Security on UT
-
@arubislander I was talking about the Telegram servers and how you don't know what happens with your conversations once they reach their servers. As far as I know, Signal (Axolotl) is much trustworthy and I think deserves more attention and work. Invest energy in Teleports might be a dead end since the servers might be compromised.
-
@C0n57an71n Different tools for different purposes. Communication on Telegram should be considered the same as talking to people in a public space. What is shared is not confidential, so it doesn't need to be secure. It should be viewed the same as our communication on this forum.
If what is communicated vitally needs to be reliably and verifiably secure, then yes, Telegram might not be the best platform.
But then again, what platform really is, unless you are hosting the servers yourself. And even then you need to know what you are doing.
The peer-to-peer protocols are better, as there is no server to cache your messages, but even so, the sender or recipient could be compromised without their knowledge ...
-
"Trust no one, do nothing"!
How can we know ubports devs are trustworthy people, all of them?
Maybe one of them just put backdoors everywhere!OPEN SOURCE, is the only answer, and that people of open source community who can read the code are globaly good, not evil.
It's because of that i can trust the whole open sourced projects.If telegram is open sourced, then "everybody" can see how its protocol is secured, or not.
-
@Keneda yes, telegram is open source, but not what whappens in the servers. That is why Axolotl should be pushed forrward. It's better to improve your security than work against it. And about that: is this the reason why now all webapps and links opens in Onion by default?
-
@C0n57an71n said in Security on UT:
is this the reason why now all webapps and links opens in Onion by default?
No, this is an issue, last installed webbrowser becomes the default one.
https://forums.ubports.com/topic/3997/links-from-webapps-are-opening-in-onion-browser-default-instead-of-morph/12?_=1592570382834 -
@Keneda So uninstalling both and reinstalling them backwards will solve it?
-
I don't think you can uninstall Morph browser. It comes bundled as a .deb in the root filesystem.
π¦πΌ π³π± πΊπΈ πͺπΈ
Happily running Ubuntu Touch
Google Pixel 3a (24.04 preview)
JingPad (24.04 preview)
PinePhone OG (20.04)
Meizu Pro 5 (16.04 DEV) -
@arubislander I was thinking the same...
-
@arubislander said in Security on UT:
I don't think you can uninstall Morph browser. It comes bundled as a .deb in the root filesystem.
Ohhhhh, with a little R/W on the rootfs using UTΒ³ and a little of command line magic, you'd probably can uninstall it, but i don't think that would be a good idea :beaming_face_with_smiling_eyes:
-
@C0n57an71n
To answer the why push Telegram instead of Signal ?There is not really a push. The choice of Telegram was made because people used this platform and it was possible to port it to UT.
That was a choice by opportunity.
Signal is also ported to UT but has less users. The more users, the more interest and the more developers you get... -
@AppLee Always the chicken and egg problem, ain't so?!...
-
@C0n57an71n said in Security on UT:
@Keneda yes, telegram is open source, but not what whappens in the servers. That is why Axolotl should be pushed forrward.
The two aren't interchangeable. It also depends on whether any of your contacts use it. I happen to use both, for that reason.
I'm eagerly awaiting the further development of Axolotl, but it will not replace Tg for me. -
@AppLee Also, with respect to this, people were already using Telegram for group chats (which I think Signal didn't support yet back then), and Matrix was nowhere near usable in ~2015 either.
Telegram and Canonical also had some agreement back in the day, which led to the creation of the old Telegram app on UT.
So less of a push and more of just the way things were at the time, and now we have those.
-
@C0n57an71n said in Security on UT:
@kugiigi said in Security on UT:
However, there's no support yet for encryption and such so your device is vulnerable when someone else gets a hold of it.
@kugiigi That applies everywhere: don't let your stuff be accessed by people you don't trust :))
Even people who are careful not to lose or misplace things cannot guarantee that their phone won't be stolen.
If a modern Iphone or Android is lost or stolen, no one is getting your data off it without a great deal of time, expense, and trouble.
Ubuntu Touch has unencrypted data and adb always on in recovery, so anyone who knows the adb command is going to extract your data quite easily.
Ubuntu Touch is a promising OS and is taking huge strides thanks to the devotion a great group of developers, but I feel that celebrating it for what it is not yet (secure, or any more private than a de-Googled Android phone with carefully selected apps) detracts from celebrating what it is.
-
With UT, developers and all users oscillate between hopes and frustrations: the former for what they would like to develop but don't can easily for various reasons, the latter for what they hope to get one day but without any guarantee: concerning a secure phone from A to Z, we are well in the case !
-
@trainailleur said in Security on UT:
Ubuntu Touch has unencrypted data and adb always on in recovery, so anyone who knows the adb command is going to extract your data quite easily.
Even if adb was off, the bootloader cannot be re-locked either, so one could simply flash TWRP and use adb with it instead.
And even if it had FDE today, using dm-crypt, the key and data would be stored on the same media, so combined with the previously mentioned lack of lockable bootloader, an attacker could just copy the wrapped key and image data off the device, and brute force decryption externally.
-
@dobey said in Security on UT:
Even if adb was off, the bootloader cannot be re-locked either, so one could simply flash TWRP and use adb with it instead.
Yes, I first tried this once, long ago, when I was curious how readable the Android-based UT devices were. It was only later that I realized the stock recovery had it enabled too.
And even if it had FDE today, using dm-crypt, the key and data would be stored on the same media, so combined with the previously mentioned lack of lockable bootloader, an attacker could just copy the wrapped key and image data off the device, and brute force decryption externally.
Indeed. Hence the general recommendation for extremely long and complex LUKS passphrases these days.
-
@trainailleur said in Security on UT:
Indeed. Hence the general recommendation for extremely long and complex LUKS passphrases these days.
Yes, which absolutely nobody ever wants to have to actually remember with their brain or type on a phone screen.
There's a reason that storing the key on separate media (hardware backed encryption keys in android) and avoiding extraneous user interaction is preferred by both Android and iOS now.
-
@dobey said in Security on UT:
Yes, which absolutely nobody ever wants to have to actually remember with their brain or type on a phone screen.
There's a reason that storing the key on separate media (hardware backed encryption keys in android) and avoiding extraneous user interaction is preferred by both Android and iOS now.
Correct Horse Battery Staple is a good start, and its entropy can be improved on considerably whilst still remaining memorable. That's something I can live with in the absence of perfection.
-
@dobey Before I start writting this post I did some reading.
https://sensorstechforum.com/ubuntu-touch-os-is-it-secure-enough-and-should-you-use-it/
It is from 2016.
So today, the biggest issue is with adb and the bootloader, as far I understand.
How did the things changed from 2016 ? Would the PinePhone make a change regarding this?
