EU switches to Signal: One rule for elites, another for plebs

Richi Jennings Industry analyst and editor, RJAssociates

The EU’s European Commission (EC) wants its staff to stop using untrustworthy messaging apps, such as WhatsApp. Instead, they’re instructed to move to the open-source Signal app.

Moxie Marlinspike (pictured) created Signal out of the ashes of RedPhone and TextSecure. It’s a strongly encrypted IM system, with code that’s been independently audited.

But think of the irony: Governments around the world are trying to prevent people from using uncrackable end-to-end encryption, yet this quasi-unelected institution seems to think it’s a special case. In this week’s Security Blogwatch, we light the flaming pitchforks.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Carlotta’s Face.


E2EE is bad, unless it’s good

What’s the craic? Laurens Cerulus reports—EU Commission to staff: Switch to Signal:

The instruction appeared on internal messaging boards in early February, notifying employees that "Signal has been selected as the recommended application for public instant messaging." The app is favored by privacy activists because of its end-to-end encryption and open-source technology. … It is supported by a nonprofit foundation.

After a series of high-profile incidents that shocked diplomats and officials in Brussels and across the Continent, the European Union is beefing up its cybersecurity standards. … Commission officials are already required to use encrypted email to exchange sensitive, non-classified information.

The use of Signal was mainly recommended for communications between staff and people outside the institution. … Promoting the app, however, could antagonize the law enforcement community.

Ain’t that the truth? Michael Allison is like rain on your wedding day—Signal is seen as more secure than WhatsApp:

It's ironic … that government bodies are switching to apps like this while law enforcement agencies rail against the adoption of encryption.

And John Porter carries the story forward—It’s the recommended app for public instant messaging:

The initiative comes as the EU is attempting to lock down the security of its communications in the wake of high-profile hacks. In June 2018, BuzzFeed [said the EU] embassy in Moscow had been hacked and had information stolen from its network. Later that year, The New York Times reported that the EU’s diplomatic communications network had been hacked over the course of a three-year period in a display of the “remarkably poor protection” given to official communications.

Signal is generally considered to be one of the most secure messaging apps available. It’s open source, uses end-to-end encryption by default, and unlike WhatsApp, it doesn’t store any message metadata or use the cloud to back up messages.

Remind me where this came from. Daniel Phillips is all about the background—EU commission is stepping up its privacy game:

In development since 2010 and first launched on Android and iOS in 2014, Signal was designed to ensure chats, group messages, and any included files are secured by end-to-end encryption. Because of this, the app has earned a reputation of being one of the most secure messaging clients around, and is now favored by American whistleblower Edward Snowden and many other security analysts.

Developed by the Signal Foundation, and prior to that by Open Whisper Systems, Signal uses the cryptographic protocol known as the Signal Protocol as the basis of its security. As an open-source protocol, cryptographers have had the chance to look into exactly what makes Signal tick.

Where’s the Brexit angle? Here’s AleRunner:

Interestingly enough, the UK Conservative party, wannabe nemesis of the EU, has also switched to Signal at the same time as WhatsApp is going to give the UK police access to your messages.

And adrianoslo is slightly sarcastic:

Uhm, what about child pornography? EU commission should use a messenger with a backdoor so that secret service could take a look … in case someone is using their messenger to share pictures of naked children.

Tell me more about beefing up the EC’s cybersecurity standards. bambataa obliges:

I once worked in the Commission, briefly. Technical security seemed to be non-existent.

Once all of the interns got invited to the U.S. embassy to meet the Ambassador. … On the way out the nice embassy staff gave us goodie-bags.

Complete with handy pen drives.

Basically everyone was giving away free pen drives in Brussels then. I would be surprised to find that the U.S. didn't already have access to a large number of EU institution computers.

But what’s so special about Signal? DrYak lays it all out for us:

It's using the industry-established AES under the hood for the actual encryption … using well-researched and studied primitives (e.g., Curve25519). [But] it's not the algorithm itself that is important to the EU.

What Moxie Marlinspike has done is to evolve the handshake, from OTR (off the record, previously used by e.g. Pidgin) … and evolve it into the Axolotl Ratchet (among other things, better for out-of-sync offline messages, multiple-participant chats, etc.). This evolution has been done in the open, with review being done by others, etc. It has been rolled out very carefully and very slowly.

Audits have been done on the code; we know the code is safe for use. … You can even compile your own. … Meanwhile, WhatsApp and Messenger are blobs. You have to trust Facebook.
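To make the ratchet DrYak is describing concrete, here is an added illustration (not from the original post, nor Signal's own code) of the symmetric-key chain step from the Signal Double Ratchet specification, with a receiver that copes with the out-of-order delivery he mentions by caching skipped message keys. The shared chain key is a constructed value; in Signal it comes from the Diffie-Hellman ratchet.

```python
import hashlib
import hmac

# KDF_CK from the Signal Double Ratchet spec: HMAC-SHA256 of a constant byte
# under the chain key yields the message key (0x01) and the next chain key
# (0x02). The chain only moves forward, so a later chain key reveals nothing
# about message keys derived before it (forward secrecy within the chain).
def kdf_ck(chain_key: bytes) -> tuple[bytes, bytes]:
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


class SendingChain:
    """Sender: one fresh key per message; the old chain key is overwritten."""
    def __init__(self, chain_key: bytes):
        self.ck, self.n = chain_key, 0

    def next_key(self) -> tuple[int, bytes]:
        self.ck, mk = kdf_ck(self.ck)
        self.n += 1
        return self.n - 1, mk


class ReceivingChain:
    """Receiver: ratchets ahead on out-of-order delivery, caching skipped keys."""
    def __init__(self, chain_key: bytes, max_skip: int = 100):
        self.ck, self.n, self.max_skip = chain_key, 0, max_skip
        self.skipped: dict[int, bytes] = {}  # bounded, as the spec recommends

    def key_for(self, n: int) -> bytes:
        if n in self.skipped:
            return self.skipped.pop(n)  # single use, then forgotten
        if n < self.n:
            raise ValueError(f"message {n} already consumed (duplicate/replay)")
        if n - self.n > self.max_skip:
            raise ValueError("too many skipped messages")
        while self.n < n:  # derive and stash keys for messages not yet seen
            self.ck, self.skipped[self.n] = kdf_ck(self.ck)
            self.n += 1
        self.ck, mk = kdf_ck(self.ck)
        self.n += 1
        return mk


# Constructed shared chain key for the example (Signal derives it from the DH ratchet).
SHARED_CK = hashlib.sha256(b"constructed example chain key").digest()

def demo_out_of_order() -> bool:
    sender, receiver = SendingChain(SHARED_CK), ReceivingChain(SHARED_CK)
    keys = dict(sender.next_key() for _ in range(3))  # messages 0, 1, 2
    # Deliver 2 first, then 0, then 1: each still matches the sender's key.
    return all(receiver.key_for(i) == keys[i] for i in (2, 0, 1))
```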

Meanwhile, sschueller notes an oint in the flyment:

This is as secure as purchasing a machine from Crypto AG. … They should at least compile their own version and not something that comes from a US-based app store under US law.

The moral of the story?

End-to-end encrypted communication has come of age. It’s not just for security pros anymore.


And finally

What’s it like to be face-blind?

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Steve Jennings/Getty Images for TechCrunch (cc:by)
