• joelimgu@lemmy.world
    link
    fedilink
    arrow-up
    29
    ·
    1 year ago

    I can understand the WhatsApp part, its a closed source app but it makes no sense to ban an open source app bc of security concerns, just order a study of the source code to validate it

    • plz1@lemmy.world
      link
      fedilink
      English
      arrow-up
      45
      ·
      1 year ago

      France wants backdoors into these apps, it’s not a lack of trust thing.

      • lysdexic@programming.dev
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        France wants backdoors into these apps, it’s not a lack of trust thing.

        If it’s trivial for a host nation to add backdoors to instant messaging services, you’d be agreeing with the government of France and you’d be pressing to migrate your communication out of the hand of third parties.

        • plz1@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          I’m not a proponent of any backdoors like this. I use Signal because it puts privacy first.

          • lysdexic@programming.dev
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            I’m not a proponent of any backdoors like this.

            I’m not sure you got the gist of what I said. The point I made was that if being the host nation of an organization meant that their government can add backdoors at will, using any foreign service would automatically mean you’d be snooped by external actors.

            Regardless of where you stand on whether you want to add your own backdoor or not, by your own logic using a foreign service means your services are already compromised.

            If that’s the case, wouldn’t it make sense to simply run your own stuff?

            • plz1@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              I agree. The challenge in running your own stuff is adoption. Having my item chat platform is kind of outlets if no one else is willing to switch to it for me. That’s the same problem I have with Signal when I decided to stop using anything Meta owns.

    • TWeaK@lemm.ee
      link
      fedilink
      English
      arrow-up
      20
      ·
      1 year ago

      A far better reason not to use WhatsApp is that it is run by Facebook. It was also a primary vector for Pegasus.

      • lysdexic@programming.dev
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        A far better reason not to use WhatsApp is that it is run by Facebook. It was also a primary vector for Pegasus.

        Aren’t you doubling down on the government of France’s position?

        I mean, the french minister did explicitly stated that “[you] cannot guarantee the security of conversations and information shared via them”.

          • lysdexic@programming.dev
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            For Signal, no.

            There is an argument to make about using custom versions of Signal that route their traffic through your own infrastructure.

            This would count as France running their own service.

            Given that Signal relies on centralized servers to route traffic, and if I’m not mistaken they use AWS in US instances, this means that your Signal traffic is being fed straight into the US security services’ infrastructure. France might be a staunch ally of the US, but they do go through great lengths to preserve their independence.

            • TWeaK@lemm.ee
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              Sure, I’d be the last person to say that Signal is perfect and secure. But it’s a damn sight more secure than WhatsApp.

    • Pierre-Yves Lapersonne@programming.devOP
      link
      fedilink
      arrow-up
      5
      ·
      1 year ago

      Indeed. However we can think the Olvid company, a private company, was very pushy to promote its product and made people think the other apps are worse. In fact it seems Olvid, compared to Signal, encrypt metadata and does not rely on contacts nor identity server. And because it’s a French app, “sovereignty matters” (even of ministers use Microsoft Office solutions 🤡)

      • anti-idpol action@programming.dev
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        Western countries got ‘lobbying’, Eastern countries got ‘corruption’ amirite? If they really cared, they would’ve certified Tox, that I2P IM or Simplex…

        • lysdexic@programming.dev
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          1 year ago

          Western countries got ‘lobbying’

          The term “lobbying” doesn’t mean corruption. It means basically have meetings with stakeholders to discuss issues regarding policy and agenda.

          If you hold a meeting with your local city council asking for a crosswalk, you’re engaged in lobbying. If you chat with the local police chief asking for more patrols in some part or another of town, you’re engaged in lobbying.

          Now, lobbying might set the stage for corruption. If you’re talking to your city council about the need for a crosswalk and you show a video of cars speeding by an intersection, that’s ok. If instead you tell your city councilman that if he hires your construction company to build that crosswalk then you’ll pay him a wad of cash, that’s corruption.

          Lobbying is not corruption. It’s weird how the basis of any democratic system is attacked for being “corruption” to try to justify corruption in corrupt hellholes.

          • anti-idpol action@programming.dev
            link
            fedilink
            arrow-up
            1
            ·
            edit-2
            1 year ago

            Yeah yeah all is great. But we often hear about ‘corporate lobbying’ and you’ve described things mostly carried out by individuals or nonprofits. Now I’m not saying that some corporate entities cannot convince politicians to do anything without bribing them. But the purpose of any private company is creating profits for the shareholders. If they fund a biased research or fabricate evidence to prove their point in talks with governmental bodies that can result in securing more profits, but do not hand money to any politician then is it corruption or lobbying? Or what if they offer their software in exchange for providing backdoors for the government? Or if they engage in price dumping to win a government tender just so that they can overcharge elsewhere?

            • lysdexic@programming.dev
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              But we often hear about ‘corporate lobbying’ and you’ve described things mostly carried out by individuals or nonprofits.

              No, I’m describing lobbying. The definition of lobbying doesn’t depend on your market capitalization or revenue. A corporation does lobbying, just like unions do and industry representatives and community groups. If you have personal interests and want to raise awareness with stakeholders then you reach out to them.

              I mean, Wikipedia’s article on lobbying also refers to it as advocacy. From Wikipedia;

              In politics, lobbying or advocacy, is the act of lawfully attempting to influence the actions, policies, or decisions of government officials, most often legislators or members of regulatory agencies, but also judges of the judiciary.

              “Attempting to influence” is the operative principle.

              And so is “lawfully”. Which is not the same as the corruption you pinned on “Eastern countries”.

      • gnygnygny@lemm.ee
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        That shouldn’t be a job for the French administration ? How can they give credit to a private company for such sensible informations ?

      • FutileRecipe@lemmy.world
        link
        fedilink
        arrow-up
        17
        ·
        1 year ago

        Olvid is the only messaging application today certified by the ANSSI

        Is there a list of those they’ve tested, and why they didn’t meet criteria? Has Signal been tested?

        Without that info, just seems coincidental that the French government has bestowed this cert on only a French app.

          • Nia@lemmy.ml
            link
            fedilink
            arrow-up
            4
            ·
            1 year ago

            Just because everything checks out in principle doesn’t mean it’s actually secure. First off, we have no certainty of the client code running; it’s open source, sure, but unless they ensure reproducible builds - which, given it’s on the Play store (and I assume Apple app store), they can’t be, since the binaries must be signed - we have no way of knowing whether the code actually being downloaded and run is actually the same as the FOSS version. Further, even if it is, it may have intentional subtle vulnerabilities meant to be used by the French govt (so would easily pass certification by having the ANSSI be instructed top-down to overlook certain things), or it may be that the server can trigger a known bug resulting in leakage of data. At an even more paranoid level, it’s possible that the encryption itself is faulty; the specification says it uses aes256 and ed25519 which is about as battle-tested as it gets, but the PRNG seems to be mostly their own innovation. It specifies a minimum of 32 bytes of entropy, which (though cryptography is not my expertise, so at this point I’m wildly speculating) is probably trivial to send or embed in some other communication with the server e.g. by ensuring the PRNG is deterministic after the first keygen and faulty in some known way and sending over a future result.

            I wouldn’t trust the French government.

    • lysdexic@programming.dev
      link
      fedilink
      English
      arrow-up
      9
      ·
      1 year ago

      To start Europe should have secure phones made in EU.

      Doesn’t switching instant messaging services count as a start? Switching hardware is far harder than switching software.

      Also, local messaging systems also determine where your traffic goes and who controls that data. If you have a french messaging service with data centers in france routing traffic between people in France, you are in a far better shape.

      • gnygnygny@lemm.ee
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        When Real-Time Bidding allows foreign states and non-state actors to obtain compromising sensitive personal data about key European personnel and leaders to get location data, time-stamps, websites and apps activities; switching to a local messaging service appears to be a weak patch. You can get an overview of the actual situation here : https://www.iccl.ie/digital-data/europes-hidden-security-crisis/

        • lysdexic@programming.dev
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          appears to be a weak patch.

          It’s not a patch. It’s eliminating an attack vector, and the one which is more pervasive and easier to exploit.

          Security-minded people pay far more attention to what software you run than what hardware you have.

  • pootriarch@poptalk.scrubbles.tech
    link
    fedilink
    arrow-up
    15
    ·
    1 year ago

    i rather doubt a government would push people out of signal-protocol apps and into Some Other App if they didn’t already have a backdoor into the designated substitute

  • Cheradenine@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    12
    ·
    edit-2
    1 year ago

    I downloaded and scanned it with App Manager. Google play billing, another Google something, and telemetry from someone else. Also has the Google maps api. Pass

    Edit: I use SimpleX which has many of the same features (no phone number, ETEE, lots more) but is FOSS, has no trackers, has been audited by Trail of Bits, and can be self hosted if you wish. I am very happy with it after leaving Signal.

    • FutileRecipe@lemmy.world
      link
      fedilink
      arrow-up
      4
      ·
      1 year ago

      To be fair, their job is not to 100% understand the technology, but to govern (they are politicians, not IT or SysAdmins)…and listen to subject matter experts as they make those decisions.

    • onlinepersona@programming.dev
      link
      fedilink
      English
      arrow-up
      16
      ·
      1 year ago

      It’s about digital sovereignty. France (or at least the prime minister) wants the government to control its own infrastructure. IMO, this is good and if they’re serious, it will mean getting rid of Microsoft, Apple, Google and everything else in governmental institutions. Best case would be if they also got rid of all of that stuff in schools to teach the next generation how to use FLOSS stuff.

      Seeing as they picked Olvid though… I’m not sure how serious they are about FLOSS. Probably more about keeping the money in France instead of it being siphoned off to some company in the US.

  • DavidGarcia@feddit.nl
    link
    fedilink
    arrow-up
    3
    ·
    1 year ago

    Olvid seems okay, but I find it weird that they advertise the fact that they don’t need to trust their servers as a feature somehow unique to them. Yeah, their “lack of centralized user directory” USP is a good feature (or lack thereof), but in the end it’s “yet another secure messenger”, even tough their github specificially says it’s not.

    If it were federated (as far as I can tell it’s not), then it would be a different matter. That would be a great USP. Kind of like Tox, but federated instead of P2P.

  • AutoTL;DR@lemmings.worldB
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    This is the best summary I could come up with:


    French Prime Minister Élisabeth Borne has banned widely used messaging applications WhatsApp, Telegram and Signal for ministers and their teams due to security vulnerabilities, according to a memo seen by POLITICO.

    Borne set a deadline of December 8 for the government to switch to using the French app Olvid instead, which is certified by France’s cybersecurity agency ANSSI.

    Tchap, the government-developed secure messaging and collaboration app, launched in 2019, is also allowed.

    In December, the entire government will be using [Olvid], the world’s most secure instant messaging system," French digital minister Jean-Noël Barrot confirmed on X.

    The government previously ordered civil servants to remove all types of social media platforms, gaming and video-streaming apps — including TikTok, CandyCrush and Netflix — from their work devices over cybersecurity and privacy concerns.

    This article was updated to include details on the memo seen by POLITICO.


    The original article contains 193 words, the summary contains 143 words. Saved 26%. I’m a bot and I’m open source!