You can’t verify the binaries it’s actually running and the protocol shouldn’t r... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		dustyharddrive on Jan 10, 2023 \| parent \| context \| favorite \| on: Three lessons from Threema: Analysis of a secure m... You can’t verify the binaries it’s actually running and the protocol shouldn’t rely on a trustworthy server anyway. IMO the biggest problem with any of these E2EE apps is using them with iOS users. Apple makes it impossible to extract and inspect the packages without jailbreaking, so most projects don’t bother with reproducible iOS builds.

tptacek on Jan 10, 2023 [–]

As the paper demonstrates, you did in fact need to trust the Threema server in some respects.

dustyharddrive on Jan 10, 2023 | [–]

Yeah :(

but that’s why I said “shouldn’t” instead of “doesn’t”.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact