this post was submitted on 01 Dec 2023
69 points (100.0% liked)

Privacy

15 readers
13 users here now

Icon base by Lorc under CC BY 3.0 with modifications to add a gradient

founded 1 year ago
MODERATORS
 

After the Tchap project based on Matrix, the French Prime Minister asks anyone in the gouvernement to use Olvid, the only app validated by the ANSSI, with metadata encryption and no centralised architecture nor contacts discovery. But only the front-ends are open source, not the back-end.

Source: https://www.politico.eu/article/france-requires-ministers-to-swap-whatsapp-signal-for-french-alternatives/

top 25 comments
sorted by: hot top controversial new old
[–] tkk13909@sopuli.xyz 14 points 11 months ago (1 children)

Can't wait to hear how this gets hacked!

[–] pylapp@programming.dev 4 points 11 months ago (1 children)

Olvid is the only messaging application today certified by the ANSSI (the French security agency), I doubt this one will be hacked.

[–] tkk13909@sopuli.xyz 6 points 11 months ago (1 children)

It's only a matter of time.

[–] pylapp@programming.dev 5 points 11 months ago (3 children)

A matter of time, resources, knowledge, tools, energy, intels. With the ANSSI credit, good luck.

[–] read_deleuze@lemmy.ml 4 points 11 months ago (1 children)

Just because everything checks out in principle doesn't mean it's actually secure. First off, we have no certainty of the client code running; it's open source, sure, but unless they ensure reproducible builds - which, given it's on the Play store (and I assume Apple app store), they can't be, since the binaries must be signed - we have no way of knowing whether the code actually being downloaded and run is actually the same as the FOSS version. Further, even if it is, it may have intentional subtle vulnerabilities meant to be used by the French govt (so would easily pass certification by having the ANSSI be instructed top-down to overlook certain things), or it may be that the server can trigger a known bug resulting in leakage of data. At an even more paranoid level, it's possible that the encryption itself is faulty; the specification says it uses aes256 and ed25519 which is about as battle-tested as it gets, but the PRNG seems to be mostly their own innovation. It specifies a minimum of 32 bytes of entropy, which (though cryptography is not my expertise, so at this point I'm wildly speculating) is probably trivial to send or embed in some other communication with the server e.g. by ensuring the PRNG is deterministic after the first keygen and faulty in some known way and sending over a future result.

I wouldn't trust the French government.

[–] tkk13909@sopuli.xyz 4 points 11 months ago (1 children)

Seeing as the French government was going after a group of people for using Signal and other 'clandestine' behaviors, I'm with you in distrusting them.

[–] lambalicious@lemmy.sdf.org 1 points 11 months ago (1 children)

Wasn't also France behind a lawsuit in Switzerland that got Protonmail to start spying on its users?

[–] tkk13909@sopuli.xyz 1 points 11 months ago

I hadn't heard about that one but I'm not surprised.

[–] tkk13909@sopuli.xyz 2 points 11 months ago

You ever hear of nation-state actors?

load more comments (1 replies)
[–] pootriarch@poptalk.scrubbles.tech 11 points 11 months ago (1 children)

i rather doubt a government would push people out of signal-protocol apps and into Some Other App if they didn't already have a backdoor into the designated substitute

[–] pylapp@programming.dev 4 points 11 months ago

Servers are private, so we can conclude anything…

[–] gnygnygny@lemm.ee 10 points 11 months ago (1 children)

To start Europe should have secure phones made in EU.

[–] lysdexic@programming.dev 6 points 11 months ago (1 children)

To start Europe should have secure phones made in EU.

Doesn't switching instant messaging services count as a start? Switching hardware is far harder than switching software.

Also, local messaging systems also determine where your traffic goes and who controls that data. If you have a french messaging service with data centers in france routing traffic between people in France, you are in a far better shape.

[–] gnygnygny@lemm.ee 1 points 11 months ago (1 children)

When Real-Time Bidding allows foreign states and non-state actors to obtain compromising sensitive personal data about key European personnel and leaders to get location data, time-stamps, websites and apps activities; switching to a local messaging service appears to be a weak patch. You can get an overview of the actual situation here : https://www.iccl.ie/digital-data/europes-hidden-security-crisis/

[–] lysdexic@programming.dev 2 points 11 months ago (1 children)

appears to be a weak patch.

It's not a patch. It's eliminating an attack vector, and the one which is more pervasive and easier to exploit.

Security-minded people pay far more attention to what software you run than what hardware you have.

[–] gnygnygny@lemm.ee 1 points 11 months ago

You didn't read the article apparently.

[–] Cenzorrll 6 points 11 months ago (1 children)

So what are the vulnerabilities in Signal? And how is Olvid better?

[–] onlinepersona@programming.dev 16 points 11 months ago (1 children)

It's about digital sovereignty. France (or at least the prime minister) wants the government to control its own infrastructure. IMO, this is good and if they're serious, it will mean getting rid of Microsoft, Apple, Google and everything else in governmental institutions. Best case would be if they also got rid of all of that stuff in schools to teach the next generation how to use FLOSS stuff.

Seeing as they picked Olvid though... I'm not sure how serious they are about FLOSS. Probably more about keeping the money in France instead of it being siphoned off to some company in the US.

[–] MetricIsRight@lemmy.ca 2 points 11 months ago (1 children)

Forgive my ignorance, But I know FOSS, I've yet to see FLOSS, is this another acronym for Free Open Source Software or did auto correct mess something up?

[–] xav@programming.dev 4 points 11 months ago (1 children)
[–] shottymcb@lemm.ee 1 points 11 months ago

Free and free?

[–] DavidGarcia@feddit.nl 3 points 11 months ago

Olvid seems okay, but I find it weird that they advertise the fact that they don't need to trust their servers as a feature somehow unique to them. Yeah, their "lack of centralized user directory" USP is a good feature (or lack thereof), but in the end it's "yet another secure messenger", even tough their github specificially says it's not.

If it were federated (as far as I can tell it's not), then it would be a different matter. That would be a great USP. Kind of like Tox, but federated instead of P2P.

[–] Skua@kbin.social 3 points 11 months ago

Minitel 2 let's go

[–] possiblylinux127@lemmy.zip 1 points 11 months ago* (last edited 11 months ago)

Is berty still around?

Edit: they are https://berty.tech/

[–] autotldr@lemmings.world 1 points 11 months ago

This is the best summary I could come up with:


French Prime Minister Élisabeth Borne has banned widely used messaging applications WhatsApp, Telegram and Signal for ministers and their teams due to security vulnerabilities, according to a memo seen by POLITICO.

Borne set a deadline of December 8 for the government to switch to using the French app Olvid instead, which is certified by France's cybersecurity agency ANSSI.

Tchap, the government-developed secure messaging and collaboration app, launched in 2019, is also allowed.

In December, the entire government will be using [Olvid], the world's most secure instant messaging system," French digital minister Jean-Noël Barrot confirmed on X.

The government previously ordered civil servants to remove all types of social media platforms, gaming and video-streaming apps — including TikTok, CandyCrush and Netflix — from their work devices over cybersecurity and privacy concerns.

This article was updated to include details on the memo seen by POLITICO.


The original article contains 193 words, the summary contains 143 words. Saved 26%. I'm a bot and I'm open source!