Signal's protocol is "great" so why don't

It's only secure because it isn't open source.

File: IMG_20160715_171201.jpg (9KB, 300x300px) Image search: [Google]

9KB, 300x300px

Yes

>>55668355
u seem to be mistaken senpai the only for a closed source thing to be secure would be that their is only one incineration,one copy that is heavily encrypted that not even the man behind it could decrypt it

>>55668342
Ever heard of XMPP with OMEMO?

>>55668355
>It's only secure because it isn't open source.

Axolotl is open source you dumb nigger.

>>55668403
Only works with one Android client

What is Silence?

>>55668595
Not an IM client.

>>55668342
To become popular messenger app should "just werk" and have huge ad budget.
Open source don't have money, not allowed into appstore/playmarket, and tinfoil-hat paranoics cant make it easy to use (eg without phone number and push services).

>>55668342
what's stopping /g/ from just removing the google play services and the phone number requirement? aside from that it's safe no?

>>55669536
Because the dude goes apeshit, see libresignal

You're free to! Just don't use the Signal name and servers, or Moxie will bitch at you.

>>55669634
libresignal failed because this >>55669653 no one is stopping the libresignal devs from using their own servers, of course they'll need some money for it but that's why donations exist in the first place

>>55668342
>truly anonymous
Important point: the Signal protocol (Axolotl) does not provide anonymity. It does not protect metadata.

An overlay network on top of that potentially could, but be aware that garlic/onion routing (as in I2P or Tor) is designed to support interactive low-latency sessions, and is not resistant to a global passive attacker performing correlation or confirmation. If you're willing to tolerate a little more latency (in my own tests so far, my test users are, for everything except voice and video) as in the partial connection scenario Axolotl was designed for, a stronger form of mixnet can provide that protection.

I am working on that. I am over 10 years into the research, and more research is needed, but we are now beginning to get close to some kind of usable designs. However I'm having to design forward enough for the future that I'm also thinking post-quantum exchanges would be a good idea too, and turning my attention to possibly NTRUPrime, or the Ring-LWE ones like NewHope, or even that supersingular isogeny elliptic curve one that looks extraordinarily interesting. Curve25519 is great now, but I think by the time I'm done, and looking forward to the amount of time I'd like the crypto to be solid, I maybe want to hedge my bets by securely combining both (agl and co is experimenting with this in Chrome for Google, using NewHope).

If you want to actually design a practical network, proof against Nation State Adversaries doing mass surveillance, including social network analysis, you've got a very hard problem on your hands indeed.

However I do feel that OP has a solid idea and this would be a benefit. I use Signal as a phone messenger, but I'd far prefer to have something more IRC-like as I really, really don't like the phone number requirement; phone numbers are a potential attack vector on several levels.

t. helped Trevor Perrin review Noise, a strong transport layer framework.

>>55668342
But it's written in Java.

>>55670411
well fuck, how hard it will be to develop an application that fits what you just wrote? and how hard it's going to be to make servers for it?

>>55668355
BTFO by
>>55668418

>>55670488
https://github.com/WhisperSystems/libsignal-protocol-c

>>55668342
Why don't you do it yourself then?

>>55671509
The solid and obvious idea that it'd be really great to do what is basically Tox-but-uses-Axolotl? Maybe not that hard. You could probably work from Tox.

Bear in mind that any P2P messenger like that without additional protection means that any random with an appropriate tool can look IP addresses up from nyms - just like with Skype before it went centralised again.

I'm not saying that's inappropriate for an interim solution, as long as (like Tor, I2P and other tools) everyone is clearly aware of what it can and can't do, and no-one writes security cheques promises that the technology can't actually cash.

Lots of people need solutions that address the most immediate and obvious problems now. I really commend Moxie's fantastic efforts for that (although I disagree with him on syndication, or that phone numbers should be the only ID for Signal).

The comprehensive solution I'm working on, in a way that addresses the aspects of the threat model I raise? A lot harder than Signal and Noise: those are merely two useful components among many.

It requires probably 2-5 years more research I think, including some very hard security proofs, and after - or ideally partially in parallel with that - actual development of a secure reference implementation (beyond simple research prototypes) with solid, secure code. Considering people's lives rely on this type of thing, this definitely shouldn't be some "move fast and break things" type summer project from a couple of interns. Sorry. Proper science and engineering is hard and takes a bloody long time. I'm playing the long game here: someone has to. But I've broken components of prototypes out and helped with a few other projects along the way.

My general design is autonomous and decentralised, with full participant "nodes" and mobile/low-bandwidth/low-energy "points" (borrowed terminology from oldschool FidoNet Technology Networks). I would not/cannot/should not run any servers.

File: wallhaven-8376.jpg (277KB, 1920x1200px) Image search: [Google]

277KB, 1920x1200px

>Not using XMPP + OTR

>>55668342
It's implemented in Signal you dumb fuck.

>>55672290
Google Services Framework/phone number dependencies

>>55672290
>>55672418
Signal (app) is also completely centralized

>>55668342
If it's connected to the internet. It is no longer secure or private.

>>55672034
>no centralized servers
how do they start conversation ?

>>55668355
It's only secure because it is open source.

Just like all the unbreakable things today. Everything closed source gets broken constantly

>>55672483
go be an idiot somewhere else

File: 1459230022134.jpg (18KB, 298x296px) Image search: [Google]

18KB, 298x296px

>>55672034
hope to see your project como to life anon, so we're fucked atm? is there something we can do?

>>55672625
>It's only secure because it is open source.
How many anons on /g/ are qualified to audit FOSS code?
Do either of you ever spend any time actually auditing code on FOSS projects?
The fantasy that "experts" with years of experience spend countless hours scanning open source code for bugs is rubbish. Even popular and heavily used code included in commercial products is constantly called out by vulnerabilities exposed by exploits. If it wasn't for the exploits the bugs would go unseen.