• matter@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    11 months ago

    It should most definitely be a valid assumption.

    If the key passes through their servers at all (and it probably does,) then they have access to the keys and sufficient information to decrypt it. it’s possible the app does send keys independent of their server- I don’t know- but I very much doubt it.

    The keys shouldn’t be on or go through a server anywhere, that would be an absolute joke.

    What makes you think that private keys are being sent anywhere? This app uses a slightly modified version of the Signal protocol (because of course it does), as they describe here, section 27, page 90. Only public keys should ever leave your device, otherwise no amount of showing the code would make it secure. That’s the whole point.

    Again, with the client code you should be able to tell that the keys are generated there and not sent anywhere.

    As I said, with any app, just because they publish some server code does not mean that that’s what they’re running on their server - for security you have to be sure that the app is sufficiently secure on its own. Even if they were running the exact public code that “didn’t save the keys” the server could harvest them from memory.

    • FuglyDuck@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      2
      ·
      11 months ago

      Again, with the client code you should be able to tell that the keys are generated there and not sent anywhere

      then no one- including the intended recipient- can decode them without that physical device. kinda defeats the point of a messenger service. The codes have to be sent somehow. Either it’s sent along their servers, or the recipient’s device directly.

      I really don’t care to get into it. Just know that if you’re using a generic, stock device… any message you send should be considered compromised. depending on the app, and the device in question, it may (but not necessarily) require physical access to the device. but, by it’s very nature, the messenger service meant to be decoded and read. it is fundamentally permissive in nature.

      Is it secure enough for France’s needs? Probably. does it mean it’s the best? Probably not.

      • matter@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        11 months ago

        You seem to be a bit confused about how asymmetric encryption works. There is no need for private keys to be transmitted for a messaging service to work. I encourage you to read about the difference between public and private keys in asymmetric encryption. They are generated in pairs, such that when something is encrypted using a public key, it can only be decrypted using the corresponding private key. So it’s not correct to say that the message can’t be decrypted by the intended recipient - they are in fact the only party who can, but even the sender can not.

      • jimbolauski@lemm.ee
        link
        fedilink
        English
        arrow-up
        1
        ·
        11 months ago

        There are cryptographic methods which allow me to send you a public encryption key which is mathematically related to a private decryption key. Brute forcing the private key is possible but computationally expensive. An AES 256 key has 2^256 different keys that would need to be checked it would take Frontier, the fastest supercomputer right now can do 1.1e18 calculations per second 5.1e78 seconds 2.32e71 years.