• @radix
    link
    English
    1031 year ago

    the entire government will be using [Olvid], the world’s most secure instant messaging system," French digital minister Jean-Noël Barrot confirmed on X.

    Clearly they’re very discerning when it comes to their choice of communication apps. 🙄

    • @Cossty
      link
      English
      221 year ago

      From their Google play store page: “Olvid is the first private instant messaging application for everyone.”

        • FuglyDuck
          link
          English
          321 year ago

          the client is open source. but the server? not so much.

          in any case, if security is the concern… they should probably switch to a government-built system that only runs on gooberment devices. Will it be shitty? absolutely. But data is owned by whoever has the hardware it sits on. if it’s not your device its not your data.

          • @[email protected]
            link
            fedilink
            English
            10
            edit-2
            11 months ago

            No trust in servers Persistent security even in case of a compromised server

            From Olvid website

            They are advertising the fact that the security does not depend on the server.

            I don’t know what is worth.

            Also it’s developed by a French company, I think this is the main argument for the French government, they want to have options that does not rely on US companies.

            • FuglyDuck
              link
              English
              611 months ago

              Without the server-side code there’s no way to validate that. (This is the reason open source is preferred.)

              It’s definitely being selected because it’s French. (And has all the buzzwords,)

              • @matter
                link
                English
                411 months ago

                You’ve misunderstood. With the client code you can be sure that your messages are properly encrypted before leaving the device. If that’s done correctly, you don’t need to trust the server, because it can’t read your messages just like some attacker couldn’t. Signal is pretty similar, they didn’t update the public server source for a few years, and even with the source, we can’t know that that is what they’re actually running. But with a verified build of the client code we can know that our messages are encrypted such that, even if they held on to them until quantum computers became mainstream, they’d still be properly protected.

                • @ben_dover
                  link
                  English
                  6
                  edit-2
                  11 months ago

                  the server can store metadata though. who you’re texting, when, how often, etc. - and store that indefinitely. or even store the encrypted message, and when a flaw in the encryption is discovered 10 years later, they’re all readable. their servers could be breached and that info could be siphoned by criminals selling it to the highest bidder.

                  signals blog had an interesting post about what they’re doing to prevent these issues

                • FuglyDuck
                  link
                  English
                  1
                  edit-2
                  11 months ago

                  You’ve misunderstood. With the client code you can be sure that your messages are properly encrypted before leaving the device. If that’s done correctly, you don’t need to trust the server, because it can’t read your messages just like some attacker couldn’t.

                  It kind of depends on how keys are handled. If the key passes through their servers at all (and it probably does,) then they have access to the keys and sufficient information to decrypt it. it’s possible the app does send keys independent of their server- I don’t know- but I very much doubt it. if they were capable of sending keys without a server, chances are very good they don’t actually need the server for the messages themselves. (which would then ask why they do have a server.)

                  But with a verified build of the client code we can know that our messages are encrypted such that, even if they held on to them until quantum computers became mainstream, they’d still be properly protected.

                  Assuming they don’t have the keys. This is not a valid assumption so far as I’m aware.

                  • @matter
                    link
                    English
                    2
                    edit-2
                    11 months ago

                    It should most definitely be a valid assumption.

                    If the key passes through their servers at all (and it probably does,) then they have access to the keys and sufficient information to decrypt it. it’s possible the app does send keys independent of their server- I don’t know- but I very much doubt it.

                    The keys shouldn’t be on or go through a server anywhere, that would be an absolute joke.

                    What makes you think that private keys are being sent anywhere? This app uses a slightly modified version of the Signal protocol (because of course it does), as they describe here, section 27, page 90. Only public keys should ever leave your device, otherwise no amount of showing the code would make it secure. That’s the whole point.

                    Again, with the client code you should be able to tell that the keys are generated there and not sent anywhere.

                    As I said, with any app, just because they publish some server code does not mean that that’s what they’re running on their server - for security you have to be sure that the app is sufficiently secure on its own. Even if they were running the exact public code that “didn’t save the keys” the server could harvest them from memory.

            • @interceder270
              link
              English
              111 months ago

              I don’t know what is worth.

              Jack-shit without evidence and demonstrations.

        • @matter
          link
          English
          71 year ago

          Only the client. Though that’s probably enough to make sure messages leave your device suitably encrypted. Depending on the algos it could be quite vulnerable to hndl attacks, though, or (less likely) any undiscovered backdoors in the implementations. Of course, even for Signal one has to trust they’re using the public server code anyway, but at least we know they’re folding in a quantum-resistant algo.

        • Natanael
          link
          fedilink
          English
          411 months ago

          That thing has some of the most verbose documentation I’ve ever seen. Stuff that should be a paragraph takes multiple pages.

      • @MCk3
        link
        English
        81 year ago

        They’ve gone in on matrix pretty hard at this point

      • @[email protected]
        link
        fedilink
        English
        41 year ago

        Simplex is promising, but not ready for primetime.

        On my divest OS phone it doesn’t even run. Just launches and dies.

        Contact Discovery is still a big issue, simple x doesn’t have a solution for that yet. You have to do out of band manual addition of your contacts.

        • @[email protected]
          link
          fedilink
          English
          51 year ago

          No Contact Discovery is a feature for me.

          Interesting it does not work on your device, I have tried it on a few different phones and have not had any issues. My friends are of course using it as well, all on different devices.