vanitasvitae / Smack

A modular and portable open source XMPP client library written in Java for Android and Java (SE) VMs
https://igniterealtime.org/projects/smack/
Apache License 2.0
16 stars 3 forks

Plan for auditing? #27

Closed n8fr8 closed 6 years ago

n8fr8 commented 7 years ago

Maybe we should get these guys to take a look! https://pwnaccelerator.github.io/2017/signal-part3.html

vanitasvitae commented 7 years ago

In general that would be really nice, but I don't know how much "critical" code is in smack-omemo. The "hardcore" crypto is actually in libsignal, but many eyes on the code can't hurt and who knows, maybe there are security flaws in smack-omemo as well... :)

n8fr8 commented 7 years ago

I am curious about some of the flaws they discovered with replay attacks, "last resort" keys and so on... that seems outside of libsignal though, right?

vanitasvitae commented 7 years ago

OMEMO does not use last resort keys, since the server does not delete keys. There is not much crypto stuff going on outside of libsignal, so I'm confident ;)

vanitasvitae commented 7 years ago

I thought a little about it. I think an audit would be nice indeed. There's still some work to do, but for the future it's sure a good idea 👍 So if you know how to initiate something like this, let me know :)

vanitasvitae commented 6 years ago

The latest rework (still WIP) made the code way more readable and clean. I really hope those will be included in Smack 4.2.3, as I'm sure an audit will profit from these changes.