Secure messaging has brought end-to-end encryption to the masses. At the Centre, we close key security gaps with the end-user in focus.
Secure messaging has brought end-to-end encryption to the masses, but there is a key loophole in the security architecture of modern messaging applications: the authenticity of the keys being used.
At the Centre for Cyber Trust, we made two proposals to strengthen key authentication, underpinning our solutions with insightful usability research.
SOAP is an OpenID Connect-based authentication protocol, which we applied to messaging applications.
SOAP is an OpenID Connect-based Social Authentication Protocol, which we applied to messaging applications. When performing social authentication, users verify that their chat partner controls accounts at different identity providers (IdPs) which they know are controlled by their intended chat partner. Using social authentication, users can verify, for example, that their messaging application chat is not intercepted by a MITM. By building on top of the popular OpenID Connect protocol, SOAP automates the authentication ceremony and does not require adoption from any OpenID Connect-IdP.
We entrust our digital devices with many of our intimate secrets. We likewise assume that these stay confidential as we send them to our friends through private messaging apps. Russian users now learned that this assumption is fragile.
In a suspected government wiretap , an actor inserted itself between them and the servers. The trust users had in the messaging application was betrayed and sensitive conversations exposed.
While such stories seem rare, consider that only the ones caught are reported.