruptions. It's a temporary problem you have to deal with to use a beta application.
One of their devs was on mastodon talking about how PFS was more complicated with their design than they expected because they need to sync up the devices. Signal took the approach of sending one message to every device and Threema sends it to one of your devices and then that device sends it to the others. From what I understand this makes the PFS session key synchronization harder for Threema so it's not implemented yet.
Right but in practical terms many of the findings cited against Threema were equally if not more doubtful. I don't know who the "big security researchers" you're referencing are, but ... as someone in the tech sector myself I do tend to agree that we've gotten to a place of really happenstance exploits being sold as if they're like the old zero days where the user doesn't have to do anything, it works 100% of the time, and the user loses control of their system.
If that quote is real ... I think they were probably just miffed that the researchers didn't discuss the fact that they were already in the later design stages of protocol improvements and made their findings sound far more plausible to exploit than they were.
There's just a double standard here too... Threema gets shit for downplaying an exploit where you literally have to have physical access to the device, but it's totally fine that signal didn't even use basic operating system functionality (the keychain) to protect data at rest -- that's a physical AND digital risk?