jdev - 2020-02-18

  1. debacle

    Is there a good abstract about the 96 vs. 128 bits OMEMO mess? Which explains, why clients should move to 96 bits and how things went wrong? TIA!

  2. Ge0rG

    96 bits?

  3. Ge0rG

    ah, 12 bytes. I was confused for a brief moment

  4. Ge0rG

    debacle: https://twitter.com/iNPUTmice/status/1228950491805167617

  5. pep.

    debacle, TL;DR: You only need to move to 12 if you want Monal to read you

  6. debacle

    Ge0rG Nice, first people use a medium that prevents them from communicating in complete sentences. Then they work around it by sending many messages :-) Thanks anyway!

  7. debacle

    pep. Yes, and I think Monal 5.0.1 just solved the problem anyway.

  8. pep.

    did it?

  9. Ge0rG

    I still think that the best solution to the OMEMO problem is to disable OMEMO

  10. pep.

    I doubt that's an OMEMO-only issue

  11. debacle

    Ah, no that's the other way around!

  12. pep.

    I mean this one specifically yes. Not this kind of issue though

  13. debacle

    *ChatSecure* 5.0.1 fixed 12 bytes IV receiving.

  14. pep.

    debacle, yeah, so my TL;DR holds :)

  15. debacle

    Monal is still "broken" by not receiving 16 bytes.

  16. debacle

    let's hope, there is a way for a new Monal version to accept both

  17. debacle

    pep. Unfortunately, at least two of my contacts use Monal. And it's my fault!

  18. pep.

    Maybe an incentive to push Debian to do exceptional releases? :P

  19. debacle

    pep. exceptional Debian release because of an Apple app. I'm so ashamed :-)

  20. pep.

    ha ha ha

  21. moparisthebest

    debacle: limitation in Apple's crypto API precludes them from accepting 16 byte IVs with it, and France's stupid laws prevent them from using another crypto lib, so I doubt monal will fix it

  22. jonas’


  23. debacle

    moparisthebest Sounds horrible!

  24. moparisthebest

    jonas’, which bit do you want clarification on?

  25. jonas’

    moparisthebest, what’s got france to do with that? I mean, which law is that?

  26. moparisthebest

    https://monal.im/blog/omemo-and-french-laws/ and https://monal.im/blog/monal-4-3-is-coming-out-in-about-a-week-even-in-france/

  27. moparisthebest

    as I understand it, france requires him to get approval from the prime minister to "distribute a crypto library" OR he can use apple's supplied API, since that's distributed by Apple who already has said approval

  28. jonas’

    that’s not really cleared anything up

  29. moparisthebest

    https://monal.im/blog/monal-4-3-is-coming-out-in-about-a-week-even-in-france/#comment-29385 not even that one?

  30. jonas’


  31. jonas’

    because that doesn’t explain which french law and with which rationale forces GCM implementations to register somewhere

  32. moparisthebest

    > import of a means of cryptology which does not exclusively provide authentication or integrity control functions are subject to a prior declaration to the Prime Minister (Google Translate of French law)

  33. moparisthebest

    larma pasted that in dino channel earlier ^

  34. lovetox

    yeah and why can't I distribute my app on appstore, but every distro in the world can ship as many crypto libs as it wants to France users

  35. moparisthebest

    jonas’, basically apple has to approve or deny your app right? and they would not approve it for france without said certificate

  36. moparisthebest

    lovetox, iirc it's about shipping crypto *from* france, not *to*, I don't know, ask Apple

  37. moparisthebest

    > use restrictive shit OS / Ecosystem

  38. moparisthebest

    > surprised when it turns out to be restrictive and shitty

  39. lovetox

    I'm not a smartphone user, but this appstore monopoly leads to weird stuff

  40. jonas’

    ISTM that france is the problem here, not iOS

  41. Zash

    why not both?

  42. moparisthebest

    french laws require apple to do this though, I guess

  43. moparisthebest

    or at minimum apple believes they are required to do this per french law

  44. lovetox

    seems to be a law to just limit encryption on smartphones

  45. lovetox

    they probably don't care about desktop

  46. lovetox

    but still weird, at this point why would you still trust Apple's crypto lib?

  47. moparisthebest

    *yet (or don't have a great way to enforce it, yet)

  48. jonas’

    or desktop is irrelevant

  49. jonas’

    my bet for "the year of the linux desktop" is when the desktop has become so irrelevant that it’s only used by nerds ;)

  50. lovetox

    but yeah good plan, force all applications to use a single lib

  51. moparisthebest

    it was 2009, when everyone had a phone, running linux, sitting on top of their desk (otherwise known as their desktop) :P

  52. lovetox

    then outlaw that lib

  53. lovetox

    boom no encryption anymore :)

  54. moparisthebest

    lovetox, why outlaw it, it's an "approved" lib (maybe even backdoored :))

  55. moparisthebest

    only thing better than outlawing encryption is telling everyone you are encrypting while secretly sending copies to yourself

  56. pep.

    happy to see we're discussing the stupidity of French laws. I wonder if Anu would join us in protests. Anyone else interested? We have spare pitchforks!

  57. moparisthebest

    Anyone who willingly owns an iPhone is used to bending over I assume

  58. larma

    I think the reason why Apple cares so much about the apps in their App Store is that they are considered the entity importing when downloading the app on an iPhone in France. For Linux distributions and most desktop software, it is the end user doing the import when downloading the software. The reasons why Apple cannot argue the same are probably that a) they don't allow any third-party software to download apps from the App Store, and b) they don't allow downloading apps from third-party sources. Their closed ecosystem kind of implies that they actually control what is downloaded and installed on the phone so they can be held liable. IANAL though ;)

  59. pep.

    So that would also happen with any other store thingy? Android, Microsoft? (Steam? etc., who knows what games include nowadays :p)

  60. moparisthebest

    But all those you can download apps without using the stores

  61. moparisthebest

    I don't know legally if that makes a difference or anything

  62. Zash

    Something like common carrier regulations where if you do mess with stuff, you're on the hook for the legality of it.