I'm not immediately seeing any insight into whether this covers conversations initiated in-browser. If this does exist, it'd be interesting to see how they've tackled the security of crypto logic in-browser and compare it to what Cyph has in place for in-browser code signing.
Edit: Yep, this seems device-to-device; there doesn't seem to be a web component here. Still useful given how many people use messenger primarily via phone, and I suspect implementation wasn't hard given WhatsApp did it first. It would be neat to see if Messenger and WhatsApp are ever bridged through this.
Because if you serve the library responsible for the encryption from the server, an attacker can perform a man in the middle attack and change that library. This will change when browsers will start implementing the web crypto api. https://www.w3.org/TR/WebCryptoAPI/
If you're dropping by defcon, you should catch the talk. There'll be very little focus on this mechanism specifically since we want to share a bunch of things people can actually freely use (and this isn't one of them), but you can catch Ryan afterwards and spark a conversation to find out more.
Well, the keywords there are next to. Like @remy_ implied, you need a mechanism for guaranteeing that the logic you're executing in-browser is protected from server compromise. That's where the Cyph example came in, since as far as I can tell, Cyph is the team to have hacked together a solution to that dilemma, though Cyph also is not using the Signal Protocol right now.
Anyway, there's an upcoming defcon talk which'll lightly touch on how web standards were mangled and viciously abused to make that happen, but since the talk is deliberately not vendor-specific, the focus on it will be brief. Disclaimer on my end is that I was involved in the initial review of their code-signing implementation. https://www.defcon.org/html/defcon-24/dc-24-speakers.html#Za...
Cyph's solution for this, last I saw it, is a Rube Goldberg machine of rolling HPKP pins used in attempt to keep the application from reloading itself from its own servers. It's incredibly complicated. And no matter how much asm.js you use, it's still crypto running in a browser instance. There are other very significant problems with browser crypto --- problems that even affect Chrome Applications.
You and I+Cure53+others will probably always disagree on this topic since you've always been the primary catalyst for dissent on this, but it's not at all complicated nor deserving of the analogy to a Rube Goldberg machine.
It's been well vetted enough. It might be a hack, but it's a sufficiently effective hack. We can agree to disagree :)
You coming to either Black Hat or DEF CON? Let me at least connect the two of you after the AppSec Glory talk.
I can't tell if you're talking about browser crypto (in which case my perspective is shared by a large number of crypto engineers) or Cyph's weird caching scheme, in which case a couple people from Cure53 are the only ones who have ever tried to evaluate it.
I think he was only (or mostly) talking about the latter, which I would agree isn't very complicated at all (it's just deleting and regenerating keys/certs on an interval).
As to the former, are you referring to specific known side channel attacks against asm.js/wasm, or just the usual XSS risk?
One would hope that the founder of the company trying to bring that weird secure caching attempt to market would believe that it wasn't very complicated. :)
Of course, if you've filed for patents on this, as was suggested upthread, that somewhat cuts against that argument, doesn't it?
lol, I'm definitely biased given that I'm long since familiar with the idea and wrote the implementation, but I think it's more conceptually counterintuitive/clever/weird than it is actually complicated in terms of having many moving parts.
WebSign does have a patent pending on it (I think it's fair enough to say that the whole system of accomplishing in-browser code signing this way was non-obvious), but HPKP Suicide itself doesn't. Bryant (eganist) and I are actually disclosing and open sourcing implementations of a few non-code-signing applications of HPKP Suicide at Black Hat and DEF CON next month.
> WebSign does have a patent pending on it (I think it's fair enough to say that the whole system of accomplishing in-browser code signing this way was non-obvious),
For one, device-native binaries have to be signed in order to actually run on the phone (well, without introducing some other tweak such as explicitly permitting unsigned applications).
Implementing this with JS is far, far, far more difficult, and the only solution known (touched on in my other comments) still pisses people off because it's running in a web context that, if improperly mitigated, can still facilitate disruption via code injection i.e. XSS.
That said, we're all conveniently ignoring the fact that all of this assumes that the devices themselves haven't been owned. If you think you're a target of entities capable of getting into a fully patched phone, you've got bigger problems.
So this is "whomever is signing the app gets compromised" vs "whomever is hosting js gets compromised". Right?
Facebook could afford a security team just as capable as Apples security team, and make sure the js server remains secure. And if they can't, their own signing procedure can get compromised before the app is uploaded to Apple for review.
Because the binary is served from a marketplace that works with an app that you trust and that will verify the package signature. Or, the web browser does not behave like a package manager.
So it would need a browser plug-in instead of just a web page? That seems fair enough. Extra kudos if they manage to use a standard plug-in for several websites. Maybe we can even get some kind of standard for this.
I made the comparison to Cyph for a reason. Every time Cyph comes up, there's some amount of lively debate about whether they've actually got working in-browser code signing (which they filed a patent on). I'd argue they do, but I'm also one of the guys who reviewed the implementation.
Even if they have been able to successfully get in-browser code signing working, how can they possibly gaurantee no leakage of data? I mean, there are so many inroads, from mitm to rogue browser plugins... It seems (near) impossible to secure them all.
Rogue browser plugins can be discounted as that's tantamount to a compromised device in the context of a downloaded E2EE app. MITM, well it's E2EE with trust-on-first-use for the crypto logic and implements the works when it comes to web security protocols, such as HPKP. There's enough mitigation there. TOFU in this context would mean once you visit once, the logic that's pinned in the browser then performs signature validation on crypto logic from then on.
No one's gonna get it perfectly right. Signal's probably the closest in terms of the cleanness of the protocol. It'd be neat to see Cyph implement the Signal Protocol in-browser as well, but that's neither here nor there. Ultimately, all of this will shift an attacker's focus away from owning the messaging application (or any component of it, be it the servers, the connection, etc.) to owning the devices and the users directly.
Your next technical battles will be in device security and user-friendly secure authentication. Your existing wars against your users (think phishing) will continue to heat up.
This is a weird response. The comment you replied to suggested (very accurately) that there are lots of different ways that browsers leak information, and gave the example of rogue plugins. You (accurately) dismiss rogue plugins, and then go on to write as if that were the only, or even the most important, vector for leaks. But, obviously, no.
Can you cite some other ways browsers leak information besides browser plugins? It's you who are making the extraordinary claim, that Cyph has come up with a way to make browser crypto reliably secure. I think the onus should be on you to demonstrate how carefully you've thought this out.
I'll make you a deal: if you name all the ones I know about, I'll tell you so. :)
Reading the technical docs now (https://fbnewsroomus.files.wordpress.com/2016/07/secret_conv...).
Edit: Yep, this seems device-to-device; there doesn't seem to be a web component here. Still useful given how many people use messenger primarily via phone, and I suspect implementation wasn't hard given WhatsApp did it first. It would be neat to see if Messenger and WhatsApp are ever bridged through this.