Another article, much better and presents in more detail that Olvid was audited on an older version and chosen because it was French and they applied for it (French) https://www.numerama.com/tech/1575168-pourquoi-les-ministres-vont-devoir-renoncer-a-whatsapp-signal-et-telegram.html

Google translate link original post : https://www-lepoint-fr.translate.goog/high-tech-internet/les-ministres-francais-invites-a-desinstaller-whatsapp-signal-et-telegram-29-11-2023-2545099_47.php?_x_tr_sl=fr&_x_tr_tl=en&_x_tr_hl=fr&_x_tr_pto=wapp

The translation has some mistakes but good enough to understand the context.

Here is a short summary :

Olvid passed a 35d intrusion test by Anssi (French cybersecurity state organisation) experts or designated experts, with code examination without finding any security breach. Which is not the case of all other 3 messaging apps (either because they didn’t do any test, or because they didn’t pass).

This makes WhatsApp, signal and telegram unreliable for state security.

And so government members and ministerial offices will have to use Olvid or Tchap (French state in house messaging app).

More detail in the article.

  • stimut@aussie.zone
    link
    fedilink
    English
    arrow-up
    2
    ·
    11 months ago

    Interesting, thanks for that.

    The first link you posted states that the master key is stored. It also states that the information on the page doesn’t match the official blog from Signal, but that they’ve gathered their information from the source code, so I assume it’s correct. It does make me wonder why Signal doesn’t say that they store the master key though 🤔

    • jet@hackertalks.com
      link
      fedilink
      English
      arrow-up
      1
      ·
      11 months ago

      You don’t have to trust blogs, do the experiment yourself, make a new signal account, send a message, set a pin, delete the app, reinstall, recover from pin, and send a message again… the signing key doesn’t change. That is proof the key is in the cloud.

      Signal DOES say its in the cloud, but they use the Corporate partial truth… SVR is for “personal data” … which the key is. They don’t emphasis it, because its such a bad idea, when they implemented this there was a big security online outrage… which seems to have died down.

      Signal is a good enough protocol for daily use, but not good enough for nation states, or the truly security conscious. Signal is a step in the path to federated democratic private communication but not the destination.