[cryptography] open letter to Phil Zimmermann and Jon Callas of Silent Circle, re: Silent Mail shutdown

Benjamin Kreuter brk7bx at virginia.edu
Sat Aug 17 08:05:31 EDT 2013


On Sat, 17 Aug 2013 12:30:40 +0300
ianG <iang at iang.org> wrote:

> This was always known as the weakness of the model.  The operator
> could simply replace the applet that was downloaded in every instance
> with one that had other more nefarious capabilities.  There were
> thoughts and discussions about how to avoid that, but a simple, mass
> market solution was never found to my knowledge [0] which rendered
> the discussions moot.
> 
> I don't think the company ever sought to hide that vulnerability.
> 
> Also, that vulnerability was rather esoteric as it required quite 
> serious levels of cooperation.  So the bar was still high.

I am not sure I see how serious levels of cooperation would be
required.  Adding a backdoor to the Java applet that forwards a
passphrase or secret key to Hushmail does not sound terribly hard to
do (it sounds like less than 10 lines of code).  It sounds like
something that would almost certainly be done if the company ever
decided to build a "lawful interception" system.

-- Ben



-- 
Benjamin R Kreuter
UVA Computer Science
brk7bx at virginia.edu
KK4FJZ

--

"If large numbers of people are interested in freedom of speech, there
will be freedom of speech, even if the law forbids it; if public
opinion is sluggish, inconvenient minorities will be persecuted, even
if laws exist to protect them." - George Orwell