Not So Secret: Analysis of KakaoTalk's Chat E2EE Feature

&gt; Use a more robust E2EE chat app instead (e.g., Signal). Ideally, run your own messaging server if you can (e.g., Signal server).<p>If you are more serious about security and privacy, don’t use an app that still uses a broken protocol (SMS) that’s vulnerable to different types of attacks as your main ID. Use Matrix or similar instead.

&gt;In addition, KakaoTalk does not immediately notify users if the other parties’ public key has changed...<p>The suggested alternative (Signal) at one point changed such warnings so that that they are much easier to miss and&#x2F;or ignore[1]. They are now shown in tiny light grey text and the user no longer has to acknowledge the warning at all. So not a great counterexample...<p>It seems that these type of things go through a natural evolution. First security at the expense of usability and then later usability at the expense of security. We really need to come to terms with the hard problem of E2EE usability rather than continue to engage in this constant waffling...<p>[1] <a href="https:&#x2F;&#x2F;signal.org&#x2F;blog&#x2F;verified-safety-number-updates&#x2F;" rel="nofollow">https:&#x2F;&#x2F;signal.org&#x2F;blog&#x2F;verified-safety-number-updates&#x2F;</a>

Thanks for this! Some feedback on the images: perhaps you can &quot;bake-in&quot; a white background. Your diagrams are transparent PNGs, which is fine when the webpage is white, but when in dark mode it makes the images hard to read (as now we have black text and drawings against a dark background).

Good article. I&#x27;d say the broader points here are:<p>- the old adage &quot;don&#x27;t roll out your own cryptography&quot; (even if you&#x27;re one of the biggest conglomerate in one of the world&#x27;s wealthiest country).<p>- not a single person I know use this secret chat feature - it&#x27;s sadly still quite rare in Korea to meet a privacy minded person even (especially?) in tech-focused groups, people use Telegram (which might be worst)