After fiddling with my LDAP server (which now serves NetBSD and new style Mac OS X auto mounter maps) for several hours I realised that I should finally write down my four laws of network protocols:
- Network protocols which have simple in their name are not simple.
- Network protocols which have lightweight in their name are anything but lightweight.
- Network protocols which have neither simple nor lightweight in their name are still not simple and probably also not lightweight.
- If you can use a network protocol by typing a request into Netcat the protocol is treacherous because it appears to be simple but really isn’t.
If you keep this in mind the nasty problems you will experience with various network protocols will at least not come as a complete surprise. 🙂
Yesterday a serious vulnerability in the OpenSSL cryptographic library was made public. This vulnerability is known as the Heartbleed Bug. It is a very nasty problem because it leads to exposure of arbitrary information by any server which provides services that use OpenSSL’s SSL library to provide encryption. There are even reports suggesting that some server software can leak its private cryptographic keys due to this security hole. And as a potential attack leaves no trace whatsoever, you cannot even tell whether your server has been attacked.
I don’t believe that my server was attacked. It is simply too unimportant. But security is not about beliefs, it is about facts. So I swallowed the bitter pill today and paid $25 to get my old SSL certificate revoked. This allowed me to request a new certificate for my brand new 4096-bit RSA key. Let’s hope that this one stays secure … at least for a while.
For a while I used the WhatsApp instant messenger as a replacement for SMS. The application had a nicer user interface than Android’s SMS application (and probably still has). The WhatsApp service also allowed me to avoid the ridiculous fees that mobile providers charge for text messages, particularly to other countries. But I didn’t enjoy it for long.
A lot of sources reported how poor the security of this service was. Messages weren’t encrypted during transfer and the authentication was very weak. An attacker only had to know your phone number to get access to your messages and even send faked messages which would appear to originate from your account. But WhatsApp Inc., the company behind the WhatsApp service, didn’t try to fix these shortcomings. They instead sent lawyers after the people who had reported and demonstrated these security holes. At that point in time I deleted my WhatsApp account.
To make matters worse, WhatsApp Inc. was purchased by Facebook during the past week. A company that failed to protect the privacy of its customers has been bought by a company that considers privacy an obstacle to good business.
But this could be a blessing in disguise. It raised awareness of (the lack of) security and privacy protection in most instant messaging services. Based on this excellent review of the security of instant messaging services that are currently available on mobile platforms, I tried out surespot encrypted messenger. It turns out that surespot fulfils all my requirements:
- It is available for both Android and iOS (my wife has an iPhone).
- It uses modern, strong, end-to-end encryption to protect your privacy.
- It uses push notifications, which are required for reliable operation under iOS.
- You don’t have to provide any personal information to create an account. You simply pick an account name and a password.
- The client doesn’t transfer your contacts to the surespot servers. It only uses your contact information to send out invites on your explicit request.
- The user interface is decent.
It seems that I finally found the messaging solution that I was looking for. And if you value your privacy as well, you might want to take a look at the surespot encrypted messenger, too.