On Fri, 13 May 2016, Martin Rex wrote:
IMO, Moxie points to a number of real problems, but I think his conclusions about the causes are wrong.
I agree.
Well, getting a jabber client _with_ support for TLS turned out to be another royal PITA, because it wasn't available for my old Linux distro, and compiling it my self would have required to obtain and compile at least three dozen other libs and toolkits it depends upon, and what my existing Linux distro had was "too old".
That must have been an epicly old server because I've been using pidgin with TLS for many years.
I only wanted to join IETF meetings remotely, and they're public anyways, so I was just fine without TLS and my old client, but the XMPP freaks running this stuff seemed to be fiercly determined of breaking backwards compatibility just for the fun of it, giving a shit about their users, similar to the developers of the newer client software, which gave a shit about compiling the client software on a 5 year old linux distro.
Not "just for the fun of it", but specifically for RFC-7258
There things that WhatsApp achieved in a straightforward and user friendly manner: - signing up as a new user is *EASY* - getting the newest of their client software for a 5+ year old Android (e.g. Android 4.1) is no more difficult that getting it for bleeding edge OS releases - Interoperability with installed base was not impaired when rolling out the encryption-enabled clients
And a day after the announcement I tried this with a friend of mine. We both updated Whatsapp, and we ended up with my client saying "chats are now encrypted" and the other endpoint saying "chats are not encrypted, the other end needs to upgrade". Two days later this problem automagically solved itself without an app update on either end. How could an end-to-end encryption fail in such a way? There is either some really untrusted GUI code lying, or some server-based "trusted" MITM happening here. Paul