John McAfee releases secure anti-surveillance messaging app ‘Chadder’

21 points by mroling, about 11 years ago

26 comments

nodata, about 11 years ago
Or use TextSecure and RedPhone: https://whispersystems.org/ (https://github.com/WhisperSystems/TextSecure/)
ctz, about 11 years ago
Some observations:

- This uses an external service 'scrambls' (https://scrambls.com/) which seems to do per-message symmetric key management. Therefore, the owners of this service can read all your messages.

- The thing which seems to be sent along with the ciphertext is an 'XID' which is sent to scrambls and exchanged for the raw AES message encryption key. There doesn't seem to be any binding to the recipient in this step(?)

- The encryption of messages is AES-CBC with PKCS#5 padding. There is no message integrity, so therefore this provides no confidentiality under CCA2.

In conclusion, this is the sort of thing you should expect from a secure messaging app. (TextSecure excepted.)
casca, about 11 years ago
Having access to source is no guarantee of security or correctness (see Heartbleed) but relying on any of these secure messaging apps seems optimistic. Writing correct crypto code is hard and John McAfee's involvement offers no assurances.
davexunit, about 11 years ago
Free software is a prerequisite for software to be "anti-surveillance" and I see no indication that Chadder is free software.
memorion, about 11 years ago
So that's an iPhone screenshot on what appears to be a Nexus 4 without the navigation buttons with the android contact icons but there isn't even an iOS version yet. The first screenshot in the playstore shows the windows phone version and the second is the actual android version, what?
EC1, about 11 years ago
Why do people keep releasing messaging applications? These things rarely, if ever catch on.

Awaiting the inevitable HN thread about how Chadder is flawed.
jacquesm, about 11 years ago
McAfee ceased to be a brand that you'd want to be associated with a while ago, I wonder what they intend to achieve by attaching their reputation to his.

Toxic doesn't even begin to describe it, he's the IT world equivalent of a rogue.
motters, about 11 years ago
If the source code isn't available then any claims to being secure should be treated cautiously. For instance, how do we know that there aren't heartbleed-style errors in this anti-surveillance app?
sschueller, about 11 years ago
Isn't McAfee back in the US? You can't trust crypto tools that are closed source from the US. The current state of laws make that impossible. [1] [2]

[1] http://en.wikipedia.org/wiki/National_security_letter
[2] http://en.wikipedia.org/wiki/Patriot_act
a1a, about 11 years ago
I think the biggest problem here is that the application claims to be "anti-surveillance" yet it doesn't really solve the surveillance problem, namely meta-data.

If anything this application *helps* surveillance by filtering out the communication from "regular" communication.

We have had encrypted messaging for ages now. I cannot tell what's new here.
chrisdevereux, about 11 years ago
Anyone care to explain how this is supposed to work? If Chadder don't store or transmit the key, how does the person I'm sending a message to have it?

The ambiguity in the way the video explained it makes me a bit suspicious.
andor, about 11 years ago
Oh wow. It uses a very innovative REST key exchange protocol.

Encryption:

    * Messages are encrypted with AES 128 CBC
    * Random key for each message
    * The AES key is sent to the server, and exchanged for some key-id
    * The key id is prepended to the message

Decryption:

    * Split message into key id and encrypted part
    * Download key from server
    * Decrypt message

Edit: Decompile it to see for yourself
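Added example, not part of the thread and not the app's code: a sketch of the integrity gap raised in ctz's and andor's comments above, where CBC with PKCS padding and no MAC accepts a modified message, while an encrypt-then-MAC variant rejects it. The Feistel stand-in cipher (used so this runs on the Python standard library instead of AES-128) and all function names are assumptions of this example.

```python
import hashlib, hmac, os

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def prp(key, blk, inverse=False):
    # Stand-in block cipher (4-round Feistel over HMAC-SHA256) so this runs on the
    # standard library alone; an assumption of the example, the app used AES-128.
    l, r = blk[:8], blk[8:]
    for i in (range(3, -1, -1) if inverse else range(4)):
        f = hmac.new(key, bytes([i]) + (l if inverse else r), hashlib.sha256).digest()[:8]
        l, r = (xor(r, f), l) if inverse else (r, xor(l, f))
    return l + r

def cbc_encrypt(key, pt):
    pad = BLOCK - len(pt) % BLOCK             # PKCS#5/#7 padding
    pt += bytes([pad]) * pad
    out = [os.urandom(BLOCK)]                 # random IV travels as block 0
    for i in range(0, len(pt), BLOCK):
        out.append(prp(key, xor(pt[i:i + BLOCK], out[-1])))
    return b"".join(out)

def cbc_decrypt(key, ct):
    if len(ct) < 2 * BLOCK or len(ct) % BLOCK:
        raise ValueError("bad length")
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    pt = b"".join(xor(prp(key, c, True), p) for p, c in zip(blocks, blocks[1:]))
    pad = pt[-1]
    if not 1 <= pad <= BLOCK or pt[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    return pt[:-pad]

def seal(enc_key, mac_key, pt):
    # Encrypt-then-MAC: the tag covers the IV and every ciphertext block.
    ct = cbc_encrypt(enc_key, pt)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, msg):
    ct, tag = msg[:-32], msg[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return cbc_decrypt(enc_key, ct)           # only reached for unmodified input

def flip_first_bit(msg):
    # Constructed in-transit modification: one bit of the IV is changed.
    return bytes([msg[0] ^ 1]) + msg[1:]
```

With plain `cbc_decrypt`, the modified message decrypts to a different plaintext with no error; `open_sealed` raises before any decryption happens.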
SchizoDuckie, about 11 years ago
Anything that claims to do 'APP X' with 'encryption' these days should not put itself out there without posting a full (and RECENT) security audit by an un-biased third party.

Otherwise, I'm going to assume you are still leaky as hell, make mistakes and have not cleaned up your code, etc.

And no, claiming you are 'open source' doesn't cover it (And I don't even have to refer to Heartbleed here)
atanasb, about 11 years ago
When is the iOS client going to be released? It's kind of interesting that this comes up on HN and at the same time a security leak [0] in the iOS email client is found.

[0] http://www.macrumors.com/2014/05/05/ios-7-email-attachment-encryption/
dm2, about 11 years ago
Do the phones have to be online at the same time in order to send the first key or does a Chadder server distribute the keys to each pair of users but simply not store the key after its distribution?

Sorry if this question sounds ignorant, the details and best practices of encryption are way over my head.
dewey, about 11 years ago
Even if it's not directly relevant to the product in question but I always think it's a bit weird to promote a "secure" product and don't even have SSL enabled on your own website. It's not like it's expensive to get a simple certificate these days.
sajithdilshan, about 11 years ago
I'm confused. Does this app use public key encryption? If so, how do I obtain the actual public keys of all my contacts? Do we have to personally meet and exchange the public keys?
schrodinger, about 11 years ago
They didn't even capitalize his last name properly:

    We are also very excited to announce our partnership with John Mcafee and Future Tense Central!
akumen, about 11 years ago
So the client is open source but the server and backend isn't, same as Telegram? What is the point? That and McAfee doesn't exactly inspire confidence.
phpnode, about 11 years ago
wow, that's a distracting background. Also the video doesn't explain how the key exchange works, and isn't that the important/hard bit?
zokier, about 11 years ago
Only explanation they give is that it "uses encryption" and that should make the app trustworthy? Is this a joke?
n1ghtmare_, about 11 years ago
Is the name McAfee supposed to be a plus? Isn't he kinda crazy these days? That's a red flag in my book.
hemaljshah, about 11 years ago
If that's how they designed the website, I'm a little scared to download the app.

Also, no iOS?
JohnDoe365, about 11 years ago
I thought he is in prison? Or at least under investigation?
higherpurpose, about 11 years ago
So how does it do that encryption? Through magic?
mantrax5, about 11 years ago
Nothing against John McAfee, I have no idea what happened in Belize, and he can probably have a wonderful career as a reality TV star or a similar effort.

But I wouldn't touch a security product he offers with a 20 foot pole. Literally I wouldn't even visit the site, let alone hover my mouse over the download link.

And no, not because of McAfee Antivirus, but despite it.