Testing a new encrypted messaging app's extraordinary claims: this unofficial audit on the #Converso app looks like a book of horrors…! (poliverso.org)

submitted 1 year ago by piratepost@poliverso.org to c/privacy@lemmy.ml

5 comments fedilink hide all child comments

How I accidentally breached a nonexistent database and found every private key in a 'state-of-the-art' encrypted messenger called Converso

@privacy

But wait – it gets much, much worse

As I was finishing up the above post, I noticed something a little strange in the code – something I'd glossed over earlier. There are a ton of references to what looks to be functions related to Google's #Firestore database.

#Converso

all 8 comments

sorted by: hot top controversial new old

[-] shreddy_scientist@lemmy.ml 3 points 1 year ago

Thanks for the breakdown, I'll be sure to stay away from Converso! You should 100% check out DataBag. It's my current favorite as its pretty much selfhosted signal. Except without the need for phone numbers and while decentralized, it can be federated too. Definitely my current favorite up and comer in the messaging world

[-] sxan@midwest.social -3 points 1 year ago

TFA claims Signal is the gold standard, which raises my eyebrows, especially as th] author - in the same breath - admits Signal leaks metadata.

There are chat clients, less popular, less well funded, that don't leak metadata. Signal may be a good choice for the average non-techie, but it's hardly the gold standard for private chat.

[-] KLISHDFSDF@lemmy.ml 0 points 1 year ago

I've read from SME's that Signal is the gold standard for encrypted private messaging. I haven't seen that claim of any other messenger. What are the alternatives?

I've tried Briar and that seems like it may be good in 5+ years, but not something I'd ask non-techy people to use in its current form. Sessions dropped Perfect Forward Secrecy because it was too hard to make it work. I don't want security features dropped just because they're "hard" so that's an immediate no from me. What are viable alternatives that don't leak metadata?

[-] sxan@midwest.social -2 points 1 year ago

"Popular," and even "ease of use," are not relevant for the label of Gold Standard when we're talking about security. Functionality for purpose is relevant, but if we're allowing for weaker security in trade for ease of use then I'd say just use SMS; sure, it's not as secure as Signal, but it's a lot easier.

Reductio ad absurdum aside, there are by my count about a half-dozen systems which are more secure than Signal. Systems which don't require you to give up your phone number, or publish it, or leak other personal metadata. You mentioned one, Briar, and there's SimpleX Chat, Tox, and Jami (the latter two have been around for a few years, and IIRC Jami's been audited). There are any number of apps (web and mobile) that claim encryption and anonymity such as Confide, Onion Chat, ChatS, Speek!, Peekno, and Threema. Ocelot and retroshare.io are peer-to-peer with no central servers, and are probably (metadata) secure.

I wouldn't call any of these individually the gold standard, but several are obviously more secure than Signal.

I can't get over how any system that required such a tracable and abusable piece of PII as a cell phone number could be considered the gold standard for privacy.

this post was submitted on 17 May 2023

2 points (75.0% liked)

Privacy

31384 readers

1223 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

Chat rooms

[Matrix/Element]Dead
Discord

much thanks to @gary_host_laptop for the logo design :)

founded 4 years ago

MODERATORS