2y ago

The French government doesn't consider WhatsApp, Signal or Telegram secure enough, replaced by Olvid (Google translate link in post text)

www.lepoint.fr

Les ministres français invités à désinstaller WhatsApp, Signal et Telegram

Another article, much better and presents in more detail that Olvid was audited on an older version and chosen because it was French and they applied for it (French) https://www.numerama.com/tech/1575168-pourquoi-les-ministres-vont-devoir-renoncer-a-whatsapp-signal-et-telegram.html

Google translate link original post : https://www-lepoint-fr.translate.goog/high-tech-internet/les-ministres-francais-invites-a-desinstaller-whatsapp-signal-et-telegram-29-11-2023-2545099_47.php?_x_tr_sl=fr&_x_tr_tl=en&_x_tr_hl=fr&_x_tr_pto=wapp

The translation has some mistakes but good enough to understand the context.

Here is a short summary :

Olvid passed a 35d intrusion test by Anssi (French cybersecurity state organisation) experts or designated experts, with code examination without finding any security breach. Which is not the case of all other 3 messaging apps (either because they didn't do any test, or because they didn't pass).

This makes WhatsApp, signal and telegram unreliable for state security.

And so government members and ministerial offices will have to use Olvid or Tchap (French state in house messaging app).

More detail in the article.

37 comments

- I'm sure there are more attack vectors than that though
  
  Exactly. "Security assuming nobody fucked up" isn't enough
- Signal does store the decryption keys in the cloud. Using their SGX enclaves. Which have their own issues. Signal SVR I believe they call it.
  You can turn off signal pins, which still stores the decryption keys in the cloud, but then they're signed with a very long pin which is good enough.
  From a government perspective, signals a no-go, the SGX enclaves are completely exploitable at the state actor level. You just have to look at all of the security vulnerabilities to date for SGX enclaves.
  
  Do you have a reference for Signal using SGX for keys?
  Everything I could find was about metadata and private data, e.g. contact lists (which is what the SVR thing that you mention is), but nothing about keys.
I don't know much but what I do know is when a government endorses a secure messaging service, it's definitely not secure.
- They’re using it themselves, not forcing citizens to use it. It’s when they force citizens to use an app they claim is secure that I am distrustful. I would assume their intentions are more pure when it’s their own state security rather than their citizens’ privacy.
Not being able to inspect their code vs no passing are different things.
- Are they? If you want to know if something is secure enough to use then not being able to examine the code should obviously disqualify it.
  
  Sure it does, but that doesn’t make it bad.
  Open source code is not the only solution to secure communication.
  You can be extremely secure on closed source tools as well.
  If they found specific issues with Signal aside from not being allowed to freely inspect their code base, I suspect we would be hearing about it. Instead I don’t see specific security failings just hat it didn’t make the measure for their security software audit.
  As an example of something that is closed source and trusted:
  The software used to load data and debug the F-35 fighter jet.
  Pretty big problem for 16 countries if that isn’t secure… closed source. So much s you can’t even run tests against the device for loading data to the jet live. It’s a problem to sort out, but it’s an example of where highly important communication protocols are not open source and trusted by the governments of many countries.
  If their particular standard here was open source, ok, but they didn’t do anything to assure the version they inspected would be the only version used. In fact every release from that basement pair of programmers could inadvertently have a flaw in it, which this committee would not be reviewing in the code base for its members of parliament.
They had Tchap that may not be perfect but is open source (based on matrix/element), hosted in France and already used by 400 000 ppl from the public services... Why pay for a new app? Don't get it...
on one hand they are trying to illegalize encrypted messaging on the other they're saying that it's not secure? 😅
- That is an European proposition, and not French at all. France can stand for or against that.
  
  https://edri.org/our-work/8-december-case-why-is-encryption-on-trial/
  
  Affaire du « 8 décembre » : le droit au chiffrement et à la vie privée en procès
  Affaire du 8 décembre : le chiffrement des communications assimilé à un comportement terroriste
Another article, much better and presents in more detail that Olvid was audited on an older version and chosen because it was French and they applied for it (French) https://www.numerama.com/tech/1575168-pourquoi-les-ministres-vont-devoir-renoncer-a-whatsapp-signal-et-telegram.html
- Honestly at the security level, critical infrastructure, which messaging is, is something every country should have independently. So it makes complete sense for the French government to set up their critical messaging infrastructure inside of France with a French company who cannot be compelled by external intelligence agencies.
it's not surprising to see this reaction after learning that their allies were spying on them through nsa
deleted
- Tchap is the messaging app made for the French gov.
Olvid 26, rue Vignon 75009 Paris France
Lmao big surprise.
It’s not open source…big no no for me 🤷‍♂️
- Looks like it is: https://github.com/olvid-io/olvid-android/blob/main/LICENSE
  
  Yup I did see they were on GitHub but when I looked the iOS repository is months (and several releases) out of date.
  I’d expect an open source project to be working in public…not in private and updating their public repositories later down the line
- I feel like for internal government communications you might not want it to be open source.
  Doesnt mean everyone else should want to use it.
looks like you have to buy the paid version to make calls 🤷

37 comments