
Wickr vs stef's seven rules of thumb to detect snakeoil



On Sun, 01 Feb 2015 18:57:01 -0800, Seth <[email protected]> wrote:

> Searched the cpunk archives and was surprised to find no mention of  
> wickr yet.
>
> I thought I'd run it through stef's seven rules of thumb to detect  
> snakeoil so here goes:

Yikes, just found this excellent video review of Wickr and it's not  
flattering:

https://www.youtube.com/watch?v=GDq7GJWKyqc

The presenter sums it up as "this is really a classic example of what can  
happen when you try to do your security in secret, and nobody really looks  
too closely at what you're doing."

Main flaws claimed to be found by reviewer:

Password stored on servers
Hardware binding is a joke
Caught using static AES key
Were not signing their messages
TOFU (Trust On First Use) architecture
Crappy TLS implementation
Wickr servers using PHP scripts

I'd say the verdict leans towards snake-oil so far.