Indeed.
P2P, E2EE, LoRa + HF + Inet bridge
Quote Tweet
We need an open source, multi-device, end-to-end encrypted messaging app that doesn't rely on phone numbers.
3
4
27
Conversation
It has a lot of issues. It uses long-term identity keys without automatic authorized key rotations, and even worse, it doesn't use session keys so there is no forward secrecy. It has a lot of bad cryptography including current generation keys still having SHA-1 fingerprints, etc.
It's not a good building block for anything else. It's massively overly complex and packed with weaknesses/vulnerabilities.
age is a proper standard and CLI tool for anonymous authenticated encryption. signify/minisign for simple signing or OpenSSH signing for more flexibility.
1
Shouldn't use those CLI tools for secure messaging which should have properties like forward secrecy and properly designed session verification.
Matrix E2EE is quite good for message data but metadata isn't encrypted and it's federated not P2P with most using enormous servers.
1
Show replies