On Fri, 13 May 2016, Martin Rex wrote:
IMO, Moxie points to a number of real problems, but I think his
conclusions about the causes are wrong.
I agree.
Well, getting a jabber client _with_ support for TLS turned out to
be another royal PITA, because it wasn't available for my old Linux
distro, and compiling it my self would have required to obtain and
compile at least three dozen other libs and toolkits it depends upon,
and what my existing Linux distro had was "too old".
That must have been an epicly old server because I've been using pidgin
with TLS for many years.
I only wanted to join IETF meetings remotely, and they're public anyways,
so I was just fine without TLS and my old client, but the XMPP freaks
running this stuff seemed to be fiercly determined of breaking backwards
compatibility just for the fun of it, giving a shit about their users,
similar to the developers of the newer client software, which gave a shit
about compiling the client software on a 5 year old linux distro.
Not "just for the fun of it", but specifically for RFC-7258
There things that WhatsApp achieved in a straightforward and
user friendly manner:
- signing up as a new user is *EASY*
- getting the newest of their client software for a 5+ year old
Android (e.g. Android 4.1) is no more difficult that getting
it for bleeding edge OS releases
- Interoperability with installed base was not impaired when
rolling out the encryption-enabled clients
And a day after the announcement I tried this with a friend of mine. We
both updated Whatsapp, and we ended up with my client saying "chats are
now encrypted" and the other endpoint saying "chats are not encrypted,
the other end needs to upgrade". Two days later this problem
automagically solved itself without an app update on either end.
How could an end-to-end encryption fail in such a way? There is either
some really untrusted GUI code lying, or some server-based "trusted"
MITM happening here.
Paul