Molly.im

23Sha-ger

Joe-FastFeet
Because it doesn't need to. Being a fork doesn't mean they
do things better. They do things that the official app doesn't.
Such as encrypted database, UnifiedPush.

Joe-FastFeet

23Sha-ger Encrypted database is great! This is very good. But I don't see the need for this when it comes to using the application inside GrapheneOS, especially if it is used inside the private space of one of the profiles.

Joe-FastFeet

In general, based on the current situation, I do not consider it possible for me to switch from Signal to Molly. Moreover, so far a lot of problems arise when using Molly, as evidenced by user complaints, some of which are published in the project itself on github.

userofgos

Joe-FastFeet you've belabored this point enough. If you have issues with it, don't use it. Repeating your complaints is just bloating this thread. How about you make a contribution by sharing your concerns in their official chat channels? https://github.com/mollyim/mollyim-android?tab=readme-ov-file#feedback

userofgos

Joe-FastFeet And now I am asked to share information about this shortcoming? How can I share Molly's lack of audit, can you explain?

Sure I'll explain...

Joe-FastFeet as well as the fact that Molly never managed to pass the audit

Joe-FastFeet Please remind me when Molly was last audited and what is the peer review of the audit?

Joe-FastFeet That's why I won't get off the ground until the audit is done

Joe-FastFeet Show me the results of the audit

Joe-FastFeet I will not use Molly until an audit is carried out

Joe-FastFeet What are its results, if it took place? And if it did not take place, then for what reason?

You constantly contradict yourself...Molly failed the audit, there is no audit, did the audit take place?, what are the results of the audit? Why didn't it take place????????

So I understand why others in this forum are asking you to provide information about this so called "audit" that Molly "never managed to pass". I can't seem to find anything. The burden of proof is on the one making the claim.

Joe-FastFeet

userofgos I have never used the word "failed", I raise the question, was there an audit or not? If - then where is the result? And if he was not, then for what reasons he was not there. After all, an audit would certainly strengthen the reputation of the project, right? That's what it's about.

23Sha-ger

Joe-FastFeet

Cellebrite has entered the chat.

You clearly underestimate some capabilities, even on GOS,
when you provide AFU password to the authorities.
Molly will add an extra layer. Because a fully unlocked device,
even with GOS, will give the adversary to fully extract all content.

Joe-FastFeet

userofgos If I don't use Molly, why should I write on the project page on github?

userofgos

Joe-FastFeet I have never used the word "failed"

Basically what "never managed to pass" means. However I corrected the quotations :)

userofgos

Joe-FastFeet now that is more clear what you mean and intended to say than the 6 statements/questions you mentioned above. Sure, audits can be beneficial to open source projects, but I tend to think their are better approaches.

https://xcancel.com/GrapheneOS/status/1879265831634497963#m

https://grapheneos.org/faq#audit

Joe-FastFeet

23Sha-ger I'm not going to provide a password for the AFU, and if I do, it's only one that wipes out that information inside the device. (If this feature works, I haven't checked.)

Joe-FastFeet

23Sha-ger As for Cellebrite, it is unlikely that they are able to collect information from a locked iPhone in the BFU.

Nuttso

Joe-FastFeet But do I understand correctly that database encryption is no longer necessary on GrapheneOS?

Not only on GrapheneOS. Molly implemented the database encryption, because signal deprecated it's variant.

Joe-FastFeet as well as the fact that Molly never managed to pass the audit

Molly never did an audit. I don't know what you mean by "failed to pass the audit".

Joe-FastFeet Please remind me when Molly was last audited and what is the peer review of the audit?

Please tell me when signal was last audited. There is only an audit done for the protocol in 2019.

Joe-FastFeet By the way, the representative of Molly in this discussion has long said that he is preparing for the audit.

We would love to do an audit. Will you pay for it? Preferably at Cure53 or SRLab. It would cost around 20k. From our point of view, it only makes sense to do this audit once further features have been implemented. Our financial resources are very limited. We are barely able to keep the project alive.

Joe-FastFeet I read discussions in this chat that Molly has been preparing for an audit for a long time, but for some reason it has not yet passed. For me, this is the main disadvantage

Even an audit would not satisfy you, as it would only be a snapshot of the current situation.

Joe-FastFeet As early as Jun 13, 2022 in this chat there is a message for all participants in the discussion, about the upcoming important event - attestation - that has to take place, and about the event of which users will have to be notified. But until now, no one knows about any certification, or about its results. This is all that can be said today. But, I note that this event was presented by the author of the message as important and significant for the further work and development of Molly.

You seem to have completely misunderstood what this is about. “Attestation” is a planned feature based on https://attestation.app/.

Joe-FastFeet This is what we are talking about. How can Molly, a fork of Signal, be more reliable and secure than Signal if it hasn't been able to replicate a similar Signal feature for three years?

Signal doesn't have similar feature.

23Sha-ger You clearly underestimate some capabilities, even on GOS,
when you provide AFU password to the authorities.
Molly will add an extra layer. Because a fully unlocked device,
even with GOS, will give the adversary to fully extract all content.

Absolutely correct. On top it allows for a weak OS password and a strong database password for example. Also we don't know how long AFU is considered secure.

userofgos

Joe-FastFeet well it seems you are highly invested in the fact that they haven't been audited by experts, so maybe you'd like to make that known just like you did here.

23Sha-ger

Joe-FastFeet
Дурак или что? Я про момент когда даем органам пароль от устройства. Как ты сюда вписал USB порт

23Sha-ger

Joe-FastFeet
Check the official manuals. Those capabilities exist.
Not sure for iPhone 17, but when I used to work with them,
this was not an issue. iPhone pre-15 I can guarantee.

Joe-FastFeet

And an independent audit could confirm that Molly securely encrypts data, not allowing it to be extracted when accessing the device after the AFU password. So personally, I will wait for the audit, and based on the results I will make a decision. In the meantime, Signal did not give reason to doubt its reliability and safety.

23Sha-ger

Joe-FastFeet I will wait for the audit, and based on the results I will make a decision

Some governments, have a very effective non technical approach to extraction. Cellebrite is not required. ;)

Joe-FastFeet

userofgos I did not open this topic of discussion. But after reading it, he expressed his opinion, like all the other participants in the discussion. I think I have the same right as all other users.

userofgos

Joe-FastFeet and I think it's a valid point to consider, I didn't say otherwise. It just seems so important to you that you might want to mention it to the actually Molly devs/community and not just here. That's all I'm saying :)

Joe-FastFeet

userofgos I think we can hardly influence the decision of the developers to conduct an independent expert assessment. It is also worth noting that not everyone is ready to undergo an independent audit. Although, of course, firstly, it would be interesting for users, and secondly, as we have already discussed, it would give an additional boost to the development of the project. After all, there would be much more trust in the application. It is one thing when the topic of security is discussed by users in the chat, and quite another when an expert assessment is formulated by specialized authoritative representatives in security security.

n3t_admin

I can't believe people here are wasting their time on this very obvious rage bait, as also demonstrated in the Accrescent thread. This thread should be sanitized properly...

« Previous Page Next Page »