The Baffling Patronage of Silent Circle

Chris Soghoian is a well-respected privacy expert. He has written excellent articles and critiques, including a critique of Skype in which he concludes:

“We need transparency. Until it is more transparent, Skype should be assumed to be insecure, and not safe for those whose physical safety depends upon confidentiality of their calls.”

Chris has also covered my own work, in asking those reporting on my research to be more inquisitive and patient, allowing security research to be audited before declaring it secure. For this and for his position on Skype, he is to be lauded. Chris has also been helpful in introducing me to experts such as Matthew Green and has expressed interest in getting my research audited.

It is therefore baffling when Soghoian, who has built a well-deserved reputation for himself as a privacy, security and transparency advocate, ignores the principles of security by design and transparency, specifically and possibly uniquely, in the case of Silent Circle, a competitor to Skype that claims to encrypt all phone communications. I have serious problems with Silent Circle, whence I concluded that due to the project’s closed nature:

“…there exists no method of verifying the effective security properties of Silent Circle, or to verify if, at all, the application does anything more or less than what it says it does. [...] Silent Circle stands in the same area as Skype: both promise encryption and yet offer no method to verify the security, integrity and reliability of their claims.”

I’ve made a big deal of my disappointment with Silent Circle in public, to the point where eventually Silent Circle began releasing some of their source code — an exciting and promising move. However, their source code remains released only in incomplete chunks and definitely is lacking.

The difference between security by policy and security by design

Soghoian’s patronage of Silent Circle is baffling because he goes to great lengths to defend a project that can so far only be defended by its policies and not by its design. This is an important difference, one that an expert such as Soghoian must be aware of: Silent Circle can adopt policies of accountability, security and transparency, but those policies depend on trust and do not promise a software design that is open source and that can be peer-reviewed for transparency. While Chris has lauded Silent Circle for their (good) policies, he does not address the woefully lacking design front.

Seeing as Chris had previously written about Skype, demanding more transparency, and had even written about my own work, demanding more peer review, one would expect him to take a similar view of Silent Circle. However, in the wake of some analysis of Silent Circle’s protocol this morning, Chris immediately responded by tweeting a policy-based defence of the same protocol.

A few weeks ago, I emailed Chris asking him why, while he had written extensively on transparency requirements for Skype and peer review requirements for my own research, he had chosen to turn a blind eye to Silent Circle. His response was to publish my emails to him publicly and falsely accuse me of soliciting a “hit piece.” This was especially unacceptable behaviour. Soghoian is endangering his claim of independence. Chris accused me of seeing Silent Circle as a competitor to Cryptocat — Cryptocat is a free web instant messaging service whereas Silent Circle is a smartphone app for voice communication. I believe Skype to be a more proper competitor to Silent Circle.

I do not believe that any project should be immune from the requirement for open code review, no matter its policies or the personal reputation (or connections) of its creators. Just as security experts have asked for transparency and peer review from Skype, they should ask for the same from Silent Circle instead of focusing solely on the project’s policies. For me, this is a matter of ideology for the cryptography community, one that I believe is necessary to maintain an atmosphere of open, transparent cryptography software development.

The dangers of ignoring security by design

Silent Circle has continued to target activists without having its complete source code open for public review. In that article Silent Circle claims:

“Users don’t even have to be worried about Silent Circle being coerced into doing wiretapping, [...] [No one] will have the ability to decrypt your communications across our network – ever.”

Without openly reviewable security by design, we cannot know that these claims are true. My own project, Cryptocat, recently fixed critical security bugs that were only discovered due to the project being openly reviewable by design. Had we followed Silent Circle’s design philosophy, open-source volunteers would have been unable to publicly review our work and discover the critical flaws that we later fixed. As a result, Cryptocat would have continued to carry dangerous vulnerabilities.

Silent Circle cannot be defended until it addresses security by design in the same excellent fashion in which it addresses security by policy.

 

Posted November 24, 2012 by Nadim in Computing, Internet, Security