Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. in .Mr 2020 März 3. Wien, iwrug nvLko il-n.D.eh.GogMrdvi,BSc Merzdovnik, Georg Dr.techn. Dipl.-Ing. Weippl Univ.Lektor Edgar Mitwirkung: Dr.techn. Dipl.-Ing. Mag.rer.soc.oec. Privatdoz. Betreuung: Wien Universität Technischen der Informatik für Fakultät der an euiyadPiayo Secure of Privacy and Security -00Wien A-1040 otaeEgneig&Itre Computing Internet & Engineering Software esgn Services Messaging u ragn e kdmshnGrades akademischen des Erlangung zur aeSuyo Wire of Study Case A alpaz13 Karlsplatz Diplom-Ingenieur mRhe e Studiums des Rahmen im arklumr0825205 Matrikelnummer ehiceUiesttWien Universität Technische DIPLOMARBEIT nra ol BSc Boll, Andreas igrih von eingereicht nra Boll Andreas e.+43-1-58801-0 Tel. www.tuwien.at da Weippl Edgar Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. ina 3 Vienna, dio:Piadz a.e.o.e.Dp.Ig rtcn da Weippl Edgar BSc Dr.techn. Merzdovnik, Georg Dipl.-Ing. Dr.techn. Mag.rer.soc.oec. Privatdoz. Dipl.-Ing. Univ.Lektor Assistance: Advisor: Wien TU the at Informatics of Faculty the to euiyadPiayo Secure of Privacy and Security rd ac,2020 March, umte nprilfllmn fterqieet o h ereof degree the for requirements the of fulfillment partial in submitted -00Wien A-1040 otaeEgneig&Itre Computing Internet & Engineering Software esgn Services Messaging aeSuyo Wire of Study Case A alpaz13 Karlsplatz eitainNme 0825205 Number Registration ILM THESIS DIPLOMA Diplom-Ingenieur ehiceUiesttWien Universität Technische nra ol BSc Boll, Andreas nra Boll Andreas e.+43-1-58801-0 Tel. by in www.tuwien.at da Weippl Edgar Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. in .Mr 2020 März 3. Wien, naedrQel l nlhugkntihgmcthabe. gemacht kenntlich Entlehnung als oder Werken Quelle anderen der die Angabe –, Abbildungen und Karten Tabellen, einschließlich – Arbeit nra ol BSc Boll, Andreas e nenti otatoe e innc nnme id u ee alunter Fall jeden auf sind, entnommen nach Sinn dem der oder Stellen Wortlaut die im verwen- ich Internet die dass dem ich und dass habe habe, angegeben verfasst vollständig selbständig Hilfsmittel Arbeit und diese Quellen ich deten dass ich, erkläre Hiermit rlrn u efsugder Verfassung zur Erklärung nra Boll Andreas Arbeit v Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. etaesubu nehlugscehi n aesht e Nachrichtentransportes des Datenschutz und Unterhaltungssicherheit Vertrauensaufbau, Aufgaben, bestimmte für Metadaten Obwohl hat. verbessert Signal durch Verschlüsselung ud i etubumtenmegnmWr evr ece heASAbhängigkeiten AWS ohne welcher Server, Wire eigenem einem mit Testaufbau ein wurde e iez il eaae n ece omgih euir ednsollten. werden reduziert möglich, wo welche, an, Metadaten fallen viele Weiteren zu Des Wire werden. gutes bei nachgebessert ein Vertrauensauf sollte beim Benutzungsfreundlichkeit Wire dessen Speziell hat Verbesserungsbedarf. und Zusammenfassend es sowie gibt analysiert. Sicherheitsfunktionalitäten jedoch Browsercookies HTTP Sicherheitsniveau, Sicherheit, von TLS Sicherheit und auf Wire der Fokus von mit Server wurde offiziellen Funktio- der Signal verschlüsselt wichtigsten Ende-zu-Ende Produktionsumgebungen die Nachrichten die welches um Auch erstellt, unterstützt, auszutauschen. Pidgin Protokolls für Wire Verständnis Plugin des ein nalitäten besseres wurde ein Protokolls Für Wire evaluiert. Nachrichtentransportes des des Unterhaltungssicher- ausführlich Datenschutz Vertrauensaufbau, Metadaten und hinsichtlich anfallenden heit wurde die Protokoll REST-API, auf Wire die Hinblick Das Protokoll, im Arbeit analysiert. Wire insbesondere diese das Datenbank Für wurden die an? Aufbau sowie Wire diesem bei Mit fallen aufgebaut. Metadaten auskommt, viele wie bezüglich (3) Wire und sich Signal die verhält zu kann Vergleich wie wie im (2) (1) werden, sind evaluiert wurden, Protokolls beantwortet verglichen. Wire Arbeit Signal, des dieser insbesondere Sicherheit in Lösungen, welche anderen mit Hauptfragen, Evaluie- und wurde Die der Dazu analysiert mit Kommunikationsdiensten. Wire sicheren Arbeit Dienst von diese der Datenschutz sich und befasst Sicherheit aufweist, von zu Probleme rung Kommunikationsdienst sicheren dieser keine einen sensib Motivation welcher wodurch der finden, Telefonbuchs, die Mit des funktioniert werden. Hochladen preisgegeben Zudem durch Daten Fällen erwerben. meisten zu den Prepaid-Karten in Kontaktsuche anonyme wird schwieriger Jedoch immer Kommuni- verwenden. mobile es Identifikation nicht zahlreiche eindeutigen oft dass zur diese ist, Telefonnummern sind Problem kationsdienste sind, weiteres erforderlich Ein Nachrichten, verschlüsselt. der Ende-zu-Ende Zustellung die für beispielsweise des Einführung seit Nachrichte sicheren sich für der Voraussetzung tausch, einer zu wurde Verschlüsselung Ende-zu-Ende obeRatcheting Double Kurzfassung loihu u Ende-zu-Ende zur Algorithmus naus- bau vii le Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. ieeps?T oti,ats eu ihasl-otdWr evrwtotAWS without server Wire self-hosted a with setup test a this, do To expose? Wire h anqetosasee nti hssae()hwcntescrt fteWire the of security the can how (1) are thesis this in answered questions main The dacd utemr,Wr oseps o fmtdt hc hudb reduced. be should which be metadata should of room usability lot has a its but expose and level does establishment security Wire security trust good Furthermore, HTTP a Especially advanced. security, has TLS improvements. Wire on several conclude, focus To for a security. with cookie to analyzed and Wire’s protocol were headers of Wire’s servers environments of official production Signal’s features the Further, and most messaging. implements protocol, encrypted which end-to-end Wire developed support the was understanding plugin database, help Pidgin To the establishment, privacy. a trust and regarding transport API evaluated and REST was security protocol the conversation Wire protocol, The Wire does metadata. the for metadata inspect particularly much to how built (3) was and dependencies conversation Signal establishment, to trust in compared Signal. privacy perform i.e. Wire transport services does and other how security to (2) compared evaluated, and services. be conducted messaging protocol was secure Wire of privacy of and study security case drawbacks, above-mentioned the a evaluate the this, have to data. For not sensitive how does exposing shows server, that thesis the service this identifiers. to messaging contact book a unique Further, address find as cards. the to of prepaid numbers Motivated upload anonymous phone via acquire works problem on to often Another discovery depend difficult increasingly apps encrypted. is end-to-end messaging their it not However, mobile fulfill usually end-to- to most is providers for that it service algorithm is has by messages, Ratcheting forward needed which often Double i.e. messaging, is the tasks metadata secure introduced Although for Signal encryption. since end requirement lot a a become improved has encryption End-to-end Abstract ix Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. Introduction 1 Contents Abstract Kurzfassung tt fteArt the of State 2 Background 3 . tutr fteWr 2 ...... Work the of Structure 1.1 . euiyAayi fEdt-n nrpini esgn evcs..7 3 . . . . Services . Messaging in . Encryption Services End-to-End Messaging of in Analysis Encryption Security End-to-End of Evolution 2.2 The 2.1 . ieLbais...... 29 ...... 27 ...... 23 ...... 22 ...... Libraries . . . Wire ...... 3.6 . . . 11 . . . 16 ...... Apps . . . / . . . Clients . . Wire ...... 3.5 ...... Backend . . Wire . . . . Architecture 3.4 . Wire . . . . 3.3 ...... Features . Selected . . 3.2 . . Wire 3.1 .. rtu 29 . . . . 28 29 . . 28 ...... 27 ...... 25 ...... 23 ...... 21 ...... 19 ...... Proteus ...... 3.6.1 ...... Apps ...... Desktop ...... App 3.5.4 . . Web . . . . 17 ...... App . . . . 3.5.3 20 . iOS . . . . . 18 . 16 . . App . 3.5.2 . Android ...... 11 . . 3.5.1 ...... Services . . . . External ...... Services . . . . 3.4.2 . . Internal ...... 3.4.1 ...... Upload Self-Messaging . . . . Book . . . Address . . . and . . 3.2.6 . People-Search ...... 3.2.5 Notifications . . . Authentication . . . and . 3.2.4 . Registration . . . . . Encryption 3.2.3 Transport . . . Encryption 3.2.2 . End-to-End . . 3.2.1 . . Overview Feature 3.1.1 Contents vii 11 xi ix xi 3 1 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. Implementation 4 Discussion 7 euiyAayi fWire of Analysis Security 5 Conclusion 8 Results 6 Bibliography . ox...... 30 31 ...... libpurple / . Pidgin . . 3.8 Coax 3.7 . eaaaAayi fWr 55 ...... Wire of Analysis Metadata 6.4 . iePto ol 38 . . 36 ...... 33 ...... Tools . . Python . Wire . . Backend . Wire 4.3 Self-Hosted . . 4.2 ...... PWR - PurpleWireRust 4.1 . eaaa...... 62 61 ...... 59 61 ...... Metadata . . . . . Security 7.4 App . . . . Environment . 7.3 Production . Establishment 7.2 Trust 7.1 . nlssTos...... 39 39 ...... 42 ...... Backend . Wire . Self-Hosted . . the . of . Setup . . Test . Local . . Tools 5.3 . Analysis . Model 5.2 Threat 5.1 . uueWr 64 ...... Work Future 8.1 . euiyAayi fWr’ ps...... 50 ...... 45 47 ...... Apps Wire’s . Environments of Production . Analysis Wire’s Security and Protocols Signal’s Messaging of 6.3 Wire’s Analysis and Signal’s of 6.2 Analysis 6.1 .. rpoo 30 30 ...... Cryptobox . . 3.6.3 HKDF 3.6.2 .. nsdAIFaue p-u rmPol-erh...... 57 ...... 55 People-Search From Opt-Out Feature: API Features Unused Hardening Security Linux 6.4.1 for Apps Desktop of Analysis 6.3.3 .. xeddCa 35 35 34 ...... Coax . Extended . . . . 4.1.3 . wire-rust-ffi . 4.1.2 purple-wire 4.1.1 .. ieecso euiyadPiayBtenWr ps....50 . . . . Apps Wire Between Privacy and Security of 6.3.2 Differences 6.3.1 euiyadPiayAayi fSga’ n iesAdodApps Android Wire’s and Signal’s of Analysis Privacy and Security 45 59 65 33 63 39 51 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. FM rApePs oicto evc AN) hrb,tecmuiainrle na on relies communication the Thereby, (APNs). service Notification Push Apple or (FCM) nte rbe o urn esgn evcsi httutetbiheti their in establishment trust that is services messaging current for problem Another h i fti oki ofidasest h olwn eerhqetosi eadto regard in questions research following the to answers find to is work this of aim The e i oprtoswihhv cest eaaaadptnilyee communication even potentially and metadata to access have which corporations big few n-oedecyto s nms ae,ol oryipeetdo o upre tall. at supported not services: or messaging implemented permission. poorly for only cases, asking most without continuously in is, servers often encryption services own end-to-end Messenger their private to devices. sensitive mobile information of on private loss potential book this number a address a upload also where the is numbers, there i.e. phone acquired Further, to data be contrast costs. can in additional which time; brings the solution, any change identifier disallow messaging at alternative Other Austria) changed as and cards. also email anonymously acquired prepaid offer recently anonymous Wire) be identifier i.e. cannot (i.e. (i.e. numbers services as numbers nations phone phone metadata number anonymous more cases the of phone and more purchase Besides unique more increasingly a since in encryption. However, anonymously on of form depend Signal. some often i.e. use services not messaging do problem, messages the if content Messaging Cloud Firebase i.e. internet-based services mobile transport most notification only one that push but to is use encrypted sender problem services Another end-to-end a communication not from server. usually messages and needed client forward is often between metadata i.e. is encrypted This tasks (metadata) their receivers. data fulfill more of to or information kind providers all certain service not A the and encryption. by supported end-to-end universally by not online secured still for is requirement is indispensable this However, an communication. become has encryption end-to-end Nowadays, • • o osWr efr ntutetbihet ovrainscrt n transport and security conversation Signal? establishment, to trust compared in privacy perform Wire does How o a h euiyo h iepooo eevaluated? be protocol Wire the of security the can How Introduction CHAPTER 1 1 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. 2 .Introduction 1. . tutr fteWork the of Structure 1.1 hstei ssrcue notefloigcatr:Catr2sostecretstate current the shows 2 Chapter chapters: following the into structured is thesis This h eut n osbeipoeet r icse ncatr7adfial hpe 8 chapter finally of and downsides thesis. 7 this The chapter of in analysis. 6 conclusions discussed security Chapter are the the improvements summarizes perquisites. during possible its found and and been results analysis have the security which the results explains necessary all conducted 5 the were lists which Chapter describes implementations 3 thesis. the describes Chapter this 4 for services. Chapter messaging thesis. this encrypted for end-to-end background of art the of • o uhmtdt osWr expose? Wire does metadata much How Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. nentMi xesos(S/MIME) Extensions Mail Internet il esgn n rsnePooo (XMPP) Protocol Presence and Messaging sible . h vlto fEdt-n nrpinin Encryption End-to-End of Evolution The 2.1 hscatrdsrbstesaeo h r fedt-n nrpe esgn services. messaging encrypted end-to-end of art the of state the describes chapter This XMPP. emails. as for encryption such receiver). transport protocols to support server encryption and server the transport [ to of past, server encryption) some, server, recent least to at the sender or In (i.e. all, communication encrypts the which of encryption routes transport is method encryption i.e. standardized encryption are end-to-end there though enable Even to internet. protocols the in protocols communication digital oldest forefront the Email. at not were privacy mind. and developers’ security original However, existing the email). been of has (i.e. messages decades text-based several as for such communication internet-based Electronic, the and 2.2. 2.1 services services messaging messaging those of of encryption encryption end-to-end end-to-end of of evolution analysis the security into split is It pnG n /IEd o support Furthermore, not encryption. do end-to-end any S/MIME without and text plain OpenPGP in transmitted are emails 1 https://xmpp.org esgn Services Messaging mi sadcnrlzd snhooscmuiainpooo n n fthe of one and protocol communication asynchronous decentralized, a is Email nte omnyue eetaie omncto rtcli the is protocol communication decentralized used commonly Another 40 [ ] 18 and ] cesd 22-February-2020 Accessed: , TLS src nrpin [ encryption) (strict [ 44 ,te r aeyue npatc n most and practice in used rarely are they ], owr secrecy forward tt fteArt the of State OpenPGP 1 hc a rgnlydsge sa as designed originally was which 10 aebe sdetnieyto extensively used been have ] [ 7 and ] oecmol used commonly more A . StartTLS eue/Multipurpose / Secure CHAPTER (opportunistic Exten- 3 2 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. .Saeo h Art the of State 2. 4 hc ntr a h oeta oices h rs ntesre n subsequently and server the in trust the increase to potential the has turn in which ideas on back falls protocol Signal the this, accomplish To parties. two than more with called so with combination in algorithm Ratchet Double the uses protocol [ Signal OTR The on based is and Signal by developed also was algorithm Ratchet Double The eso [ version trTSfropruitctasotecyto,teuaeo rnpr nrpinis encryption transport of usage the encryption, transport opportunistic for StartTLS h eaaaacsil ytesre.Hwvr h eeoeso inlsilhave still Signal of developers the However, server. the by accessible metadata the mn te hns h nerto fsl-otdsresit h omncto network communication the into allows, servers This self-hosted of system. integration communication the decentralized things, interconnected a other independent creates among several Federation which of and federation. networks consists support network smaller not communication does the Signal that communication, means XMPP or email key. Unlike encryption group the of exchanges key conversations pairwise group encrypt the also on from can based protocol parties Signal two between the messaging algorithm, for Ratchet encryption Double end-to-end to [32]. addition deniability In derived. and is secrecy key forward new as a such message properties each security for Hence, 2.1. prekeys figure in symmetric seen a be with can ratcheting) as (Diffie-Hellman ratcheting ratcheting key OTR asymmetric the combines Signal. reached. been has [ (OTR) Off-the-record protocol encryption, the based recently, OpenPGP most developed and, been i.e. have be years encryption cannot the end-to-end messages over concerning of solutions encryption Multiple transport continuous guaranteed. a Consequently, obligatory. not Although encryption. end-to-end [ and standard encryption communi- XMPP transport asynchronous the supports for extensions also included XMPP also cation. XMPP called for so extensions the of using development by achieved be can 2004, in (IETF) time Force first Task the Engineering for Internet standardized, the was by XMPP protocol. communication synchronous mlmnsthe implements epie ihambl eie te hnealadXP,Sga nocsteuse the protocol enforces messaging Signal to own XMPP, have its and initially uses email they It than instead Other encryption. standalone, device. end-to-end a mobile of as as a classified with used are paired be devices be desktop cannot However, and devices. devices desktop secondary and mobile for encryption 2 3 4 https://ietf.org https://conversations.im/omemo/ https://signal.org/ mpOTR n hrb nbe n-oedecyto o snhooscmuiainwith communication asynchronous for encryption end-to-end enables thereby and 51 3 oee,n osnu o biaoyipeetto foeo hs protocols these of one of implementation obligatory for consensus no However, . Signal [ ] 52 [ 14 n21.A ssae nisnm,XP sa xesbepooo which protocol extensible an is XMPP name, its in stated is As 2011. in ] obeRatchet Double n sstearayetbihdtoprycmuiaincanlfor channel communication two-party established already the uses and ] 4 frel nw sTxScr)oesmsaigwt end-to-end with messaging offers TextSecure) as known (formerly cesd 22-February-2020 Accessed: , 51 MM ut-n esg n betEncryption Object and Message Multi-End OMEMO tpltstespoto h rnpr nrpinprotocol encryption transport the of support the stipulates ] cesd 22-February-2020 Accessed: , loih [ algorithm cesd 22-February-2020 Accessed: , MPEtninPooo (XEP) Protocol Extension XMPP 42 2 frel nw sAoolRatchet). Axolotl as known (formerly ] [ 49 [ ] 50 n a uesddb newer a by superseded was and ] libsignal-protocol 4 Continuous . encryption ] (OMEMO) which , 31 .It ]. Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. betEncryption Object rtcl(PEP) Protocol ok o snhoosevrnet ie oiecmuiain n tl supports still and communication) mobile (i.e. environments asynchronous for works estoshsbe dpe rdal yohrmsaigsrie ..Wasp [ WhatsApp i.e. services messaging other by gradually adopted been has versations navnae seilyfrkymngmn.T aaeteky,i atclrthe particular in extension keys, be XMPP the existing to manage already proves To the which uses XMPP, management. OMEMO into prekeys, key numerous integrated for better especially is supports advantage, and OMEMO an Furthermore, account deniability. per also and devices encryption secrecy multiple end-to-end forward the properties that security is the OTR to compared OMEMO of advantages the of above-mentioned the well, as XMPP for algorithm OMEMO. & XMPP default. con- group as well [ as Messenger conversations Facebook 1:1 of based. encryption web end-to-end is for itself solution service Signal’s the although identification for required still [ are federation numbers supporting of intention no aeokMsegr ogeAl n kp onteal n-oedecyto by encryption end-to-end enable not do Skype and Allo Google Messenger, Facebook [ 53 rtclhsbe eeoe n tnadzdi E-34[ XEP-0384 in standardized and developed been has protocol tews nadtoa e evrwudb eurd Presently, required. be would server key additional an otherwise ] 34 iue21 obeRthtagrtm[42] algorithm Ratchet Double 2.1: Figure ,Gol lo[ Allo Google ], ooe n-oedecyto ae nSga’ obeRachet Double Signal’s on based encryption end-to-end offer To ..TeEouino n-oEdEcyto nMsaigServices Messaging in Encryption End-to-End of Evolution The 2.1. 36 35 .Aohrdabc fSga sta phone that is Signal of drawback Another ]. n otrcnl ySye[ Skype by recently most and ] MM ut-n esg and Message Multi-End OMEMO esnlEventing Personal 38 .However, ]. 55 .One ]. 37 ], 5 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. 6 .Saeo h Art the of State 2. esgn (FCM) Messaging oicto evc (APNs) service Notification Proteus iecinscnadtoal s xenlps oicto rvdr i.e. providers notification push external use additionally can clients Wire rte nC n aymore many and C) in written 22-February-2020 epesac etr ofidohrcnat,mkn h podo h srsadesbook address user’s the of upload the making contacts, other find to feature people-search tre h ees fprso h evrsuc oea pnsuc n none to announced and [59]. source [ federation source open as open code as source code [ [ server source app the entire web of the universal parts release Android, a of i.e. as release platforms also the major and all started for Linux available MacOS, and Windows, source open iOS, are for clients number Wire identification. phone addition, alternative a In as require email not supports does also Wire Wire Signal, because for identification than other features Furthermore, privacy optional. other some supports also Wire messages encrypting notifications. Besides push Android for Custom FCM for use required cannot push is therefore for usage WebSockets and Such use LineageOS apps. only desktop i.e. push would and client ROMs external app such mobile web without the like used case, notifications that be In also can services. clients notification Wire mobile However, notifications. [ protocol server. WebSocket the the on interface [ REST communication a HTTP using by protocol uses HTTPS Wire Furthermore, the with happens mostly server Conversations i.e. clients XMPP many for Gajim implemented been has OMEMO Wire. frqiigls atr,epcal fmlil pso h oiedvc s push use device mobile the on apps multiple if especially battery, less requiring of tityefre nWr n hsntotoa.Cmuiainbtencin and client is between encryption Communication end-to-end optional. Signal, not in thus Like and Wire conversations. in group enforced as strictly well as 1:1 encrypt 61 14 13 10 11 12 .Frhroe hr r ln ospotsl-otdsresa ela osupport to as well as servers self-hosted support to plans are there Furthermore, ]. 9 8 5 7 6 https://wire.com/en/security/ https://grapheneos.org/ https://omemo.top https://wire.com https://lineageos.org https://github.com/gkdr/lurch https://pidgin.im https://conversations.im https://dev.gajim.org/gajim/gajim-plugins/-/wikis/OmemoGajimPlugin https://gajim.org 7 6 iesonipeetto fteDul ace loih.Poescan Proteus algorithm. Ratchet Double the of implementation own Wire’s , h esgn evc Wire service messaging The pafr needn yhncin) Pidgin client), Python independent (platform omrykonas known formerly , cesd 22-February-2020 Accessed: , 12 cesd 22-February-2020 Accessed: , cesd 22-February-2020 Accessed: , cesd 22-February-2020 Accessed: , TPSrc rnpr euiy(HSTS) Security Transport Strict HTTP 66 12 rGrapheneOS or .BsdscmuiainvaHTS iecinsas use also clients Wire HTTPS, via communication Besides ]. orciera ieps oictos utemr,mobile Furthermore, notifications. push time real receive to ] cesd 22-February-2020 Accessed: , xenlps oicto rvdr aeteadvantage the have providers notification push External . cesd 22-February-2020 Accessed: , 10 cesd 22-February-2020 Accessed: , . cesd 22-February-2020 Accessed: , cesd 22-February-2020 Accessed: , 11 ogeCodMsaig(GCM) Messaging Cloud Google lospot n-oedecyto yusing by encryption end-to-end supports also 13 hc aen r-ntle ogeApps Google pre-installed no have which 59 hc a civdb h n f2017 of end the by achieved was which ] 9 8 as ltomindependent, platform (also 57 [ 17 .I pig21 Wire 2017 spring In ]. oefreencrypted enforce to ] or , ieaeCloud Firebase 5 14 pl Push Apple (Android), uha a as such Accessed: , Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. diinly nte datg fORi h needneo t neligmessaging underlying its of independence the is OTR of advantage another Additionally, . euiyAayi fEdt-n nrpinin Encryption End-to-End of Analysis Security 2.2 hsORpui,i obnto with combination in plugin, OTR This parties. third for unverifiable messages of content render can turn in which of security the of evaluation regarding years past from work related lists section This ela h e p [ app web the as well ru epciey h e xhneisl sietclt e xhne o T 1:1 OTR for the exchanges of key member to each stand identical with to is exchanges chosen itself key is exchange pairwise chat key perform group The to the and of respectively. server creator group chats virtual the group a that of suggest as encryption authors in end-to-end The supports OTR. extension on This based protocol. OTR original [ the al. et Bian conversations) GOTR. Pidgin. published. by was supported 2004, protocols in messaging messenger multi-protocol instant independent GAIM platform as the known for originally [ plugin Pidgin, al. a messenger implementation, et reference Borisov this themselves of others. encryption many end-to-end and popular support those MSN not library especially did ICQ, but protocols, AIM, used messaging widely all i.e. were on which used 2004 be in can OTR Hence, protocol. OTR messages, individual for decryption deniability a achieve to To access messages. gained the uses old has with decrypt who combination not attacker, OTR in can an keys key, Thus, properties. short-lived very security exchange. using key those OTR by Diffie-Hellman miss of secrecy S/MIME usage forward and the perfect for OpenPGP achieves arguments mentioned. main communication. been As online have used. social be most properties should security for OTR the [ suitable like al. not protocol et is a Borisov OpenPGP Instead by on 2004 based in encryption time end first the for published OTR. services. messaging in encryption end-to-end Linux components and encryption MacOS end-to-end the vulnerabil- on for focused [ search mainly Cryptobox to audit bases and first regular Proteus The on Wire. place in take audits ities security external that, Beyond 16 15 https://github.com/wireapp/wire-server https://github.com/wireapp/wire-desktop esg uhniaincds(MACs) codes authentication message libotr esgn Services Messaging h ffteRcr OR rtclfrscr niecmuiainhsbeen has communication online secure for protocol (OTR) Off-the-Record The ic T nyspotddrc omncto ewe w ebr (1:1 members two between communication direct supported only OTR Since htipeet h T rtcla eeec mlmnain spart As implementation. reference as protocol OTR the implements that 15 swl stesre implementation server the as well as , 64 efc owr secrecy forward perfect ..Scrt nlsso n-oEdEcyto nMsaigServices Messaging in Encryption End-to-End of Analysis Security 2.2. .Scrt uiso at ftedstpcinsfrWindows, for clients desktop the of parts of audits Security ]. 62 3 .Frhradt oue nteap o nri,iSas iOS Android, for apps the on focused audits Further ]. suggested ] ru T (GOTR) OTR Group libotr o ahmsaeisedo iia signatures digital of instead message each for and nbe n-oedecyto o all for encryption end-to-end enabled , cesd 22-February-2020 Accessed: , cesd 22-February-2020 Accessed: , repudiability 4 .Teatossae htend-to- that stated authors The ]. 4 aepbihdtegeneric the published have ] 16 lokonas known also , aenttknpaeyet. place taken not have hc sa xeso of extension an is which deniability , 7 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. 8 Art the of State 2. api fpbi n rvt e) hs hr-ie e ar r eeae yeach by generated are pairs key short-lived These key). private and public of pair (a ihti einteatosaodduigcmlxkyecag rtcl o group for protocols exchange key complex using avoided authors the design this With ihti atse h n-oedecytdgopcnesto scetdadteactual the and created is conversation group encrypted end-to-end the step last this With hs pT uprsscr n-oedecyto ihterqie properties required the with encryption end-to-end secure supports mpOTR Thus, eti icmtne twssonta o nygopmmes u lotidparties, third Under also OTR. but in members, was group it only as not strong that as shown was not it is which circumstances deniability, certain concerning OTR original the 2013. GOTR employs it instead. rather protocol component, exchange centralized key a members. need complex group not a of does number mpOTR GOTR, arbitrary with an Compared for deniability and authenticity conversation. confidentiality, member the a enters whenever member repeated new a be to or conversation has protocol. group agreement procedure the key complex leaves group This a a begin. derive using can to by messaging used following are all members of group encryption all the of for keys this key signature After common short-lived respectively. to the participant authentic order exchange, each confidential, In between a initial the channel creates exchange. of communication exchange key members deniable key pairwise all and the Subsequently keys, via signature key session. short-lived each public exchange of their signatures beginning exchange OpenPGP the conversation by at group used group are the as of such member key pairs short-lived key order conversations, long-lived In group of deniability. for instead support deniability used to and are signatures secrecy pairs digital forward using both to ensure return to they so-called MACs the of Instead conversations: group of encryption members. two of mpOTR. of deniability conversations the deniable concerning for (MACs) an work has codes only authentication especially they cryptographic message This because used of communication members. the use conversation because two the conversations exactly on group that for impact to chosen state OTR authors been extend virtual had life, the to Further, a primitives real trivial of in above). “Telephone” not use (see or is makes messages Whispers” it it to “Chinese as of modifications into approach game possible people this a two including from to between removed translate conversation would far private which is life, server, GOTR real world. a digital map to the was new OTR a on to intention or [ impossible leaves al. member is et a it Goldberg i.e. service), not, changing of or members group. forwarding denial group the during a of enters message case member the (i.e. the point modified attack ignores single has GOTR an a server and or is virtual server outage the virtual whether of the determine case server, in virtual failure additional the causes for of it overhead disadvantages: computing major an some network has approach this However, group. for conversations. the responsible of also members is other server to virtual messages the all exchanges, forwarding key and to distributing addition In conversations. hsi h odege l [ al. et Goldberg why is This 14 i ta.[ al. et Liu lopitottoesotoig fGT’ ein h original The design. GOTR’s of shortcomings those out point also ] 28 aefudsm hrcmnsi pT oprdto compared mpOTR in shortcomings some found have ] 14 ugs ieetapoc o end-to-end for approach different a suggest ] ut-at fftercr (mpOTR) off-the-record multi-party . Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. oei-et euiyaayi fSga’ esgn protocol messaging Signal’s of analysis security in-depth more A ok h uhr aecetdafra ecito fteasrc rtclo Signal’s of protocol abstract the of description formal a created have authors the work, yFoc ta.[ al. et Frosch by euecmuiaini em fscrt rpris nodrt copihthis, accomplish to order In properties. security of terms in communication secure sr ..tetasiso fuaesaitc rcahrprs h podo h address the of upload the The by reports. disabled crash be or could statistics or usage optional of is transmission information the Some i.e. server. users Wire’s on saved are Wire. conversations. 1:1 Because in as device. strong [ 1:1 said al. on of et focused theft Rösler recently or conversations, messaging loss group encrypted of on end-to-end case less of and in area functionality conversations device the app the in as research well on as most saved private data sensitive evaluated protect of study transmission to The and protection. permission data and app privacy required on focusing TextSecure, as such services, [ al. on performance. et focusing their Rottermanner solutions in ease-of- as losses and challenge heavy usability major with increasing a come thus remains this security user, however conversation the privacy established, Transport with is interaction trust adoption. and as without usability solved soon aspects as be the hand, can at other privacy poorly the and On perform security usually ease-of-adoption. strong establishment, have authors trust which conversation the for solutions, establishment, Current properties Consequently, trust privacy. challenges: transport solutions. and major security three of pertaining following services ease-of-adoption the messaging identified and secure have of usability evaluation security, the for to framework a developed they [ al. in et encrypting shortcomings Unger for major protocol. any used messaging find Signals is not of which did design key, confidentiality, analysis the messaging security (i.e. the the Signal This Furthermore, of of ratcheting. messages). properties secrecy for security forward model several security and of a security authenticity as the well prove their as could of implementation model course Signal’s the on During based protocol. core exchange key the and protocol [ agreement al. key et the Cohn-Gordon by performed release. the formally follow-up to a contributed in authors fixed the was Signal, which key-share of vulnerability unknown developers this to the of vulnerable with solution is cooperation protocol In the that attacks. found authors the shortcomings be to the [3]. Signal. not al. Hence mpOTR, et member. on Bian group based by specific (GOTR) GOTR a groups the for to with OTR confused message improved particular an a suggested of authors origin the trace could omncto rtcl fSga,Wasp n hem.Aogtohrthings, other property Amongst security Threema. the that and showed WhatsApp they Signal, of protocols communication h rvc ht ae [ paper white privacy The h esgn evc inl omrykona eteue a enanalyzed been has TextSecure, as known formerly Signal, service messaging The 56 aeaaye n ae eea ouin,sc sTxScr,for TextSecure, as such solutions, several rated and analyzed have ] 13 ihrgrst uhniiyadcndnilt.Bsdssm minor some Besides confidentiality. and authenticity to regards with ] 47 aeaaye oeo h otwdl sdmbl messaging mobile used widely most the of some analyzed have ] ..Scrt nlsso n-oEdEcyto nMsaigServices Messaging in Encryption End-to-End of Analysis Security 2.2. 65 fWr ecie hc nomto n metadata and information which describes Wire of ] uuesecrecy future 8 .Aogohraaye,te okdat looked they analyses, other Among ]. fgopcnestosi o as not is conversations group of 48 nlzdtegroup the analyzed ] libsignal-protocol was 9 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. 10 .Saeo h Art the of State 2. iesscr n-oedecyto.Tevleaiiisfudwr xdi release a in fixed were found vulnerabilities The encryption. end-to-end secure Wire’s h sdcytgahcagrtm n h rcs frgsrto,lgnadexchange and login registration, of process the and algorithms cryptographic used The h takrahee hsb oiyn nrpe miswihtevci erpsand decrypts victim the which emails encrypted modifying by this achieves attacker The D-Sec X41 and Security Kudelski by executed also audit, security external following The usqetygt ekdbc oteatce yteealcin sn n fseveral of one using client email the by attacker the leakages. to data back leaked gets scenarios. subsequently (mitm) man-in-the-middle circumventing employing successfully by attacker usually an emails, in encrypted result end-to-end vulnerabilities the leakages. described transmit data the to above-mentioned summary, enough the In is through emails attacker such email the Displaying encrypted to but message. email or unauthenticated failure wrong decrypted the decryption ignore show a they therefore of because and instead clients, sums email check many MDC in [ circumvented missing 2007 be the in can end- prevents standardized feature of which was security integrity (MDC) and the code attacks secure detection modification to modification above-mentioned feature called a emails developed encrypted OpenPGP to-end the S/MIME, by to data. modified contrast leak In be to can source used parts HTML be unencrypted can Therefore, forms, encrypted and of emails. HTML attacker merging of enables parsing parts MIME i.e. unencrypted incorrect and The leakages images. data the external incorrect in and causing to attributes encryption due potentially clients authenticated email parsing of vulnerable and lack MIME OpenPGP the respectively. and were S/MIME clients attacks protocols email encryption successful by in for succeeded and attacks reasons protocols those encryption Other of the Some in OpenPGP. vulnerabilities and combining S/MIME protocols encryption end [64]. OpenPGP. immediately and [24]. fixed S/MIME were app web found and vulnerabilities [23] all iOS audit, [22], first Android the of for implementations Like client the analyzed GmbH, [62]. audit for the essential after are shortly which published Cryptobox and Proteus [ X41 components major and cryptographic not Security the Kudelski albeit on companies vulnerabilities the some focused Wire found of have GmbH audit messages. ensure security D-Sec text-based to external non Proteus first for by the supported encrypted During are be files also the can of encryption secrecy metadata symmetric forward or corresponding the that videos the this, images, as accomplish as well To such as symmetrically. keys types, [ encrypted message are paper other files, all white other and security Proteus Wire’s with in encrypted described end-to-end also are messages and of processing for necessary server as the long On as server. memory to permanently. the ephemeral Similar saved to in not optional. numbers held are phone also only the is are of discovery hashes hashes contact, the transmits automatic only for Wire used Signal, be can which book, Efail [ 43 nrdcdsvrlatcso mi’ end-to- email’s on attacks several introduced ] 66 21 .Tx esgsare messages Text ]. .Tescrt audit security The ]. 6 .Hwvr this However, ]. Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. ieoesiscinstodsic con ye:Wr esnladWr r.Wire Pro. Wire and Personal Wire types: account distinct two clients its offers Wire . Wire 3.1 h olwn eto oue nWr upre etrs al . otisashort a contains 3.1 table features, supported Wire on focuses section following The sharing file calls, conference audio secure offer compliant, GDPR are other, each with several 3.1, overview feature a including Wire of background the describes chapter This .. etr Overview Feature 3.1.1 ru,adta ovrain.I : ovrain w sr a xhnemessages exchange can users two conversations 1:1 In conversations. team and group, ebr ieas uprsgopcnestoswt pt 0 ebr.Initially, members. 500 to up with contact conversations individual each group with supports conversations also 1:1 have Wire users default, member. By other. each between types. Conversation overview: below. described are which features other among calls, video video encrypted one communicate on end-to-end can one as types and account such invited Both features be controls. can special administrator latter offers full The It and partners. calls communication and conference (liable rooms. secure clients Pro guest and external Wire easy secure as for well web. to as looking and clients teams, desktop can business internal mobile, and towards across for encrypted geared designed end-to-end is apps focused costs) are privacy- on to messages secure, received All offers and account. and sent an charge be with of free anybody is to users, messaging individual to caters Personal / Pidgin and 3.7 Coax 3.6, libraries well. Wire’s Wire’s as and of described 3.4, background is backend the 3.8 Wire’s libpurple Further, 3.3, architecture Wire’s 3.5. 3.2, clients Wire of features selected iespot he ye fcnesto:oeo n (1:1), one on one conversation: of types three supports Wire Background CHAPTER 11 3 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. .Background 3. 12 psuecrict pinning certificate use Apps + encryption Transport fingerprints secrecy device (future) Verify backward devices and 8 forward to prekeys + up using by asynchronous algorithm + Ratcheting Double uses + encrypted end-to-end conversations All app Web + Linux MacOS, Windows, + platforms iOS popular Android, all + for apps source devices Open mobile on APNs FCM, via + WebSocket via notifications Push Self-messaging + devices multiple upload for only) team Support (hashes and book 1:1 phone in Optional only picture people and for name Search profile arbitrary number username, phone Unique or email with Register sharing Screen conferences Audio calls video and Audio management and roles conversation Group messages Quote messages delete or messages Edit destructing self / Ephemeral MB receipts 25 read to and up Delivery mentions or Likes ping via attention Get location content PDF) Share Spotify (i.e. SoundCloud, files Vimeo, other YouTube, or Share messages video audio, GiphySend from GIFs Send + images Send previews Link formatting Markdown + messages Text conversations Group conversations 1:1 Features emcnestosu o50members 500 to up files Send + conferences users Video ephemeral + for room Guest + conversations Team + features Pro al .:Faueoverview Feature 3.1: Table nyfrWr r users Pro Wire for only pt 0 members 500 to up pt 0members 10 to up pt 0members 10 to up pt members 4 to up pt 0 MB 100 to up ✓ pt 5MB 25 to up wbapp (web L 1.2 TLS Wire ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✗ ) Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. hl ikpeiw a edsbe niSadaldstpap,ti snta option an not is this apps, desktop all and iOS on disabled be can previews link While a,1we r4wes h ondw trsa ona h esg sdisplayed is message the as soon as starts countdown The weeks. 4 or week 1 day, 1 oTb,Sudlu,SoiyadVmocnet diinlfaue nld sharing include features Additional content. Vimeo and Spotify SoundCloud, YouTube, ihnaytp fcnesto ecie bv.Tems seta otn yeaetext are type content essential most The above. described conversation of type any within est satce otemsae o rvc esn,teeln rvesaegenerated are previews link these reasons, privacy For message. the to attached is website esgs hc a efratdb sn ipeMrdw omtig sr aethe have Users formatting. Markdown simple using by formatted be can which messages, oee,dlvr ofimtosaeol upre o : n emcnestosbut conversations team February-2020 and keep message. 1:1 to specific for easier a supported received/read it only recipient make are the “read” confirmations them that delivery and However, verifying liking “delivered” by by following as conversations messages such facilitate of to Confirmations to track Reacting quoted conversations. possible. be multiple also can of is messages aspects hour, Past certain 1 supports or minutes, messages. Wire older 5 of messages, seconds, misspelled/unintentional deleting 10 correct and To at editing set device. be recipient’s the can once on timer device The recipient’s out. the runs from Ephemeral removed timer receipts). are set read messages, previously and timed the delivery as deleting and known and reactions also editing message, messages, messages, sent ephemeral a quoting (i.e. messages, conversations inside available are change features. also conversation can This Other attention. receiver’s username. the specific attract a for to mentioning provided messages by also ping accomplished is and smaller be support location files content other device’s Conversation as a Wire. well of easier via as for sent messages apps be video its and also into Audio can Giphy MB images. service can 25 third-party GIF images) than of the GIF variety integrated a (i.e. has to images Wire access animated well. and as images sent messages, be text-based to manually. addition URL app. In the web the opens and recipient Android the all on when not of available address does addresses IP solution IP the this intent, However, of malicious third-party. leakage no all a potential URL has to to out the sender leaked rule access open the be automatically gaining if could would from Even members device conversation sender each preview. as malicious a devices generate a receiver to prevents all This of the addresses of device. IP image sender’s preview a the and on detected automatically are messages text numbered inside lists, links bullet URL snippets, sub-heading. code and monospace, heading italic, quoting, bold, block as lists, text format to choice content. Wire Conversation for available only is type conversation web This management users. accounts. team Pro guest dedicated or e.g. receipts features underlying delivery advanced app, the participants more of of certain number optimization with the several conversations increasing however in members, resulted 128 code to limited were groups 1 https://medium.com/wire-news/wire-for-web-2019-07-47a13a06ea7c iespot aiu otn hc a esn smessages as sent be can which content various supports Wire aiu diinlfaue eadn esg ex- message regarding features additional Various 1 emcnestosaegroup are conversations Team . cesd 22- Accessed: , ..Wire 3.1. 13 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. 14 Background 3. : ovrain.Telte a nyb ntae yWr r sr.Fruesbehind users For users. Pro Wire by initiated be only can latter The conversations. 1:1 h nri p scretylmtdt cons O n h eko pscnsupport can apps desktop the and iOS accounts. 2 to limited currently is app android The cons nytewbapi iie ooeatv con ihntesm browser. same the within account active one to limited is app web the Only accounts. 3 aeacut o ute nomto,ra h eto nsl-esgn 3.2.6. the account. self-messaging on on Multi registered section devices the between read messages existing information, share the further replaces to For session possible account. temporary also intended new same is is Each It device app. temporary device. web The temporary the devices. via temporary sessions for ephemeral is for contacts. slot device matching one find and to permanent backend Wire the devices. to Multiple it addresses uploads email optional and and the numbers book use phone phone all or user’s hashes names approach the profile second in and The usernames upload. for book search address to function people-search the of history the discovery. export Contact to feature backup a is there Additionally, conversations. apps. all Wire all in settings SMS. via associated code and login address features. a email Profile receive the to either number provide phone can registered user the use a or in, password log To number. the phone to Firefox. limited on account. currently app Wire web is the feature and this MacOS however, and call, Windows prefers the a user on provides the clients during Wire if desktop screen rate video. their bit for variable share of used The can instead is rate call. codec bit the [ constant VP8 initiate it with while to OPUS servers audio using [30] of for TURN option used and is [46] video OPUS STUN in codec and uses applies Wire participants participants NAT, of 10 or limitation firewalls to no Self-evidently, limited 4. are to limited calls are conference calls audio conference However, permission nologies. manage. calling. the to video had hard / user were Audio conversations group group every group thus past, and the the users from In remove and be group. and to only the add users can of to conversations removing roles group and user Now adding managing users. i.e. and Pro administrators Formerly, management Wire group conversations. role for by group available is managed for only feature role was opt-in added administrator feature are recently the this those A of but conversations. introduction confirmations team the read for including to opt-out applies and same 1:1 The for conversations. group for not oo rmalmtdsto oos ahpol trbt a ecagdvaprofile via changed be can attribute profile profile Each a colors. choose 6 and of picture, set profile limited optional a an from name, color profile arbitrary an username, 58 .Aohrfauefradoadvdocligi upr o censaig Users sharing. screen for support is calling video and audio for feature Another ]. sr a eitrfraWr con ihterealadeso their or address email their with account Wire a for register can Users igeWr letcnspotu o3acut ttesm time. same the at accounts 3 to up support can client Wire single A ahWr con a e eti rfieatiue ..aunique a i.e. attributes profile certain set can account Wire Each iespot pt eie e con hr eie a be can devices 7 where account per devices 8 to up supports Wire hr r w ast n te otcsi ie ihruse Either Wire. in contacts other find to ways two are There iespot ui n ie aln sn eRCtech- WebRTC using calling video and audio supports Wire Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. eSce r rvddfo iesonbcedsrie xenlps notifications push External service. backend own Wire’s Cloud from Firebase provided i.e. are providers WebSocket notification push external via second the and WebSocket ilb eee fewrs nte etr o iePoi ie ofrneclswt up with calls conference video is Pro Wire for feature Another afterwards. deleted be will get users, guest as known also users, ephemeral These number. phone or password with ecie eeaeoe oreadaeicue neeyWr let lhuhte are features they Pro although the client, All Wire users. every accounts. Pro in or pro Wire included ZIP Wire for are PDF, by MB and videos, usable 100 source sharing only to open i.e. MB are sharing 25 here file from and described for increased hours size is 24 limited files for the other validated Further, only members. are 4 guest users to guest corresponding authentication Such the an join created. contains automatically was which and link link, app the this web where Wire With address room the user. email open pro i.e. users Wire credentials guest a token, need from not link do as thus via insofar and invited special account a are an use users create also Ephemeral to can need users. conversations not ephemeral Team have do for they users app. rooms” Pro web “guest Wire an management called include teams team feature that large dedicated conversations of a team management to create easier account access can For free-of-charge users regular, administrator. Pro the team Wire while assigned Pro Personal. Wire Wire called called are is accounts business These fee. Pro. Wire app web independent platform a and browsers. Linux web MacOS, for Windows, iOS, Android, including platforms. multiple for Clients man-in-the- possible against encryption transport attacks. the middle strengthen to [ pinning certificate 1.2 TLS using by encryption. Transport can devices two between in session reset. key-fingerprints cryptographic manually public a be comparing needed, calls by If video performed representation. and be hexadecimal Audio can verification secrecy). Device [ future SRTP and messages. as with algorithm encrypted known Ratchet end-to-end (also forward Double are perfect secrecy the supports backward it of and Additionally, implementation secrecy prekeys. using an messaging is asynchronous supports Proteus Proteus. using End-to-end-encryption. providers clients. notification Wire push the external and the backend from Wire’s metadata between hide via to encrypted notifications additionally Push are (APNs). service Notification Push Apple and (FCM) Messaging notification. Push iepoie ubro diinlfaue o uiescsoesfra for customers business for features additional of number a provides Wire 10 stasotecyto.Alcins xettewbap use app, web the except clients, All encryption. transport as ] iespot w id fps oictos h rti via is first the notifications: push of kinds two supports Wire l omncto ewe let n evraeencrypted are server and clients between communication All l esgsbtenWr let r n-oedencrypted end-to-end are clients Wire between messages All iehscinsfralpplroeaigsystems operating popular all for clients has Wire 1 n TS[ DTLS and ] 45 n uhniae i Proteus via authenticated and ] ..Wire 3.1. 15 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. .Background 3. 16 . eetdFeatures Selected 3.2 htppr[66]. whitepaper i.e. section following the in described are thesis this for relevant most features The .. n-oEdEncryption End-to-End 3.2.1 ses agrbnr lsie mgs ui,vdoo te lswt pt 5M,o 100 or MB, 25 to up with files other or video audio, images, i.e. files binary larger assets, Proteus. ntesre n a edwlae yWr let snee.A eut the result, a As needed. the as because clients secrecy Wire forward property by security downloaded important stored be the permanently inherits can is encryption and itself asset ciphertext server encrypted (large) end-to-end the The via ciphertext, on exchanged clients. the are between of symmetrically key, messages checksums are encryption Proteus but SHA-256 symmetric Proteus the AES-256-CBC. with with cipher encrypted together the directly using not are by users, encrypted Pro Wire for MB user. the inform to encryption. generated Asset be will devices key-fingerprints added device newly those for of notification verification prominent initial a After representation. the hexadecimal keep the should clients verification. Thus, secrecy.Device forward period. strong longer for ensure a used to this for is enough of it or large usage if session pool the especially prekeys Proteus However, property as one secrecy exhausted. serves than forward gets prekey more perfect then last pool the server prekeys The weakens The the prekeys. prekey available server. case fallback of the in from prekey pool prekey fallback the a a from fetches prekey client used a this removes session, Proteus new each For cryptographic these libsodium of by the implementation provided The as is Curve25519 exchange. primitives key and integrity, Diffie-Hellman curve and elliptic authentication for HMAC-SHA256 encryption, this of primitives. properties Cryptographic security secrecy. The (future) 3.6.1. backwards section and also secrecy see forward Rust, are in algorithm written is which Proteus security Wire’s messages. in sent found of be content can the encryption change end-to-end or Wire’s read about cannot integrity information server and More the authenticity Thus, confidentiality, clients. ensures between messages of encryption End-to-end handling. authentication and registration encryption, transport encryption, end-to-end Prekeys. oih.I re oueti loih,Wr a eeoe t w implementation own its developed has Wire algorithm, this use to order In gorithm. 2 https://github.com/jedisct1/libsodium o n-oedecyto fmsae,Wr ssteDul ace al- Ratchet Double the uses Wire messages, of encryption end-to-end For ospotfradsceyfraycrnu esgn ieue prekeys. uses Wire messaging asynchronous for secrecy forward support To ordc h opttoa okadt aentokbandwidth network save to and work computational the reduce To iecinsalwcmaigpbi e-nepit yusing by key-fingerprints public comparing allow clients Wire rtu sstecytgahcpiiie hCa0for ChaCha20 primitives cryptographic the uses Proteus 2 . cesd 22-February-2020 Accessed: , Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. Wire iesla certificates. leaf Wire’s and (apps) clients between communication the secure to encryption transport uses Wire keys. encryption separate with encrypted individually are streams WebRTC e p oan.CAi N eodadi sdt eiyta etfiae fcertain of certificates that verify to used is and record DNS a is CAA domains. app web .. rnpr Encryption Transport 3.2.2 kase oan r indb nepiil loe etfiaeauthority. certificate allowed and explicitly backend an the by for signed certificates are issue domains can that authority certificate only the as DigiCert of key public installed the certificate pinning root by pinning local certifica- certificate a trusted implement or a apps CA by Wire compromised issued attacker. or certificate the malicious a man-in-the-middle by a to mitigating access i.e. helps authority gained pinning tion has Certificate attacker app. the web where the attacks, except apps all on pinning. Certificate used. be to secrecy forward perfect with ciphers only 1.2. TLS [66]. whitepaper security clients Wire’s between the in encryption with specified transport encrypted is The The server get TLS. operation. and messages, protocol service encrypted encryption for end-to-end transport needs all standard server the not the with metadata because together required i.e. metadata, is encrypted This end-to-end are integrity. data and authenticity confidentiality, for servers all thus pair member each for between does calls it 1:1 as as attacks implemented man-in-the-middle by are possible developed calls mitigate Conference protocol to DTLS. agreement KASE key negotiation used a key is is the Extension) KASE Signaling Agreement initialization. (Key call KASE the and SRTP accelerate attacks. calls man-in-the-middle to phone possible to mitigates phone thus On and session SRTP the authenticate [ parameters the reduce to WebRTC. optimization This protocol. [33]. in Proteus proposed the been via has sent overhead was key symmetric CAA. ieTasotPooo ST)[ (SRTP) Protocol Transport time sue oiiit h RPssinie xhneteecyto loih,ky and keys algorithm, encryption the exchange i.e. session SRTP the initiate to used is 4 3 https://download.libsodium.org/doc/key_exchange/ https://github.com/wireapp/wire-audio-video-signaling/tree/master/src/ cesd 22-February-2020 Accessed: , 3 n ae s flboimskyecag API exchange key libsodium’s of use makes and iemksueo etfiainAtoiyAtoiain(A)[ (CAA) Authorization Authority Certification of use makes Wire iecretyrqie L . [ 1.2 TLS requires currently Wire 39 : ui ie al r n-oedecytdwt h eueReal- Secure the with encrypted end-to-end are calls video / audio 1:1 .Ti TSngtaini nrpe i rtu esgst properly to messages Proteus via encrypted is negotiation DTLS This ]. ieue etfiaepnigfrtasotscrt hardening security transport for pinning certificate uses Wire 1 .Dtga rnpr ae euiyDL [ DTLS Security Layer Transport Datagram ]. 10 o rnpr nrpinadallows and encryption transport for ] 4 cesd 22-February-2020 Accessed: , rtu loauthenticates also Proteus . ..Slce Features Selected 3.2. 15 oallow to ] 45 ] 17 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. 18 Background 3. cestkn r sdt uhniaeec eus otebcedAI h long-lived The API. backend. backend the the by to generated request are each token authenticate access to an used and are token tokens user Access a login, successful After hr r w itnttpso oes rt hr r oglvdue oeswihcnbe can which tokens user long-lived are there first, tokens: of types distinct two are There Wire. in handled are authentication and registration how describes subsection This .. eitainadAuthentication and Registration 3.2.3 ai o ihroeya o emnn eie roewe o eso-ae eie i.e. devices session-based for week one or devices permanent for year one either for valid Login. h e p.Scn,teeaesotlvdacs oeswihaevldfr1 minutes. 15 for valid are which tokens access short-lived are there Second, app. web the srtkn r sdt ers hs hr-ie cestkn.I eesr,teuser refreshed. the registration. is necessary, token Client If access the tokens. when access server short-lived the those by refreshed refresh is to token used are tokens user [ 2.0 OAuth uses Wire login. each for SMS number pseudo-random the from taken is salt random The salt. password- Byte generator the 32 using random by backend [ a the scrypt and in function form derivation encrypted key in based stored are Passwords credential. user internal Passwords. unique a backend. registration, the of to by sent time generated via is the gets registration which At [26]) of code SMS. (UUIDv4 case verification via ID In a provided address. number generates is email randomly phone code that also the verification backend to a sent the address number is email phone and provided backend the the of by verification generated For number. phone or registration. [66]. User whitepaper security Wire’s in found be can details Further API. REST the via backend Wire’s to them encryption for upload for (MAC) and keys login required code first both authentication on generate authentication message apps and mobile AES-256-CBC as The cipher HMAC-SHA256 integrity. the and use using authentication the encrypted and from are encryption hidden notifications metadata for push keep The to encrypted providers. encrypted additionally push end-to-end are containing metadata notifications and However, messages devices. mobile on notifications pinning. certificate notifications. of Push absence its of because app web Wire’s for important HSTS. n asodo rb rvdn hn ubradalgncd,wihi rnmte via transmitted is which code, login a and number phone providing by or or password ing ttesm ie ahnwcin eitaingnrtsa generates registration client new Each time. same the at oi spsil ihrb rvdn h eitrdealadesadcorrespond- and address email registered the providing by either possible is Login ieue SS[ HSTS uses Wire /dev/urandom ncs frgsrto i mi drs,apswr srqie slogin as required is password a address, email via registration of case In iespot eitaino nacutete i mi address email via either account an of registration supports Wire xenlps rvdr ..FMadAN r sdt send to used are APNs and FCM i.e. providers push External ti osbet s n ieacuto pt let (devices) clients 8 to up on account Wire one use to possible is It . 17 omtgt L tipn tak,wihi particularly is which attacks, stripping TLS mitigate to ] 41 ihdfutparameters default with ] 16 ihBae oes[ tokens Bearer with ] user.client-add 19 N o authentication. for ] 2 = 14 oicto as notification , r 8, = p 1 = Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. API .. Notifications 3.2.4 ftecin osntrtiv h oicto ihnti iefaei ilb eee by deleted be will it weeks. frame 4 time of this period within a notification push for the external queue retrieve server. via notification not the notification this does push in client the held the or are If offline Notifications was lost. device queue was the notification provider the where via cases call in synchronization messages client push a external by an or WebSocket, APNs) list via or A notifications FCM push them. (i.e. 3.2. either provider process table uses to in notifications clients summarized of for and is Delivery order server definitions in the and type between types specific kind notification a any most of of of is messages notification and events Each deliver clients. to used are Notifications address. notification email e-mail an an registered Furthermore, has receive. user clients the other if all sent which is 3.2 table in described user.update user.properties-set user.properties-delete user.properties-clear user.identity-remove user.delete user.contact-join user.connection user.client-add user.activate conversation.typing conversation.rename user.client-remove Description conversation.otr-message-add conversation.member-update conversation.member-leave conversation.member-join conversation.create type Notification E /notifications GET al .:Ntfiaintypes Notification 3.2: Table h oicto uu sue ofthptnilymissed potentially fetch to used is queue notification The . srpol a enupdated been has profile set user been a has property deleted user been a has property cleared user been a have properties user all re- account been own has from phone) moved or (email identity deleted an been available has is user request a join contact new a created been users has two between the (auto-)connection new to a from removed been account has account the device to a added been has device new a ac- successfully been tivated message has new account a user typing the currently is user renamed a been has conversation the is message encrypted available end-to-end new a ovrainmme a enupdated been has member chat conversation group a a chat leaves group user a a joins user created new been a has conversation new a ..Slce Features Selected 3.2. 19 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. .Background 3. 20 Multi_match /users/handles/ ipie xml o erhqey ssn ybi otesac nieElasticsearch, engine search the to brig by sent as query, search a for example simplified A ocnetwt te epeuescnete s h epesac etr rupload or feature people-search the use either can users people other with connect To h eut ftesac ur oti h srdt rmtesac ne n include and index search the from data user the contain query search the of results The fields The unblocked. API or search blocked above-mentioned were The they that notified be not will .. epeSac n drs okUpload Book Address and People-Search 3.2.5 nadto otesac P,Wr let a loueteue adeAPI handle user the use also can clients Wire API, users search returned the the rank to to addition used is matches. In score better search to The scores found. higher user assigning each by for score search a query. fields the than weighted by matching. higher “alice” phrase into and matching normalized prefix is phrase field “Alice” the parts: input in two search of The consists query 3.1. The listing in brig. found be can of matches uses query field the the within prioritizes input query normalized search this normalized for a fields into searches lowercase index transliterated Elasticsearch into search is Subsequently, searcher name well. the profile ID, by as the provided user input input transliterating as: search of The such result data letters. the Latin user are includes names which ( profile index name Normalized search profile a normalized to name, applied profile is query This Elasticsearch query. engine search the users unblocked or Blocked resumes. connections messages blocked 1:1 Also, of resulting connections. delivery time, blocked and any from again at messages unblocked blocked 1:1 be the drop can be by to can ignored backend connections be has the accepted, can contact in Once request the contacted. connection once all any contact being commence, However, of correct user can list request. the Communication connection a select this then returns request. accepted can which connection searcher field, a The chosen input send person’s search usernames. and a and app’s type names the (“searchers”) profile into matching users username function, or people-search name the profile use to order In backend. the to books address their h asnr aaaeo rgt euntecrepnigue Dfrtematching the for ID user corresponding the return to brig of database Cassandra the multi-match-query.html#type-phrase 5 6 https://www.elastic.co/elasticsearch https://www.elastic.co/guide/en/elasticsearch/reference/master/query-dsl- handleˆ3 handleˆ2 handle haematch phrase lost erhi utpefilsi.e. fields multiple in search to allows or handle niae htti edi wc siprata h field the as important as twice is field this that indicates and ofidafl aciguenm.Teue adeAIqueries API handle user The username. matching full a find to normalized normalizedˆ2 ofideatmthswihaegvnpeeec vrprefix over preference given are which matches exact find to and handleˆ2 normalized handle . 5 E /search/contacts GET osac o sr yepoigaseicsearch specific a employing by users for search to cesd 22-February-2020 Accessed: , vrtefield the over normalized rmteprs acigqeyaetherefore are query matching phrase the from and sn a using normalized cesd 22-February-2020 Accessed: , n h nqeuenm ( username unique the and ) haepexmatching prefix phrase handle normalized rmteprs rfi matching prefix phrase the from and sdb iecins uses clients, Wire by used normalized diinly h search the Additionally, . h ae ˆ2 caret The . 6 ur.The query. normalized handle GET ). . Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. 0"tp hae", " , phrase " " e c i l a : , " " " or type " " : " " : ^2 query " " } , normalized operator " " " } ^3 22 , handle ] " 21 [ : 20 " s d l e i 19 f " 18 { 17 : " 16 multi_match " 15 14 13 } { 12 , } 11 10 ye":"prs_rfx", " , phrase_prefix " " e c i l a : , " " " or type " " : " : " query " " , normalized operator " " " ^2 , handle ] " [ : 9 " s d l e i 8 f " 7 { 6 : " 5 multi_match " 4 3 2 { 1 /onboarding/v3 /users ihissoe ahso l ieues nmthn ahs h orsodn sr get users corresponding the hashes, matching On users. Wire all of hashes stored its with upload book address the use to is people other with connect to approach second The .. Self-Messaging 3.2.6 drs okadulaste oteWr akn sn h norigAPI onboarding the using backend Wire the to them uploads and book address etr.I uses It feature. ru,tu h rao ftegopi h nymme.Hneti etr ol be could feature this Hence the member. to only members the any is adding group without the conversations of group creator new the thus create group, to possible is It to has above. which described request already connection as a contact to create the connect feature would by to people-search this accepted order the although be in automatically use contact, again be could this uploaded the not user with at be will the connect Wire Alternatively, to they using automatically. upload, has not the users book was after both address Wire book the use address upload Therefore, to the the starts connected. from during but contact processed uploading, a only of if but time that backend implies the This accepted. on stored be itself. not to have are requests hashes connection Uploaded no that table means brig uploaded which the are connected, to notices) automatically compared or are birthdays hashes addresses, uploaded names, These (i.e. backend. book the address to the in data other API user the use can clients Wire ID, user returned this With exists. it if username, ortiv oedtisie srae rfienm,pol itr,pol color. profile picture, profile name, profile username, i.e. details more retrieve to itn .:SmlfidEatcerhqeyfrsac nu “Alice” input search for query Elasticsearch Simplified 3.1: Listing SHA256 ete h mi drse n hn ubr hmevs nor themselves, numbers phone and addresses email the Neither . ahso mi drse n hn ubr nteusers’ the in numbers phone and addresses email of hashes user_keys_hash ..Slce Features Selected 3.2. POST GET 21 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. 22 .Background 3. iesbcedadcinswl edsrbdi oedti ntefloigscin 3.4 sections following the in detail more in described be will clients and backend Wire’s iesbcedhsbe eindwt togsaaiiyadhg efrac nmind. in performance high and scalability strong with designed been has backend Wire’s . ieArchitecture Wire 3.3 lhuhms ftesrie nWr’ akn r ttls,tebcedi o entirely not is backend the stateless, are backend Wire’s in services the of most Although hc ade h eSce oncin sdsge oalwrnigo utpeinstances multiple of running allow to designed is connection, WebSocket the handles which architecture, client-server traditional a on based heavily is Wire service messaging The fti evc nodrt adenmru ttflcnetos tt nomto about information State connections. stateful numerous handle to order in service this of n 3.5. and highly a support to used is a ElasticSearch Cassandra, engine in people-search. search in stored scalable The stored is are database. information endpoints, scalable persistent Conversely, notification highly push database. key-value external a as well Redis, as service, connections, Haskell WebSocket The the WebSockets. the i.e. parts stateful some features also it as stateless good for authentication REST stateless enables also which 2.0, for Authentication scalability. therefore Oauth API network. by REST and internal internal handled time an an and inside is same provide stateless components the services backend all Haskell at between Additionally, are communication services well. API those very REST of scale language backend’s services instances programming the multiple functional behind the running services in support Haskell written been The have backend Haskell. the of services Most clients. between communication peer-to-peer peer-to-peer the for for uses iOS, client-side Wire on the architecture, use APNs client-server on iOS WebRTC and the technology Android and to on Android addition FCM for In i.e. clients communication. services, mobile notification handled Wire’s push and is WebSocket. external internal server and additional into and HTTPS The clients grouped protocols browsers. between be the web communication can by for The which app components respectively. Windows, web service services for independent several external apps platform of desktop a consists iOS, as side and available well server Android are as for apps Linux, apps clients, and mobile For MacOS i.e. architecture. platforms (p2p) several peer-to-peer for a with combination in multiple create to device. having each and for self-messaging, another one for with conversation i.e. information 1:1 accounts the sharing a to encryption, abusing of belonging end-to-end by sharing devices, up person the multiple giving facilitates between without This data user, account. other same the Wire or if same pictures useful the information, especially with sensible is devices which multiple self-messaging, uses encrypted user end-to-end establish to used Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. evcs(AWS) Services . ieBackend Wire 3.4 h iebcedcnit ftefloig pnsuc,itra opnns(e also (see components internal source, open following, the of consists backend Wire The backend. Wire the of components all describes section sub following The AWS via deployed be to meant is it that implies backend Wire the be of can design services current external The and internal into split components its with backend Wire The services Haskell the of consists respectively, server and backend Wire the of part main The .. nenlServices Internal 3.4.1 nfoto hs akl evcs hl eea aasucsie h aaae Cassandra databases the i.e. sources data several positioned while is nginx services, proxy Haskell reverse those The of proxy. front and in cargohold cannon, gundeck, galley, brig, gr 3.1): figure services. AWS many on dependencies strict its of because 3.1. figure in seen Spotify, SoundCloud, Giphy. YouTube, and Nexmo, Maps Twilio, several services of Google external consist the services requires external backend These services Wire. external of several set on feature depends backend full conjunction, Wire the In the for services, back. internal the those in Beyond are services. Elasticsearch, internal engine the search form the services as these well as Redis, and 7 https://github.com/wireapp/wire-server ..SS Q,SS yaoB 3adCodrn.Frhroe the Furthermore, CloudFront. and S3 DynamoDB, SNS, SQS, SES, i.e. iue31 rhtcueo h iebackend Wire the of Architecture 3.1: Figure cesd 22-February-2020 Accessed: , 7 mznWeb Amazon ..Wr Backend Wire 3.4. 23 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. .Background 3. 24 2020 rfiepcue hc r trdunencrypted. stored are which pictures profile to cargohold. notifications submits gundeck where API clients. REST the internal to an pushed provides be also It clients. to to gundeck enables cannon. This database. Redis a cannon. in of stored instances where are this multiple endpoints, sent, for handle Notification keys be sent The database. to Notifications Cassandra have metadata. gundeck’s notifications APNs. hide in to and stored encrypted FCM are additionally i.e. encryption are SNS providers over push providers external push to external via or cannon gundeck. generates Galley hub Cassandra notification galley’s messages. push into send the stored is to to conversations them database. API about forwards information the Persistent and provides gundeck. messages also incoming It for notifications members. their and authentication. galley. 2.0 database. Oauth Cassandra for brig’s token into access stored signed are the data creates Persistent Brig upload. book phone access its with brig. authentication 2.0 Oauth using nginx-zauth-module, by module, calls authentication tokens. API is custom REST and The statistics all caches virtual authenticates nginx. and nginx monitoring traffic The shows for headers. nginx-module-vts, used HSTS module, and status CORS traffic set host to nginx used additional is three headers-more-nginx-module uses component transport The the headers-more-nginx-module terminates backend. modules: it and means Further- clients which between proxy connections. termination TLS WebSocket TLS encryption establish as to operated is upgrade nginx protocol more, HTTP the handles also nginx. luFot iecinssoealecytdast nti evc.A xeto are exception An service. this on assets encrypted all store clients Wire CloudFront. oncin.I lopoie h P etrst onc e sr ..pol-erhand people-search i.e. users new connect to features API the provides also It connections. oictos oictoscnb ihrsn i eSce vrteHselservice Haskell the over WebSocket via sent either be can Notifications notifications. party/nginx-zauth-module 11 10 9 8 https://github.com/openresty/headers-more-nginx-module https://github.com/wireapp/wire-server/tree/develop/services/nginz/third_ https://nginx.org/ https://github.com/vozlt/nginx-module-vts h akl evc rgmngsalacut nldn hi let dvcs and (devices) clients their including accounts all manages brig service Haskell The nginx alyi h evrcmoetwihhnlsalcnestos(: n group) and (1:1 conversations all handles which component server the is Galley anni eSce evripeetto o edn uhnotifications push sending for implementation server WebSocket a is Cannon h uhntfiainhbgnekmngstedsrbto falpush all of distribution the manages gundeck hub notification push The aghl sue opoiea se trg ae nAao 3and S3 Amazon on based storage asset an provide to used is Cargohold 8 sue srvrepoyfrtepbi ETAIo iesbced It backend. Wire’s of API REST public the for proxy reverse as used is cesd 22-February-2020 Accessed: , cesd 22-February-2020 Accessed: , 9 nginx-module-vts , cesd 22-February-2020 Accessed: , 10 n nginx-zauth-module and cesd 22-February- Accessed: , 11 . Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. eSce oncinfo hc annsriea ela xenlps notification push external as well as service cannon which from connection WebSocket hs hr-at evcsotnrqieAIky,teeoe h akn evc proxy service backend the therefore, keys, API require often services third-party Those .. xenlServices External 3.4.2 eicto facutdltosadohripratealnotifications. email resets, important password other devices, and added deletions newly account about of notification verification identities, email of verification well. as API REST the to sent are and JSON ytepol-erh thsisonsac ne hc a emdfidb sn its using by modified be can which index search own its has It people-search. the by SES. required. are CloudFront and S3 DynamoDB, SNS, SQS, SES, services (AWS). services Services external Web following Amazon 3.1): the figure requires also (see Wire features services, all internal for functionality the guarantee to additional In as formatted also are queries search The format. content as JSON with API RESTful ElasticSearch. which i.e. devices APNs. connected or FCM all of of endpoints notifications push for URLs destination the store further. scalability the Redis. brig, improves be components which could the therefore Cassandra of and of schema data instances database storing different own for completely its backend in has Wire’s component run in Each used gundeck. is and galley It failure. of point a or Cassandra. firewall a behind is peers the of any NAT. if connections WebRTC peer-to-peer establish services. mitigates third-party also those This to restund. clients, clients. Wire all by of exposed them address), IP requiring of (i.e. leakage instead clients. metadata keys Wire all API into those integration manages easier for Giphy and Maps Google Spotify, SoundCloud, proxy. 17 16 14 15 13 12 https://docs.aws.amazon.com/ses/index.html https://aws.amazon.com https://redis.io https://www.elastic.co/elasticsearch https://cassandra.apache.org/ http://www.creytiv.com/restund.html ipeEalSrie(SES) Service Email Simple h opnn rx sue oitgaetidprysrie ..YouTube, i.e. services third-party integrate to used is proxy component The Redis Restund Cassandra 14 h aabsdoe oresac nieElasticsearch engine search source open based Java The sa pnsuc nmmr e-au aaaeue ygnekto gundeck by used database key-value in-memory source open an is 12 cesd 22-February-2020 Accessed: , sa pnsuc TN[ STUN source open an is 13 sa pnsuc,hgl clbedtbs ihn single no with database scalable highly source, open an is cesd 22-February-2020 Accessed: , 17 cesd 22-February-2020 Accessed: , nodrt u h nenlsrie h AWS the services internal the run to order In sue ybi osn mist ieuesi.e. users Wire to emails send to brig by used is cesd 22-February-2020 Accessed: , cesd 22-February-2020 Accessed: , cesd 22-February-2020 Accessed: , 46 n UN[ TURN and ] 30 evrue to used server ] ..Wr Backend Wire 3.4. 15 sused is 16 25 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. .Background 3. 26 /i/users/blacklist ie ti loue o trn rfiepictures. profile storing for used also is It Wire. piitclcigfrpeeswihi eurdi re ornmlil ntne of instances multiple run to order in required is which prekeys for locking optimistic nieWr conversations. Wire inside Spotify. conversations. Wire inside content Wire SoundCloud inside content YouTube SoundCloud. support to clients Wire by used is conversations. and proxy service failure. Nexmo a YouTube. of case in SMS sending for service fallback a Twilio. phone. via login to and passwords Nexmo. storage. asset provide API internal brig’s by S3. managed are which users blacklisted store to used also is It brig. APNs. via iOS DynamoDB. on and FCM via Android on clients mobile to for used only currently SNS. is it API brig, internal On the gundeck. by and deletion brig account services user the of instances multiple SQS. CloudFront. 19 18 20 21 22 23 24 25 26 27 https://docs.aws.amazon.com/sqs/index.html https://docs.aws.amazon.com/sns/index.html https://docs.aws.amazon.com/dynamodb/index.html https://aws.amazon.com/s3/ https://docs.aws.amazon.com/cloudfront/index.html https://www.nexmo.com https://www.twilio.com https://www.youtube.com https://soundcloud.com https://spotify.com ipeSoaeSrie(S3) Service Storage Simple ipeQeeSrie(SQS) Service Queue Simple ipeNtfiainSrie(SNS) Service Notification Simple Twilio Spotify Nexmo h hr-at evc YouTube service third-party The h otn eieyntokCloudFront network delivery content The h oQ aaaeDynamoDB database NoSQL The 24 SoundCloud 27 23 smil sdb rgt aiaepoenmes ti loue as used also is It numbers. phone validate to brig by used mainly is sas ui temn evc n sue osaeSoiycontent Spotify share to used is and service streaming music a also is sue ybi osn M ovrf hn dniis reset identities, phone verify to SMS send to brig by used is . cesd 22-February-2020 Accessed: , cesd 22-February-2020 Accessed: , cesd 22-February-2020 Accessed: , cesd 22-February-2020 Accessed: , cesd 22-February-2020 Accessed: , 26 samscsraigsriewihi sdt share to used is which service streaming music a is cesd 22-February-2020 Accessed: , 21 18 sue ycroodt tr l sessn over sent assets all store to cargohold by used is sue sitra esg uu osynchronize to queue message internal as used is 19 EEE/i/users/:id DELETE sue ygnekt edps notifications push send to gundeck by used is 25 sitgae noWr ytebackend the by Wire into integrated is cesd 22-February-2020 Accessed: , cesd 22-February-2020 Accessed: , 20 sue ybi o best-effort a for brig by used is cesd 22-February-2020 Accessed: , 22 cesd 22-February-2020 Accessed: , sas sdb aghl to cargohold by used also is . Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. ie ieg S sr ihu Ap,wocnueteWr p ihu ogePlay Google without app Wire the use can who GApps, without users OS) Lineage (i.e. iespot ffiiloe orecinsfralmjroeaigssesie Android, i.e. systems operating major all for clients source open official supports Wire . ieCins/Apps / Clients Wire 3.5 nri p upre nyuecytdbcusbtnwi pinlyecyt the encrypts optionally it now but backups unencrypted only supported app Android h p a eisaldfo h ffiilGol lysoeo yisaln h APK the installing by or store Play Google official the from installed be can app The For Java. in written parts minor some with Scala in written mostly is app Android The conversation. a within .. nri App Android 3.5.1 nerto evc rx o rvdn h etr osac n hr nmtdGIFs animated the share via and Giphy search integrate to clients feature Wire the providing sites. for other proxy from service GIFs integration numerous indexes also It ftedrc P onodtefigrrn fteapsgigcrict swl sa as well as integrity certificate the signing verify app To the of website. fingerprint the Wire’s download from APK downloaded direct be the of can which directly, file Giphy. sta h eeaino ikpeiw antb iald ute,temulti-account the Further, disabled. be cannot previews link of generation the Argon2 that [ using is function and derivation XChaCha20Poly1305 key is cipher password-based the added Formerly, encryption as authenticated recently conversations. the was all with of that backup history feature disables the security also export Another which to lock switcher backups the app. task encrypted on the the for notifications in support of of content security shots content screen added the the screen recently hiding hiding the taking for locking, of support app Some and of certificate. implementedscreen, support leaf is in Wire’s which of are pinning key certificate features public supports the also pinning App by Android CustomROM The FCM. for and useful store especially is This provided. are checksum SHA256 corresponding runtime. battery the WebSocket increases to thus addition and in also efficiency notifications see power push Rust, improve for in used to FCM written libraries order uses are shared in app which Other notifications Android libraries C++. The encryption library in end-to-end extensive 3.6. written the and section is are important which apps One engine both app. signaling by Android video common the audio certain as and the implemented on iOS is be depends the to app between able the were code Further, features shared particular Kotlin. some use because to libraries started custom recently Wire features new are differences These are clients. there the subsection: However, between following general, clients. differ the In all can in by browsers. features described supported web certain are and for 3.1.1 exceptions app section some web in universal explained a features and the Linux MacOS, Windows, iOS, conversations. Wire inside Maps. Google 29 28 https://giphy.com https://developers.google.com/maps/documentation/ Giphy 29 h ogeMp API Maps Google The sawbsriefrsacigadsaigaiae I pictures. GIF animated sharing and searching for service web a is cesd 22-February-2020 Accessed: , 28 sue yWr let osaelcto data location share to clients Wire by used is 66 .Amnrdabc fteAdodapp Android the of drawback minor A ]. cesd 22-February-2020 Accessed: , ..Wr let Apps / Clients Wire 3.5. 27 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. 28 .Background 3. diinly iesDSrcrsfrtewbapadbcedueCricto Authority Certification use backend and app web the for records DNS Wire’s Additionally, io rwako h e p sta h eeaino ikpeiw antbe cannot previews link of generation the that is app web the of drawback minor A [ (CAA) Authorization sarpaeetfrHK,crict rnprny[ transparency certificate HPKP, for replacement a As h O p a rgnlywitni betv- u a enmsl erte nSwift. in rewritten mostly been has but Objective-C in written originally was app iOS The okrudoecuduedffrn rwe esost s oeWr consi parallel. in accounts Wire more use to sessions browser different use could one workaround device keys, cryptographic all store permanently to storage local uses app web The React the uses and TypeScript and JavaScript in written is app web The a nrdcdi re opoiecrict inn nwbbosr,hwvrits however browsers, web in pinning certificate provide to order in introduced was .. O App iOS 3.5.2 .. e App Web 3.5.3 February-2020 storage. local The browser’s needed. the as in server stored tokens. from are session downloaded assets for are for used assets keys are client-side, decryption Cookies them storing histories. conversation of and Instead data, account user mitigate and to HSTS enabled from profits stripping. also TLS app using web attacks The man-in-the-middle domains. those for certificates Expect-CT for draft IETF contain current to the certificate also the (see require (SCTs) would timestamps browser certificate the signed of i.e. advantage transparency full certificate take header enforce to HTTP However, the DigiCert. transparency, authority certificate certificate Wire’s by supported [ (HPKP) Pinning Key Public HTTP past, the In pinning. certificate for support NodeJS the and library also app The store. Argon2 Passcode app and or iOS encryption [ official for derivation the XChaCha20Poly1305 key alternative on using for no available by are only backups addition there is improve encrypted Since In it to supports apps, runtime. notifications app. install battery push Android the to for the increases options APNs thus does uses and as app efficiency engine, iOS power signaling the video notifications, WebSocket audio to C++ the uses It time. same In the time. at same accounts the 3 at to accounts up 2 support to apps up desktop allows the only and currently iOS app contrast Android the of feature my-Wire-account-with-Touch-ID-or-Passcode- rwe eso a nyb ogdit n ieacuta h aetm.A a As time. same the at account Wire because one limited into is logged multi-account be for only support can its session that browser is a drawback Another disabled. s snwdsorgdadGol hoearayrmvdisspotfrHPKP. for support its removed already Chrome Google and discouraged now is use 33 32 30 31 https://tools.ietf.org/html/draft-ietf-httpbis-expect-ct-08 https://nodejs.org/ https://support.wire.com/hc/en-us/articles/115001479849-How-can-I-lock- https://reactjs.org/ 30 utlk h nri p,teiSapas oscrict pinning. certificate does also app iOS the app, Android the like Just . 66 .Aohretafaueo h O p saplcigvaTuhID Touch via locking app is app iOS the of feature extra Another ]. 15 32 cesd 22-February-2020 Accessed: , hc losol iieta etfiaeatoiyt issue to authority certificate as DigiCert only allows which ] cesd 22-February-2020 Accessed: , csse.A poe oohrcins h e p a no has app web the clients, other to opposed As ecosystem. Expect-CT cesd 22-February-2020 Accessed: , scretymsig hc would which missing, currently is 25 srcmedd hc is which recommended, is ] cesd 22- Accessed: , 31 JavaScript 11 33 ). ] Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. CO)[]format. [5] (CBOR) iehsdvlpdtepafr needn irre rtu,HD n rpoo to Cryptobox and HKDF Proteus, libraries independent platform the developed has Wire . ieLibraries Wire 3.6 diinly tat saflbc o nupre ltom ..Wnos1 Mobile, date. 10 to Windows up always i.e. is platforms and unsupported installation for no fallback needs a it as that acts is app it Additionally, web the of advantage An h e p niei efudtn nalplatforms. all on self-updating is inside app web The Electron the of top on developed are Linux and MacOS Windows, for apps desktop The .. eko Apps Desktop 3.5.4 .. Proteus 3.6.1 esgs esosadky r eilzdit h ocs iayOjc Representation Object Binary Concise the into serialized are keys and sessions sodiumoxide messages, library Rust Bernstein by the introduced uses was which library NaCl, [ cryptographic al. library et cryptographic HMAC-SHA256 the the by ChaCha20, from forked implementation primitives originally the cryptographic on the relies of libsodium Proteus usage Curve25519 its and For Rust. in Proteus advantage major separately. a platform as each serving for be thus encryption separately, to end-to-end app has the each implementation implementing for encryption to not libraries compared the and those apps, once that dependent only fact platform audited the for to reused Due be capabilities. can encryption end-to-end their implement calls. video WebRTC via members using 10 is support to feature also up additional apps with Another desktop sharing They simultaneously. The screen accounts pinning. for 3 certificate. certificate to support leaf for up Wire’s support with have the accounts apps of multiple desktop key the public app, the web pin the updates. to the contrast handles In as manager or package AppImage APT as the either where for provided repository updater is a integrated app with an Linux is package have The itself Debian MacOS themselves. wrapper and the wrapper Electron Windows running Electron The platform. the is each features. which for additional Electron, built some inside specifically offer app and web engine, the Chromium wrap essentially They framework. later. or 43 Opera and later, later, or or 15 60 Edge Firefox Microsoft Mozilla later, are or browsers 51 supported Chrome/Chromium Currently Google platform. that on available S eiaie,HiuO rohrUi ytm sln saspotdbosris browser supported a as long as systems Unix other or OS Haiku derivatives, BSD 37 36 35 34 https://github.com/sodiumoxide/sodiumoxide https://github.com/jedisct1/libsodium https://github.com/wireapp/proteus https://electronjs.org/ 2 .Bcuelboimi rte nC rtu antdrcl s t nta Proteus instead it, use directly cannot Proteus C, in written is libsodium Because ]. 35 36 saGL3 mlmnaino the of implementation GPLv3+ a is isdu saalbeudrteGLcmail ies S n was and ISC license compatible GPL the under available is libsodium . cesd 22-February-2020 Accessed: , 37 hc xot utbnig o isdu.All libsodium. for bindings Rust exports which cesd 22-February-2020 Accessed: , cesd 22-February-2020 Accessed: , obeRatchet Double cesd 22-February-2020 Accessed: , loih n swritten is and algorithm ..Wr Libraries Wire 3.6. 34 29 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. 30 .Background 3. xadKyDrvto ucin(HKDF) Function Derivation Key Expand . Coax 3.7 skydrvto ucin rtu sstestandardized the uses Proteus function, derivation key As hrfr,teCa leti unrbeto vulnerable is client Coax the Therefore, is which base, code small a with client Wire simple a have to is Coax for motivation The .. Cryptobox 3.6.3 .. HKDF 3.6.2 i TPt e evradueteHT prd edrt wthfo h HTTP the from switch to header upgrade HTTP the use and server web a to HTTP via rtclt h eSce rtcl hspoeue oetbihaWboktconnection, WebSocket a establish handshake. to WebSocket procedure, called This is protocol. WebSocket connect the initially to clients protocol WebSocket because necessary is This connection. WebSocket [ a protocol WebSocket the of OpenSSL uses coax-net encryption TLS the For encryption. TLS with HTTP/1.1 end-to-end of its for coax-net. 3.6.3 Cryptobox components: and following 3.6.1 the Proteus of consists libraries It Wire encryption. unsupported. the also uses are Coax pinning certificate calling, TLS security video or Important and verification features. audio device other i.e. as and protocol messaging such Wire ephemeral features, the assets, of text-based data features encrypted, of other end-to-end transmission the of not receiving purposes. and and testing sending messages for supports suitable only also Coax is protocol. Currently, project Wire This the handle changeable. to and meant understandable is easily that (GUI) interface user graphical a with Rust, Coax keys. identity and pre- session, i.e. data key miscellaneous store to storage permanent Cryptobox Rust in written also hog h pns crate openssl the through ihlvlAIfrmr ipeuaeo rtu.Adtoal,Cytbxue a uses Cryptobox Additionally, Proteus. of usage simple more for API high-level a coax-ws. 42 41 40 39 38 https://crates.io/crates/openssl https://www.openssl.org/ https://github.com/wireapp/coax https://github.com/wireapp/cryptobox https://github.com/wireapp/hkdf 40 sa xeietlpoetdsge ocet aieUi let rte in written client, Unix native a create to designed project experimental an is 39 hscmoet hc sas utlbay rvdsacin implementation client a provides library, Rust a also is which component, This hsRs irr otisasml TP letwihspot subset a supports which client HTTPS simple a contains library Rust This salbaywitni utwihi vial ne Pv+ toffers It GPLv3+. under available is which Rust in written library a is 38 . 42 12 hc rvdsRs idnsfrOpenSSL. for bindings Rust provides which .Teipeetto ae s fca-e oestablish to coax-net of use makes implementation The ]. cesd 25-May-2018 Accessed: , cesd 22-February-2020 Accessed: , cesd 22-February-2020 Accessed: , cesd 22-February-2020 Accessed: , a-ntemdl (mitm) man-in-the-middle [ 20 cesd 22-February-2020 Accessed: , .Teipeetto fHD sd is used, HKDF of implementation The ]. MCbsdExtract-and- HMAC-based attacks. 41 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. message-proto . ign/libpurple / Pidgin 3.8 P swl steWboktueJO sdt xhneformat. exchange data as JSON use WebSocket the as well as API sipidb h ae ut-rtclmsegrPdi uprsoto h o osof lots box the of out supports Pidgin messenger multi-protocol name, the by implied As hs te rjcsie Adium i.e. projects other Thus, REST backend The API. backend the with communicate to needed are types data Those are and clients Wire between sent messages all for used are definitions protobuf These eo ..ca-let nt w,-aa aiad-p-rt.I loitgae the integrates also It -api-proto. and -api -data, -ws, -net, coax-client, i.e. below ignmvdtespotfrismn esgn rtcl oisonlbaylibpurple. library own its to implementations. protocols protocol messaging many its name for the support using name. the current about moved AOL its Pidgin by Pidgin, Support lawsuit renamed AIM. a was protocol After project proprietary gradually. the the added Gaim, the supported was Originally, only protocols others. and further and Gaim for SIMPLE as SILC, known ICQ, was IRC, project XMPP, i.e. protocols messaging Pidgin all uses thus and application. coax-actor Rust a of into top together on them builds combines It and stack. libraries Coax Rust full above-mentioned the of testing interactive coax-gtk. libsodium. and HKDF Proteus, Cryptobox, i.e. libraries cryptographic token). Bearer 2.0 coax-actor. (Oauth renews continuously needed and when calls, token API access all API required handles the therefore and connection WebSocket and SQLite database SQL coax-api. languages. corresponding Proton. the by for encrypted definitions end-to-end type generate to clients Wire other the by coax-api-proto. coax-data. coax-client. rtclbuffers protocol 48 45 46 47 44 43 https://www.bitlbee.org https://pidgin.im https://adium.im https://developer.pidgin.im/wiki/Using%20Finch https://sqlite.org/ https://github.com/wireapp/generic-message-proto 45 samlipooo esne hc switni n vial ne GPLv2. under available and C in written is which messenger multi-protocol a is hsRs irr upisWr P aatpswt SNserialization. JSON with types data API Wire supplies library Rust This h atcmoeto oxcnan ipeGKue nefc for interface user GTK simple a contains Coax of component last The hsRs opnn rvdsapraetdt trg ae nthe on based storage data permanent a provides component Rust This 43 hsRs irr shge-ee letwihasrcsalCa layers Coax all abstracts which client higher-level is library Rust This hscin omnctswt h iebcedtruhteRS API REST the through backend Wire the with communicates client This hc r eeae yteoca iepoou definitions protobuf Wire official the by generated are which , o h rgamn agaeRust. language programming the for hscmoetcnan esg yedfiiin,as nw as known also definitions, type message contains component This cesd 22-February-2020 Accessed: , 44 cesd 22-February-2020 Accessed: , . cesd 22-February-2020 Accessed: , cesd 28-June-2017 Accessed: , 46 Finch , 47 rBitlbee or generic-message-proto cesd 22-February-2020 Accessed: , 48 cesd 22-February-2020 Accessed: , r bet es h same the reuse to able are ..Pdi libpurple / Pidgin 3.8. sas used also is generic- 31 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. .Background 3. 32 diinly hr r iprl lgn hc ffrspotfrnwrmsaigprotocols messaging newer for support offer which plugins libpurple are there Additionally, ..Mtems,Sak arxog icr,Rce.ht aeokMsegr Skype Messenger, Facebook Rocket.Chat, more Discord, and Matrix.org, Slack, Mattermost, i.e. any protocol. and messaging via specific XMPP sent protocol the messages is with text plugin used is OMEMO encrypt be plugin the end-to-end only libpurple, OTR can to available by the used recently supported While be protocol the can messaging messages. or and text plugin agnostic encrypting OTR protocol end-to-end well-known for the plugin are OMEMO plugins such for plugins. for support through Examples particularly added can features, libpurple be more and can because Pidgin protocol, applications Therefore, messaging broader further system. more plugin for a used support be libpurple and Pidgin Both 49 https://pidgin.im/plugins/ 49 . cesd 22-February-2020 Accessed: , Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. . upeieut-PWR - PurpleWireRust 4.1 ie h rjc mlmnsapafr needn letfrteWr rtcl It protocol. Wire the for client independent platform a implements project The Wire. hscatrcnan h mlmnaindtiso upeieutwt t compo- its with PurpleWireRust of details implementation the contains chapter This estos hrfr,PRcretyol xoe eevn igmsae o group for messages ping receiving exposes only currently PWR Therefore, versations. otntl,lbupehsn ul-nspotfrsnigpn esgsi ru con- group in messages ping conversations. sending for support built-in no has libpurple fortunately, messages. are Ping algorithm. messages Ratched These Double conversations. the group implements which and Proteus, 1:1 with for encrypted messages text encrypted to-end messages. Text incoming accept adding to contacts. supports possible unblock also is and is it block It Further, or list. information. requests, group contact contact and show contact and the contacts synchronizes new and profile user the handling. account Basic protocol: Wire plugin. the libpurple of a features implementing following by the Wire supports for PWR of support analysis with security Pidgin following messenger this the the of for extends course and the protocol during Wire created the been understand has better which to project thesis a is (PWR) PurpleWireRust 4.3. tools Python Wire the and 4.2 backend Wire self-hosted the 4.1, nents n ieacutadlgnlgu i mi n asod utemr,PRfetches PWR Furthermore, password. and email via login/logout and account Wire a ing sa motn etr,PRspot edn n eevn end- receiving and sending supports PWR feature, important an As utemr,pn esgsaeaalbefr11cnestos Un- conversations. 1:1 for available are messages ping Furthermore, W uprsbscacuthnln etrsie register- i.e. features handling account basic supports PWR Implementation CHAPTER 33 4 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. .Implementation 4. 34 .. purple-wire 4.1.1 al . enstesmni apn ewe iprl n oxrqie oconnect to required Coax and libpurple between mapping semantic the defines 4.1 Table eicto ycmaigpbi e-nepit feeydvc sdb contact. a by used device every of key-fingerprints public comparing by verification eea otcswouetesm rfienm,wihcnb ofsn n a lead can and confusing be can which name, profile same the use who contacts several L 1.2. TLS eas hsfil sue o h oa la etr.Ec iecnathsa mlct1:1 implicit an has contact Wire Each feature. alias local the that for intended used is is It field data. this profile because libpurple’s in libpurple’s it to store maps name profile The struct unique credentials. the login to as account correspond password Coax conversations Basically, group Coax. and by struct struct provided libpurple’s those to with maps libpurple data of fields data existing The the plugin. of protocol use a makes of and required C functionality in all written implements is plugin It protocol. Wire the purple-wire sections. following the components in the of multiple unlimited consists allows PWR a PWR of clients, Instead Wire simultaneously. official accounts the Wire accounts. by multiple allowed handle accounts to 3 is limited of PWR, names also of thus list and handling. a account only multi app, Unlimited Android pictures. Wire profile shown the additional is on without name used appear, profile is contacts the feature and only share conversations however, the instances when some In with e.g. information identifier. confidential additional some an shares as user contact the wrong if the issues privacy and/or security to authority. certificate aliases. trusted a Local by issued certificates malicious mitigate to pinning tificate feature. this verification. for Device the support in built-in notifications delivery no incoming has show libpurple not because does interface it user However, conversations. 1:1 for receipts. Delivery lae hc scretyntspotdb n te letfrWr.Ti feature This Wire. for client community other the any by by requested supported been already not has currently is which aliases 1 2 https://github.com/wireapp/wire-webapp/issues/7122 https://github.com/wireapp/wire/issues/104 user_id sapui o h irr iprl n xed hslbaywt upr for support with library this extends and libpurple library the for plugin a is stasotecyto,PRecuieyue L . n mlmnscer- implements and 1.2 TLS uses exclusively PWR encryption, transport As yuigPdi,PRoesteadtoa etr odfielocal define to feature additional the offers PWR Pidgin, using By UI)wsasge oastig nr flbupet permanently to libpurple of entry settings a to assigned was (UUID) 2 o uhcss iecinsuulyas ipa rfiepicture profile a display also usually clients Wire cases, such For . W uoaial ed n-oedecytddlvr receipts delivery encrypted end-to-end sends automatically PWR nte euiyfaueo W steipeetto fdevice of implementation the is PWR of feature security Another account purple-wire wire-rust-ffi nte etr hti upre yPidgin, by supported is that feature Another tut otc ace libpurple’s matches contact A struct. , wire-rust-ffi 1 tcnb eyueu faue has user a if useful very be can It . cesd 22-February-2020 Accessed: , oipeetteWr protocol. Wire the implement to buddy->alias and chat cesd 22-February-2020 Accessed: , Coax W ssealand email uses PWR . hc r described are which alias a omapping no has h Coax’ The . buddy Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. wire-rust-ffi .. wire-rust-ffi 4.1.2 .. xeddCoax Extended 4.1.3 nrpin L etfiaepnighsbe de oCoax. uses to added been has pinning certificate TLS encryption, pinning. features new Certificate some by improved. extended been was have 3.7 features Coax existing PWR, some implementing and of course the During to purple-wire) (i.e. Wire. programs for other implementation by protocol used as be stack then Coax could the exports which use and interface, coax-gtk C component interface a user instead Coax’s replaces wire-rust-ffi components words, underlying other In its all with API. coax-actor C component a using Coax into interface the C abstract a to exports tionality wire-rust-ffi C. language programming the the in written projects of hash the simply Therefore, hash. a be to needs ID used. its Coax’ that to in map special therefore and libpurple in unique the a by identified is which conversation 3 al .:Smni apn ewe iprl n ie(ox/wire-rust-ffi) / (Coax Wire and libpurple between mapping Semantic 4.1: Table buddy->settings oeg ucinItrae(FFI) Interface Function Foreign buddy->server_alias buddy->alias iprl ox(wire-rust-ffi) Coax name password email user_id account->settings("user-id") account->alias account->password account->username libpurple ht>dg_str_hash(conv_id) name conv_id user_id conv_id chat->components("conv-id") chat->id chat->alias chat->name buddy->alias buddy->name ud-sre_la name conv_id buddy->settings("conv-id") buddy->server_alias salbaywitni ut hc ae tpsil oitgaeCa into Coax integrate to possible it makes which Rust, in written library a is esdfie yteue n o ytepooo lgn saflbc libpurple fallback a As plugin. protocol the by not and user the by defined gets omtgt a-ntemdl tak gis h transport the against attacks man-in-the-middle mitigate To pin h ud aeadca aeaeuiu identifiers unique are name chat and name buddy The option. saisi h srhsntdfie oa alias. local a defined not has user the if alias as etr rmRs.I otisterqie func- required the contains It Rust. from feature user_id conv_id 3 nlbupessd ti trdinto stored is it side libpurple’s On . and conv_id ..PrlWrRs PWR - PurpleWireRust 4.1. h htsrc is struct chat The . conv_id was 35 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. 36 .Implementation 4. nginx . efHse ieBackend Wire Self-Hosted 4.2 htohrWr let oa rsn,tespotfrTS11hsbe eoe.There removed. been has 1.1 TLS for 1.1. support TLS the present, at do clients Wire other what a iald hrfr,teetra evcsTii n em eernee useless rendered were Nexmo and Twilio services external the Therefore, disabled. was part not is calling video / audio Because CloudFront. and S3 services external its with also (see backend the of architecture the Wire, of analysis security the complete To eutdi eoa fteetra evcsSSadDnmD.Isedo sending of Instead DynamoDB. and SQS which services brig external of the instances multiple of removal running and in blacklisting resulted user for responsible features eieverification. Device esd 22-February-2020 cessed: proxy reverse the the of enabled configuration This the Finally, analysis. security SES. following service the external for last sufficient the is of which removal log SES server service the external into the to notifications email component The component well. the as in removed identity were as and number The phone APNs. for or support FCM the i.e. Furthermore, providers SNS. notification also push in was external code NAT for relevant or support firewalls the service behind is STUN/TURN initiation disabled the call removing for server by support asset its disabled the analysis, remove security to the order of the in Additionally, disabled also Giphy. was and assets Maps sharing party for 3rd Google component integrating feature the SoundCloud, for of Spotify, feature removal YouTube, The the services allowing 4.2). thus table disabled, also was (see content disabled were features several 4.1). features. figure thus Disabled also and removed (see were backend services analysis the cloud the self-host external for to All needed possible patched. strictly it code not made source were which its and components slightly and simplified was 3.1) figure fixes. Bug messages. ping receiving messages. Ping added. encryption end-to-end been the also against has attacks Proteus man-in-the-middle mitigate to fingerprints) Draft IETF an already is support. 1.1 TLS Drop 4 https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/ a prpitl dutdt eettesmlfidbcedarchitecture. backend simplified the reflect to adjusted appropriately was atbtntlat aymselnosbg aebe xdi Coax. in fixed been have bugs miscellaneous many least, not but Last gundeck nte etr hc a de oCa sspotfrsnigand sending for support is Coax to added was which feature Another nodrt u iesbcedwtotayetra services, external any without backend Wire’s run to order In upr o eievrfiain(..cmaigpbi key- public comparing (i.e. verification device for Support 4 a ialdwihalwdrmvlo h xenlservice external the of removal allowed which disabled was npaet erct n ialwteuaeo L . and 1.0 TLS of usage the disallow and deprecate to place in oxhsspotfrTS11adTS12btt match to but 1.2 TLS and 1.1 TLS for support has Coax brig brig’s restund a ute ace odsbethe disable to patched further was oewsudtdt rt emails write to updated was code nte etr hc was which feature Another . proxy ihisexternal its with cargohold Ac- , brig Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. xct h evcs hswsdn ocml ihtescrt rnil fminimal of principle to security user the with unprivileged comply an to add done to was edited privileges. This was services. Dockerfile the execute existing the container, Docker changes. Other Elasticsearch. engine search simplified the a and Redis, is and which Cassandra services backend servers internal Wire database the customized the only this of of consisting architecture outcome backend the shows 4.1 Figure mi oictosSES DynamoDB Twilio Nexmo, DynamoDB SQS, notifications brig Email of instances multiple Running service Obsoleted blacklisting User identity SNS as number Phone providers notification push External assets Sending content party 3rd for Integration feature Disabled ui ie calling video / Audio al .:Dsbe etrsi re ormv l xenlservices external all remove to order in features Disabled 4.2: Table iue41 dutdacietr fteWr backend Wire the of architecture Adjusted 4.1: Figure ic h akl evcsuiietepiiee srro niethe inside root user privileged the utilize services Haskell the Since cargohold Giphy Maps, Google Cloud, proxy restund oTb,Soiy Sound- Spotify, YouTube, , SU/UNserver) (STUN/TURN 3 Cloudfront S3, , brig , galley ..Sl-otdWr Backend Wire Self-Hosted 4.2. , gundeck , cannon , 37 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. .Implementation 4. 38 /users/$USER_ID/clients . iePto Tools Python Wire 4.3 rp h Python the wraps mitm-gundeck.py mitm-brig.py, scripts the and wrap.py client REST the of consist These eemn SNa otn yeadueisbiti rtypitfnto oso the show to function print pretty output. built-in readable its human use a and in type data content as JSON determine to notification this of mitm-elastic.py. delivery the can prevents which therefore notification and arbitrary client an It certain of client. gundeck. a recipients hub that hide the notification to from the IDs used reaches client be it strip before to user allows Wire also arbitrary an call for notifications API the from user Wire arbitrary an of IDs client arbitrary strip server. to Wire’s allows from user a is mitm-brig.py. of that metadata data long-term accessible profile the the user to retrieve of possibilities or to manipulation the credentials or easy demonstrate login server-side, scripts for to to stored by allows access used used wrap.py gained is be already It cookie. to has authentication ipython. meant to that is client i.e. adversary It shell an REST Python calls. of interactive interactive API low-level an arbitrary a in with as API or REST used Wire’s is call wrap.py directly authentication. 2.0 Oauth wrap.py. 5.2. section developed. in been found have be can scripts proxy mitmproxy Python man-in-the-middle about of the set for mitm-elastic.py a and API, REST Wire’s analyze to order In charset=UTF-8 mitm-gundeck.py. imrx opet rn SNdt ett h erhegn lsiSac.It ElasticSearch. engine search the header to HTTP sent missing data the JSON injects print simply pretty to mitmproxy 5 https://mitmproxy.org/ ieRs p yhni ipeHT letfrWr’ ETAI It API. REST Wire’s for client HTTP simple a is Python Api Rest Wire hsPto citi o h a-ntemdl proxy man-in-the-middle the for is script Python This oec TPrqet hs nbigmtpoyt successfully to mitmproxy enabling Thus, request. HTTP each to requests hsmtpoysrp sasothle ucinwihallows which function helper short a is script mitmproxy This hsmtpoysrp lost rpincoming drop to allows script mitmproxy This irr n nacsi ihcin-iehnln o Wire’s for handling client-side with it enhances and library cesd 22-February-2020 Accessed: , hc sdrce oteWr evc brig. service Wire the to directed is which otn-ye application/json; content-type: mitmproxy 5 oeinformation More . user.client-add mitmproxy GET and Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. l hs ye fatcescnata asv ratv desr.Frhr ti assumed is it Further, adversary. active or passive as act can attackers of types these All model threat a Signal, also subsequently and Wire of evaluation the for prerequisite As a eurd ti ae nUgre l 5]addfie h olwn attackers: following the defines and [56] al. et Unger on based is It required. was privacy and security the analyze to perquisites and requirements all describes chapter This h olwn ol eeue spr fteaayi fti thesis: this of analysis the of part as used were tools following The oa adversary Local . nlssTools Analysis 5.2 normal all use to them messages). allowing sending system, messaging (i.e. the features in messaging participate adversaries all that providers Service adversary network Global adversary network Local Model Threat test local the and 5.1 5.2 tools analysis 5.3. the backend 5.1, Wire model self-hosted threat the the of of setup consist Those Wire. of nso ieadSga,tidprysrie)wihcnb aiiu swell. as malicious be can which services) third-party Signal, and Wire of ends providers). service Internet large or states nation LAN). or WiFi the malware). via remote or access sa takrwogisacs otevci’ eie(..physical (i.e. device victim’s the to access gains who attacker an is r h rvdr ftemsaigsrieifatutr ie back- (i.e. infrastructure service messaging the of providers the are euiyAayi fWire of Analysis Security sa takrwocnrl h oa ewr ie we of owner (i.e. network local the controls who attacker an is sa takrwocnrl ag at fteItre (i.e. Internet the of parts large controls who attacker an is CHAPTER 39 5 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. .Scrt nlsso Wire of Analysis Security 5. 40 RLO hw httepormwsbitwith built was program the that shows (RELRO) P:RS letwa.yadmtpoysrps h atrmkn s ftePython the of use making latter the scripts, mitmproxy. mitmproxy of and API wrap.py client REST API: scenarios. man-in-the-middle sophisticated more for used been has and can which API hc sncsayt aeavnaeo drs pc aotRnoiain(ASLR) Randomization Layout Space Address of advantage take to necessary is which backend. Wire’s by stored database key-value the inspect to used was tool The interface. line command interactive the in uses Wire which eyueu neatv omn ieitrae(L) tas etrsapwru Python powerful a features also it (CLI), interface line command interactive useful very 2020 cqlsh. redis-cli. upr o ohra-nyrlctosadimdaebnigi scle ulRLO as RELRO, full called is it binding immediate and indicates relocations binding read-only Immediate both ELF with exploit. for an built corruption support of was memory areas a program memory by the possible used that the be reduces can protection which This binary RELRO. partial as compiler known the with built been has program more memory, the vulnerabilities within that flag corruption indicates relocated memory protected be of Stack can exploitation challenging. binary binary makes ELF ASLR the protection. of Independent section PIE Position text binding). the (i.e. immediate that features and relocations, out hardening read-only points security protected, of executables stack for presence (PIE), format Executable the standard for the Linux, binaries, Format) on Linkable and (Executable ELF backend. Wire’s by Cassandra hardening-check. into used was stored tool are The which metadata Cassandra. and to data queries all Language) inspect Query (Cassandra to CQL send to used mode. interactive in used be can and databases redis to queries send to user the allows frames WebSocket binary the show not does it mitm- limited: because is WebSocket necessary was for Wireshark support proxy’s connections. WebSocket over sent notifications mitmproxy. Wireshark. Tools. Python Wire 5 1 2 3 4 -fstack-protector https://packages.debian.org/buster/devscripts https://mitmproxy.org/ https://www.wireshark.org/ https://redis.io/topics/rediscli https://cassandra.apache.org/doc/latest/tools/cqlsh.html cqlsh redis-cli 4 Wireshark mitmproxy sa neatv omn ieitraefrCsadadtbss tis It databases. Cassandra for interface line command interactive an is hc rtcsaantsaksahn tak.Ra-nyrelocations Read-only attacks. smashing stack against protects which 3 h omn ieto hardening-check tool line command The sacmadln nefc o h e-au aaaerds It redis. database key-value the for interface line command a is hs iePto ol . eeue oaayeWr’ REST Wire’s analyze to used were 4.3 Tools Python Wire These 2 oeflntokpooo nlzr a sdt analyze to used was analyzer, protocol network powerful a , 1 cesd 22-February-2020 Accessed: , saPto a-ntemdl rx ol sd rma from Aside tool. proxy man-in-the-middle Python a is cesd 22-February-2020 Accessed: , -Wl,-z,now cesd 22-February-2020 Accessed: , ikrflg ftebnr a ul with built was binary the If flag. linker -Wl,-z,relro cesd 22-February-2020 Accessed: , 5 ikrflgwihi also is which flag linker losteue ocheck to user the allows cesd 22-February- Accessed: , Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. nri emsin n a oespotfrdtcigkonmlaeie detecting i.e. malware known detecting for support some has and permissions Android hc a eue ymmr orpinexploits. corruption memory by used be can which cesd 22-February-2020 Accessed: osade nlsso h L eu ossigo L etrs etfiae,configuration certificates, features, TLS of consisting setup TLS the of analysis deep a does twsntncsayt s hsfauebcuetesuc oewsraiyavailable. readily was code source the APKs, because decompile feature can this it use While to Windows. necessary and not iOS was Android, it on apps mobile analyzing February-2020 February-2020 which enabled. are are configuration versions TLS protocol the TLS for and factors suites Important cipher vulnerabilities. TLS common and length. key its with certificate certificate ssltest. algorithm the i.e. key of information public details cryptographic the all files. as and shows APK well algorithm also Android as signature it issuer, i.e. used certificate, and files fingerprint, the owner JAR read signed certificate to from i.e. certificates able itself read being to to used addition be In also can It keys. malware. provide keytool. to known are required which the APK shows the it Further, inside URLs tool. known Python standalone the as from analysis functionality in-depth analysis an tracker such the integrates also MobSF manifest Android not, via or i.e. used disabled actually explicitly are been classes Therefore, has tracker feature file. the tracking already whether the finds detect if only cannot particularly it it that a Thus, are of against method content runtime. namespace, this actual the that of the including and Drawbacks analyze trackers name, classes. not known class tracking does each known It compares of analyzes it file. list it instead APK services, files the tracking class inside potential all those files detect enumerate to class to Java order file In included manifest all app. Android the the by parses required It permissions results. analysis tracker regarding available also is service trackers. known ε regions memory available the reduces further RELRO Full RELRO. partial to opposed MobSF. ls hc stesadr akg omtfrAdod o nri emsin and permissions Android for Android, for format package standard the is which files, xodus-standalone. 11 10 9 8 6 7 https://github.com/MobSF/Mobile-Security-Framework-MobSF https://reports.exodus-privacy.eu.org/ https://manpages.debian.org/buster/devscripts/hardening-check.1.en.html https://www.ssllabs.com/ssltest/ https://docs.oracle.com/en/java/javase/11/tools/keytool.html https://github.com/Exodus-Privacy/exodus-standalone S evrts (ssltest) test server SSL Keytool h oieScrt rmwr (MobSF) Framework Security Mobile The ε ε ou s oacrandge,poet as oiieresults. positive false to prone degree, certain a to is, xodus ou-tnaoei h tnaoevrinof version standalone the is xodus-standalone 10 sato htmngsX59crictsadtercryptographic their and certificates X.509 manages that tool a is 8 ε ε h tnaoeto a hsnbcuei losmr insight more allows it because chosen was tool standalone The . xodus ou osol ttcaaye n odnmcaaye during analyses dynamic no and analyses static only does xodus 7 11 lostesai nlsso P Adodpackage) (Android APK of analysis static the allows sa niesriefraayigTSwbsres It servers. web TLS analyzing for service online an is cesd 22-February-2020 Accessed: , cesd 22-February-2020 Accessed: , 6 9 sascrt rmwr for framework security a is ε cesd 22-February-2020 Accessed: , ou u osntallow not does but xodus ε ou huha online an though xodus cesd 22- Accessed: , cesd 22- Accessed: , ..Aayi Tools Analysis 5.2. , 41 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. .Scrt nlsso Wire of Analysis Security 5. 42 wire e t a e 4 r c 3 network 2 docker 1 mitmproxy eecnetdt ahohrwti nitra okrntok ydfutDocker default By network. Docker internal an within other each to connected were ewrsawy aeacs oteetra ol hog h okrhs.However, host. Docker the through world external the to access have always networks ewr slto etr a hrfr sdt eiyta l xenldpnece of dependencies internal external removed. This the all properly services. that that were AWS backend verify some ensured Wire to i.e. was self-hosted used service the therefore it external was Docker, any feature to isolation of requests network feature any make network cannot internal services this using By create to used backend: was Wire command the Docker for connect following network The cannot Docker containers network. internal that internal the way the a of in outside the access to external restrict networks Docker internal containers tool all and Python container Docker the own its this, inside deployed For was backend the 5.1). of service figure Each bet also as well (see as backend server, the and client of between has services i.e. 4.2, man-in-the-middle internal setup multiple backend section the the communication, in backend to described added the were already analyze proxies as better To analyzing backend, for used. Wire also Backendbeen self-hosted and clients the Wire communication, backend metadata, Self-Hosted protocol, the Wire’s the of of analysis the Setup For Test Local to 5.3 order in servers DNS addresses. with IP interaction and allow names They domain two. about the information of query tool powerful most the host. dig, third- location. and server (first-party and cookies requests headers, third-party security attributes, HTTP cookie HTTPS, party), for checks It measures. more. webbkoll. and Referrer-Policy CSP, HSTS, i.e. headers security HTTP for sively securityheaders. 14 13 12 15 16 https://webbkoll.dataskydd.net/en/ https://securityheaders.com/ https://packages.debian.org/buster/dnsutils https://packages.debian.org/buster/bind9-host https://mitmproxy.org/ −− −− unt172.20.0.0/24\ 4 2 / 0 . 0 . 0 2 . 2 7 1 subnet \ l a n r e t n i − backend 16 hs w tools two These Webbkoll a sda a-ntemdl rx tool. proxy man-in-the-middle as used was itn .:Dce omn ocet nenlnetwork internal create to command Docker 5.1: Listing Securityheaders 13 −− saohroln olue o nlzn rvc protecting privacy analyzing for used tool online another is rde\ bridge r e v i r d cesd 22-February-2020 Accessed: , 415 14 a eue opromDSlous ihdgbeing dig with lookups, DNS perform to used be can cesd 22-February-2020 Accessed: , 12 sacekn ol vial nie en exclu- meant online, available tool, checking a is cesd 22-February-2020 Accessed: , cesd 22-February-2020 Accessed: , cesd 22-February-2020 Accessed: , ween Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. h e p,Ca n W a sdt ucsflyvrf httesl-otdbackend properly. self-hosted working the still that verify was successfully set to feature used reduced was the PWR with and Coax app, web The backend self-hosted the use to configured be to had PWR and Coax app, web clients: The nta fteoca iebced codnl,teULo h ETAIadteURL the and API REST the of URL the Accordingly, backend. Wire official the of instead mlmnscrict inn twsrqie oadacrepnigpnigfrthis for PWR, pinning also corresponding thus a and add Coax, to extended required certificate. the was self-signed into Because it certificate pinning browser. self-signed certificate the the transport implements of import the store to establish required To certificate was the backend. it self-hosted connection the HTTPS to encrypted changed were WebSocket the of the for self-signed needed generated. a are be which with to nginx-zauth-module, configured had the authentication, was for 2.0 keys nginx OAuth zauth proxy the reverse Further, the certificate. encryption transport For iue51 eu fteWr akn o h euiyanalysis security the for backend Wire the of Setup 5.1: Figure ..LclTs eu fteSl-otdWr Backend Wire Self-Hosted the of Setup Test Local 5.3. 43 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. h nlsso inlsadWr’ esgn rtcl a efre yuigthe using by performed was protocols messaging Wire’s and Signal’s of analysis The produc- the 6.1, itself To protocol messaging the Wire. of of analysis analysis the privacy into split and are security results the The of results the describes chapter This rs establishment. Trust inevrnet ftemsaigpafr .,teapaayi . n metadata and 6.3 analysis app the 6.2, platform messaging the of environments tion opromdaanwt l te sr.Ti oesteuaiiyadtu oesthe lowers thus and be usability has the lowers task verification This key However, users. manual other it. the all can to device attached with profile additional app) again Wire Web each A performed or for to desktop support. that iOS, key is Android, multiple drawback for (i.e. a devices support eight full to has up Wire have side, other are the devices On Secondary verification. that fingerprint is for secondary approach key multiple trusted. device master one transitively for primary-secondary the to option this linked compare the of simply be offers advantage users only but The can app) apps). profile iOS (desktop Signal or devices A Android keys. (either multiple device verification. for primary fingerprint key support key optional partial optional has and and Signal TOFU directory directory, key key uses uses Wire Signal verification. fingerprint establishment: trust for approach called is keys long-term cryptographic areas: [ problem al. three et Protocols Unger Messaging of systematization Wire’s and Signal’s of Analysis 6.1 needed. 6.4. where analysis analyzed been has too Signal results, the interpret and understand better rs salsmn nlsscnb eni al ..Bt ieadSga s layered a use Signal and Wire Both 6.1. table in seen be can analysis establishment trust rs establishment trust h rcs fuesecagn n eiyn ahother’s each verifying and exchanging users of process The 56 .Teeoe h nlssi iie notefollowing the into divided is analysis the Therefore, ]. rs establishment trust , ovrainsecurity conversation h efrac eut fthe of results performance The . and rnpr privacy transport Results CHAPTER . 45 6 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. 46 Results 6. weee otc’ e hne)ol per fe niiilkyfigrrn verification fingerprint key initial an after appears only changes) key contact’s a (whenever iepromi ovrainscrt a ese ntbe62 h etrsdifferentiate features The 6.2. table in seen be can security conversation in perform Wire eicto ae nQ-oe.Tu,Wr sr aet s h eaeia based hexadecimal the use to have users Wire Thus, QR-codes. on based verification fWr ntrso rs salsmn euiyi htteTF ann message warning TOFU the downside that is Another security friendly. establishment user trust very of terms not in is Wire which of fingerprint key of representation esgs nietly inlhsaddmlidvc upr ic h ulcto of publication the since asynchronous [ support for al. multi-device Diffie- prekeys et added triple as Unger well has the as Signal and Incidentally, algorithm AKE) ratchet messages. (3-DH double exchange key the authenticated uses Hellman Signal encryption message 1:1 For and Signal how rows. of results The messages. encrypt to protocols provide cryptographic to of has use solution the messaging secure a messages, fingerprints. warnings Security. their fewer Conversation verify because to usability managed the not improves have this users hand, if other displayed the are On contact. that of fingerprint for support lacks further Wire and Signal, task with verification Compared fingerprint key authentication. manual strong the lowers perform users that probability ewe : n ru esgn n hrfr inladWr r eotdi separate in reported are Wire and Signal therefore and messaging group and 1:1 between ceePooo euiyadPiayAoto ru Chat Group Adoption Privacy and Security Protocol Scheme Piws xlt+utcs nrpinWire Encryption Axolotl+Multicast +Pairwise Dul ace+D K+rky Wire AKE+Prekeys Ratchet+3DH +Double Piws xlt+utcs nrpinSignal Encryption Axolotl+Multicast +Pairwise Topology Network+Star Signal OTR AKE+Prekeys Ratchet+3DH +Double DH Authenticated e ietr+OUOtoa eicto Signal Verification Directory+TOFU+Optional Key Scheme e ietr+pinlVrfiainWire Verification Directory+Optional Key al .:Cnesto euiyo inl&Wr,bsdo ne ta.[56] al. et Unger on based Wire, & Signal of security Conversation 6.2: Table al .:Tutetbiheto inl&Wr,bsdo ne ta.[56] al. et Unger on based Wire, & Signal of establishment Trust 6.1: Table 56 .Wr sstesm esg euiypooo sSga o : messages. 1:1 for Signal as protocol security message same the uses Wire ].

rvdsproperty; provides = rvdsproperty; provides = rtclScrt etrsUaiiyAdoption Usability Features Security Protocol nodrt rtc h euiyadpiayo exchanged of privacy and security the protect to order In

Confidentiality G#

G# Integrity #G #G G# G# G# G# #G #G G# G# G# G# atal rvdspoet;-=de o rvd property provide not does = - property; provides partially = atal rvdspoet;-=de o rvd property provide not does = - property; provides partially = Network MitM Prevented Authentication - - Participant Consistency Operator MitM Prevented

Destination Validation Operator MitM Detected

Forward Secrecy Operator Accountability

Backward Secrecy Key Revocation Possible - - - - - Anonymity Preserving - Privacy Preserving

#G#

#G# Speaker Consistency

# G# Automatic Key Initialization Causality Preserving ovrainsecurity conversation - - - - Global Transcript Low Key Maintenance

#G G# G# G# #G G# G# G# Message Unlinkability Easy Key Discovery

Message Repudiation Easy Key Recovery

Particip. Repudiation In-Band

No Shared Secrets Out-of-Order Resilient - Alert-less Key Renewal Dropped Message Resilient

Immediate Enrollment Asynchronicity - - Inattentive User Resistant Multi-Devices Support - - - - G# No Additional Service G# hsrequires This . Multiple Key Support - -

Computational Equality No Service Provider

Trust Equality No Auditing Required

- Subgroup Messaging No Name Squatting

Contractable Asynchronous

Expandable Scalable Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. ie edr eevr hc ovrain shde uigteecag fmessages of exchange the during hidden is conversation) which receiver, sender, (i.e. as nw sdul ace)admliatecyto.Wr osntuetemulticast the use not does Wire encryption. multicast and ratchet) double as known (also ieuetemliatecyto etr u opromneraosa esgsare messages as reasons performance to due feature encryption multicast the use Wire h rdcinevrnet fSga’ n iesbcedadwbie aebeen have websites and backend Wire’s and Signal’s of environments production The mrvssne nnmt.Adtoal,Sga a etrpriiainanonymity participation better has Signal Additionally, anonymity. sender improves ewe h atcpns h eut ftetasotpiayaayi a ese in seen be can analysis privacy transport the of results The participants. the between nlzd o hsaayi h olwn ol aebe sd h nieservices online the used: been have tools following the analysis this For analyzed. n ot52 h eut fti nlsscnb eni al . o h akn analysis backend the for 6.4 table in dig seen analysis. tools website be can line the analysis command for this the 6.5 of as table results well and The as 5.2 5.2. webbkoll host and and 5.2 securityheaders 5.2, ssltest Production Wire’s and Signal’s of Analysis 1:1 6.2 accept metadata. non-temporary to user additional need that storing users means thus backend, this because However, the control, in messages. spam stored send are better can connections participant has a Wire before side, conversations which to other belong the messages On which end-to-end see inside not ID does group server its the conversation. hides thus it messages, because 1:1 Wire encrypted than properties unlinkability [ and al. et Unger of publication the Since scheme. store-and-forward the use Wire and Signal Both 6.3. table privacy. Transport messages. text assets) simple as just known than also larger (internally much message files usually same media the for uses However, it messages. Instead 1:1 messaging. in group as in encryption messages text axolotl simple pairwise for topology, encryption star network, OTR scheme the uses Signal messaging group For ceePooo rvc sblt Adoption Usability Signal Store-and-Forward Privacy Protocol Scheme tr-n-owr ie------Wire Store-and-Forward al .:Tasotpiayo inl&Wr,bsdo ne ta.[56] al. et Unger on based Wire, & Signal of privacy Transport 6.3: Table Environments

rvdsproperty; provides = rnpr rvc enshwmc omncto metadata communication much how defines privacy Transport G# Sender Anonymity G# - Recipient Anonymity atal rvdspoet;-=de o rvd property provide not does = - property; provides partially = #G#G#

Particip. Anonymity Environments Production Wire’s and Signal’s of Analysis 6.2.

Unlinkability -

56 Global Adv. Resistant ,Sga nrdcdsae edr[ sender sealed introduced Signal ], # G# G# Contact Discovery

No Message Delays

No Message Drops

Easy Initialization

No Fees Required

Topology Independent

- - - No Additional Service # G# Spam/Flood Resistant

Low Storage

Low Bandwidth

29 Low Computation which ] Asynchronous

Scalable 47 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. 48 Results 6. p ie.cmhsCArcr com" . t r e c i g i d prod " host 8 e $ u s s i 7 0 6 prod record host 5 CAA $ has 4 com . 3 wire . app host 2 $ 1 a tln nti cnroi ol neesrl xoealdvcswtotteupdate the without it devices case all in expose certificate unnecessarily valid would this it untrust scenario explicitly this to In clients its stolen. all was update to need would at ftewbie r otdi h S o instance, For US. the in hosted are websites the of parts analysis. Website threat. leaf potential a this for to long Signal too Therefore, much revocation. is certificate future until for valid the support are in no backend years with Signal’s 9 combination should for date which in certificates expiration certificate services leaf An backend The also 2029. its Signal future. 12th on 1.2, near March 1.1 TLS the and to in As 1.0 removed addition protocols pinning. In be TLS certificate exclusively. deprecated uses 1.2 the additionally TLS Wire supports uses app Wire web protocol the transport except clients Wire all For records). CAA DNS the backend of Wire’s analysis for for certificates allows 6.1 issue Wire listing to CA. (see authorization malicious domains certificate a exclusive from as [ created authority DigiCert (CAA) certificates only certificate Authorization mitigate trusted Authority the to publicly Certification On transparency the DNS certificate certificate. from uses root signed self-signed it this certificate Further, own trust a its DigiCert. to uses uses need Wire instead Signal clients hand, but that Signal other EU. authorities means all the certificate Obviously, which in root services certificate. servers backend trusted root Wire’s its on and for build US certificate not the root does in untrusted located an are uses servers Signal Signal’s that difference the akn evcsanalysis. services Backend etfiaetransparency Certificate eoainifrainNn oeCL CPCL OCSP CRL, OCSP CRL, None None information Revocation Sol ihrsuites cipher only FS intr algorithm Signature − − etfiaeise eteue(nrse A eteue(nrse A iietDigiCert DigiCert CA) (untrusted TextSecure CA) (untrusted TextSecure issuer Certificate evrhse yAao mznAao Amazon Amazon Amazon Amazon by hosted Server etvldutl1-a-091-a-091-a-0011-Mar-2020 11-Mar-2020 12-Mar-2029 12-Mar-2029 until valid Cert nginz nginz evrlcto SU UEU EU US US location Server L rtcl L .,11 . L .,11 . L . L 1.2 TLS 1.2 TLS 1.2 1.1, 1.0, TLS 1.2 1.1, 1.0, TLS protocols TLS − − − S eotT()T()A A+ A+ (A) T (A) T Report SSL N CAA DNS a prod caa t prod caa t com . wire . app caa t al .:Evrneto inlsadWr’ esgn backend messaging Wire’s and Signal’s of Environment 6.4: Table − − R eteuesriewiprytm.r d.inlogpo-gn-tp.iecmprod-nginz-ssl.wire.com prod-nginz-https.wire.com cdn.signal.org textsecure-service.whispersystems.org URL e S 08btRA24 i S 08btRA49 bit 4096 RSA bit 2048 RSA bit 2048 RSA bit 2048 RSA Key tp ie.cmhsCArcr com" . t r e c i g i d " d l i w e u s s i 0 record CAA has com . wire . https ie.cmhsCArcr com" . t r e c i g i d " d l i w e u s s i 0 record CAA has com . wire . l s s itn .:Isetn iesDSrcr o A support CAA for record DNS Wire’s Inspecting 6.1: Listing − − ept iesaigta hi evr r oae nteE,some EU, the in located are servers their that stating Wire Despite H26ihS H26ihS H26ihS SHA256withRSA SHA256withRSA SHA256withRSA SHA256withRSA nginz nginz inlBcedSga D ieBcedWr WebSocket Wire Backend Wire CDN Signal Backend Signal ✓ ✓ ✗ ✗ ✓ ✓ ✗ ✗ ✓ ✗ ✓ ✗ − − tp ie.com . wire . https ie.com . wire . l s s inladWr r ohhse yAao W with AWS Amazon by hosted both are Wire and Signal wire.com ssthird-party uses (wire.com) 15 and ] Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. 0waeea.znek.cm.90I 1 1 1 . 5 5 . 6 1 . 4 0 1 A IN 900 . com . zendesk . wearezeta 10 erzt eds o 0 NA104.16.54.111 1 1 . 4 5 . 6 1 1 . 1 4 1 0 . 1 3 5 . 6 1 1 . 1 4 1 0 . 1 2 5 . 6 1 1 . 1 4 1 0 . 1 1 5 . 6 1 c . . 4 0 1 zendesk A . l s s . A wearezeta A zend CNAME A IN . IN wearezeta IN CNAME 900 IN IN 900 . com . 900 . zendesk com IN . . 300 900 . zendesk com wearezeta . . 900 9 . zendesk . com wearezeta . com . . 8 zendesk zendesk wearezeta . . l 7 s s wearezeta . . com . 6 wearezeta wire . 5 com support . ANSWER SECTION: wire 4 ; . ; . support 3 . . dig 2 $ 1 est.Aohripratwbiei iesspotwbiewihi loreferenced also is which website support Wire’s is website important Another website. upr udmisrslet h aepbi P4adessa a ese nlistings in seen be can as both Actually, in addresses IPv4 located provider. public also same 6.3. same is the and the which on 6.2 to Zendesk site resolve by support hosted subdomains its is support hosts site Signal Incidentally, support US. This the apps. Wire’s within from to requests SSicuesubdomain include HSTS X-Content-Type-Options r at evrlcto SU,D SUS US DE US, US location server party 3rd euiyHaesRpr C C A D Report Headers Security etfiaetransparency Certificate Content-Security-Policy eoainifrainCL CPCL CPOS OCSP OCSP OCSP CRL, OCSP CRL, information Revocation Sol ihrsuites cipher only FS intr algorithm Signature oRfresleaked Referrers No euecoisonly cookies Secure est otdb mznAao eds Zendesk Zendesk Amazon Amazon by hosted Website r at euss9t nqehss2 o2uiu ot1 o7uiu ot 9t nqehosts unique 5 to 19 hosts unique 7 to 15 host unique 2 to 22 hosts unique 5 to 9 requests party 3rd X-XSS-Protection X-Frame-Options r at oke 3 3 0 1 cookies party 3rd s at oke 4 7 4 2 cookies party 1st etfiaeise mznDgCr e’ nrp e’ Encrypt Let’s Encrypt Let’s DigiCert Amazon issuer Certificate Referrer-Policy evrlcto SE SUS US Amazon Amazon EU Google US Google location Server by hosted Mail L rtcl L .,12TS12TS12TS1.2 TLS 1.2 TLS 1.2 TLS 1.2 1.1, TLS protocols TLS SSpreload HSTS S eotA +AA A A+ A+ Report SSL N CAA DNS images.ctfassets.net itn .:Isetn iesDSrcr o t upr site support its for record DNS Wire’s Inspecting 6.2: Listing al .:Aayi eut fSga’ n ieswebsites Wire’s and Signal’s of results Analysis 6.5: Table HSTS R inlogwr.o upr.inlogsupport.wire.com support.signal.org wire.com signal.org URL e S 08btRA24 i S 06btRA49 bit 4096 RSA bit 4096 RSA bit 2048 RSA bit 2048 RSA Key H26ihS H26ihS H26ihS SHA256withRSA SHA256withRSA SHA256withRSA SHA256withRSA inlWr inlWire Signal Wire Signal ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✗ ✗ ✓ ✗ ✓ ✓ ✓ ✗ ✓ ✓ ✗ ✗ ✓ ✓ ✗ ✗ ✓ ✓ ✓ ✓ ✗ ✗ ✗ ✗ ✗ ✗ ✗ ✗ ✓ ✗ ✗ ✗ ✓ ✗ ✓ ✗ ✗ ✗ ✓ ✗ iehse nteU,t tr mgso h Wire the of images store to US, the in hosted site a , ..Aayi fSga’ n iesPouto Environments Production Wire’s and Signal’s of Analysis 6.2. toshort) (too - - s o . com . esk ✓ toshort) (too (wire.com) m. om 49 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. 50 Results 6. wspot.znek.cm.90I 1 1 1 . 5 5 . 6 1 1 . 1 4 1 0 . 1 4 5 . 6 1 1 . 1 4 1 0 . 1 3 5 . 6 1 1 . 1 4 1 0 . 1 2 5 . 6 1 1 . 1 4 1 0 . 1 1 co 5 . . 6 1 A . 4 0 1 zendesk . A owssupport A CNAME A IN A IN IN IN 900 IN . com . 900 IN . zendesk com . . 900 300 . zendesk com owssupport . . 900 9 . zendesk com owssupport . . 900 8 . zendesk com owssupport . . . 7 org zendesk owssupport . . l a 6 n g i s owssupport . org 5 . l a support n ANSWER g SECTION: i s 4 ; . ; . support 3 . . dig 2 $ 1 l ps xetCa,spotdvc eicto n hwawrigmsaei new a if message warning a show and verification device support Coax, except apps, All Electron), on based is (which Linux on app desktop Wire app, web Wire app, Android h L ofiuaino ohspotstscnb mrvda ela inl main Signals as well as improved be can sites support both of configuration TLS The h olwn ieap aebe nlzdrgrigpiayadscrt etrs Wire features: security and privacy regarding analyzed been have apps Wire following The To apps. Wire’s of analysis security the of results the describe subsections following The eiei sdatrpirvrfiain nyPRsosa diinlwrigmessage warning additional an shows PWR Only verification. prior after used is device pinning from certificate and profits support CAA not it DNS does but client certificate: pinning Coax the either. original app in certificate The desktop trust implement transparency. the Electron not improve certificate the which does Android, technologies app on alternative Certificate web connection some 1.1. TLS The TLS the PWR. supports harden additionally and to Coax used only is 1.2, pinning TLS can use results clients The all testing. Generally, manual 6.6. and the table inspection comparison in code this found manual For by be (PWR). analyzed PurpleWireRust been and have Coax apps clients experimental the and Apps Wire Between Privacy and Security of Differences 6.3.1 each with compared equivalent. either Signal been the have to they compared results, or the other interpret and understand better Apps Wire’s of Analysis Security 6.3 of any on flags even cookie has and side headers other security the and HTTP websites. on i.e. Secure regarding its Signal attacks improvement the mitigating applicable. for setting in where always room useful HTTPOnly by more be set too to and improved months, flags be 6 SameSite should recommended flags the Cookie to poorly not SSL-stripping. is if which days, but header, 30 used HSTS of appropriately the are particularly Signals site site, The from main support 1.1 configured. Wire’s Wire’s TLS on of dropping improved headers and be security suites should HTTP cipher The secrecy forward site. non main all dropping by site itn .:Isetn inlsDSrcr o t upr site support its for record DNS Signal’s Inspecting 6.3: Listing max-age aaee sstt as u hudb e oaminimum a to set be should but days, 3 to set is parameter . m Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. h tools The and app web Wire’s backups. encrypted supports that one only the is app Android The Android the Only apps. Wire all between significantly differs prekeys of management The eue,Sga antb sdwtotapoenme.I h emsint access to permission can the address If email number. an phone and a optional without is used number be 6.7. phone cannot table the Signal in where used, found be Wire, be can to analysis contrast this In of results The Wire. and Signal Android Wire’s and Signal’s of Analysis Privacy and Security the if revealed only 6.3.2 is address browser. IP web user’s a automatically The with not clients. link for does receiving the benefit which all opens A sender-side of recipient on before. address generated browser IP only web IP the the is a the leak to preview with has the client website likely that the most the provider is visited of privacy service sender optional address the the the Although IP if supports already, the link. app address provided leaks desktop the which The of provider previews, preview. service link link generating a feature of a not disabling have do not PWR do and PWR Coax and Coax all. backups. at unencrypted feature support backup only key prekeys. client fallback available desktop as further the used no prekeys is are key 9 there last only as that the long means because as This secrecy session forward 10. new the perfect to a each Android, full up for only on with filled like supports used be threshold, always be app no will can The desktop is prekeys prekeys. there Electron of 50 Although the pool of prekeys. available and keys threshold 10 app new the of generates web under number and falls maximum the prekeys prekeys of available 100 management of to count up prekeys the supports if It needed implementation. as good which a client has Wire app only the is PWR Therefore, technique. before. TOFU verified the been implements not properly has device the if lr e eie ihu ro verification prior without devices new Alert al .:Wr ps-weete ieetaergrigpiay&scrt features security & privacy regarding differentiate they where - apps Wire 6.6: Table lr e eie ihpirverification prior with devices new Alert Apps ε ou,MbFadkyolhv enue oaayeteAdodap of apps Android the analyze to used been have keytool and MobSF xodus, ial ikpreview link Disable eeae e keys new Generates ubro rky 0 01 0 200 200 10 10 100 prekeys of Number etfiaepinning Certificate eieverification Device nrpe backup Encrypted etr nri e p eko Lnx oxPWR Coax (Linux) Desktop app Web Android Feature L . . . .,121.2 1.2 1.1, 1.2 1.2 1.2 TLS ✓ ✗ ✓ ✓ ✓ ✓ ✗ ✓ ✓ ✓ ✗ ✗ ✓ ✗ ✗ ✓ ✓ ✓ ✓ ✗ ✓ ✗ ✓ ✓ ✗ ✗ ✗ ✗ ✓ ✗ ✗ ..Scrt nlsso iesApps Wire’s of Analysis Security 6.3. / N/A N/A / N/A N/A 51 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. .Results 6. 52 ieadSga okwl na nri niomn fteevrneti without is environment the if environment Android an in well work Signal and Wire h p inn etfiaekyo inli ny12 i ogwihi o hr o a for short too is which long bit 1024 only is Signal of key certificate signing app The elne si svldutlJn 0h24.Seas itns64ad64 ohAndroid Both 6.4. and 6.4 listings also also should See which key 2040. bit 30th 2048 June a until has valid Wire is it 2045. as 16th longer May until be valid is that certificate Instead, link. website. download Signal’s the page on this download for play APK URL Google the exact of the to know absence link to the direct have in no users websites is their there However, via download store. APK alternative an support if shown only are they because problem this them. be easily. to shared will confusing solution owner contact become partial profile any can a the since conversations only usable group are barely Especially profiles is only. Signal Signal number given, phone not as is listed book address phone’s the Ap n hswtotFMie utmAdodRM.Bt,Wr n Signal, and Wire Both, ROMs. Android Custom i.e. FCM without thus and GApps nie ute,tepg eursatidpryJvSrp rmGol oatal show actually to Google from JavaScript third-party a requires page the Further, engine. 1 rvdsfigrrn fapsgigcertificate signing app of fingerprint Provides https://signal.org/android/apk/ al .:Piay&scrt etrso inladWr nAndroid on Wire and Signal of features security & Privacy 6.7: Table sbewtotadesbo podbarely upload book address without Usable sbewtotGol lyStore Play Google without Usable p inn etfiaevldutl1-a-0530-June-2040 16-May-2045 until valid certificate signing App dneos nri emsin 77 17 permissions Android (dangerous) rvdsdrc P download APK direct Provides sbewtotpoenumber phone without Usable rvdsSA26smo file of sum SHA-256 Provides e nepitverification fingerprint Key p inn etfiaekyRA12 i S 08bit 2048 RSA bit 1024 RSA key certificate signing App al nri emsin 519 65 permissions Android (all) eicto i QR-Code via Verification p inn algorithm signing App cenhtprotection Screenshot nlzdapvrin45. 3.44.877 4.52.4 version app Analyzed sbewtotFCM without Usable etfiaepinning Certificate r at rces00 0 trackers party 3rd eldsender Sealed p locking App cesd 22-February-2020 Accessed: , etr inlWire Signal Feature 1 rsac h aevaa nentsearch internet an via page the search or H1ihS SHA1withRSA SHA1withRSA ✗ ✗ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✗ ✓ ✗ ✓ Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. 2SbetPbi e loih 2048 F : : 1 6 : 8 4 Algorithm : SHA1withRSA 4 4 3 : Key 6 6 : : name 6 : 8 : F7 Public : 4 Version 3 : 4 algorithm 8 13 5D:FD: : Subject F8 : E3 : 12 6 2 : Signature 6 1 11 : SHA256 10 1024 : 6 : Algorithm 1 7 SHA1withRSA : D6 : 3 Key F9 : 5B: name :BC: : 4 2 : Public B4 : Version 1 1 : algorithm F2 13 : 7 2 Subject : 5F 12 4E: : F3 : Signature 9 2 11 : SHA256 10 : s 2013 t n CET i r p r 1 e 3 g : n 3 i 5 : f 2 1 e t 12 a c i f Feb i t r e Tue C ST=U a2d3b 9 511 : , L=Unknown from : , number O=Zeta ST=Un Valid OU=Unknown l , a CN=Unknown i 8 , L=Unknown , r e S : , r e O=Zeta 7 u s s OU=Unknown I , CN=Unknown , 6 : : Owner 5 Signature 4 3 l o o Signer t y e k 2 $ 1 : s t 2010 n i r CEST p r e g 2 n 4 i : f 4 2 : 7 1 e t a 25 c i f i May t r e Tue C Development bfbebba 9 4 : and from : number OU=Research , Valid , l a i 8 r Development Systems e S and CN=Whisper 7 : r OU=Research e u s s , I 6 Systems CN=Whisper : : Owner 5 Signature 4 3 l o o Signer t y e k 2 $ 1 agru emsin sas ihr oeo hs emsin r eae oSignal’s to related are permissions those of of number Some the Additionally, higher. Wire. also than is Gradle Android permissions the from dangerous in in permissions false-positive removed more a were many library silence requires analytics to firebase 6.7 the file the of build Wire, traces In remaining trackers. last third-party some any without tracker come anonymity. last Wire sender and improves Signal verification. which fingerprint both sender Fortunately, key veri- sealed of for for usability support support the has has improves Signal Signal greatly Further, that which is QR-Code screenshot difference via locking, One fication app verification. pinning, certificate fingerprint key i.e. protection, features security important have apps Both used be not must SHA1 SHA1withRSA. algorithm signing app anymore. insecure the use apps =itbrh,S=A C=US ST=PA, , L=Pittsburgh 2040 2045 =itbrh,S=A C=US ST=PA, , L=Pittsburgh C C 9:D 3 2 5 A3: : F 8 : 8 2 : 5 8 : D5 : B9 4C: : 0 3 1C: : 1:64:16:C B:26 2 :BA: 6 7 : 2 6 : 4 4 :FC: 6 1 : 4 6 : C1 : 5 3 : 1: #1 : #1 − − ogeFrbs Analytics Firebase Google t r e c t n i r p t r e c t n i r p itn .:kyolotu rmSga APK Signal from output keytool 6.4: Listing itn .:kyolotu rmWr APK Wire from output keytool 6.5: Listing − − wire e l i f r a j Signal e l i f r a j a ialdi iesAdodmnfs . and 6.6 manifest Android Wire’s in disabled was − − − prod S key RSA t i b key RSA t i b − ε website ou.A a ese ntbe67 Signal 6.7, table on seen be can As xodus. − e s a e l e r until until − l a s r e v i n u a u 013:53:31CEST 1 3 : 3 5 : 3 1 30 Jun Sat : − u a 617:24:42CEST 2 4 : 4 2 : 7 1 16 May Tue : .487 apk 3.44.877. ..Scrt nlsso iesApps Wire’s of Analysis Security 6.3. 0:AF:A D:35:AF 5 3 :DA: A2 :EA:FB: C0 : 2 5:C F:37:7:28:4C : 8 2 7A: : 7 3 :FB: C8 : E5 : 4 − nw C=Unknown , known e s a e l e r kon,C=Unknown , nknown =hse ytm , Systems O=Whisper , =hse ytm , Systems O=Whisper − apk . 4 . 2 5 . 4 53 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. .Results 6. 54 xld ru cm.gol oue:’firebas a b e r i f ’ s a b e r i f : ’ module : , ’ module e s a , b e ’ r i f e s . a b e r i f google e s . . a b ’com . e r . i f . google } : . : ’com e s 8 a group b e } r : i f 7 . group exclude google 6 . com ’ exclude ( 5 implementation . 4 . . { 3 2 dependencies 1 " e s l a f e=" u l a v : /> d i o r d " n a true e=" u l a v : d i o r d n a nteFMcore FCM the in g n i k c a r t e l b a s i D − − aaadodnm= a e d _ n o i t c e l l o c _ s google_analytics_adid_collection_ c i t y l a n a _ android:name=" e s a b e r i f data android:name=" data onco ’ connector itn .:Dsbe C rcigi iesAdodmanifest Android Wire’s in tracking FCM Disabled 6.6: Listing al .:DneosAdodprisoso inladWire and Signal of permissions Android Dangerous 6.8: Table agru emsin on 77 17 count permissions Dangerous WRITE_EXTERNAL_STORAGE WRITE_CONTACTS WRITE_CALENDAR SEND_SMS RECORD_AUDIO RECEIVE_SMS RECEIVE_MMS Wire READ_SMS Signal READ_PHONE_STATE READ_EXTERNAL_STORAGE READ_CONTACTS READ_CALENDAR GET_ACCOUNTS CAMERA CALL_PHONE ACCESS_FINE_LOCATION ACCESS_COARSE_LOCATION Permission −− > − esgn { ) ’ 0 . 3 . 7 1 : messaging ✗ ✗ ✗ ✗ ✗ ✗ ✗ ✗ ✗ ✗ ✗ ✗ ✗ ✗ ✗ ✗ ✗ ✗ ✗ ✗ ✗ ✗ ✗ ✗ e e nbe " enabled " d e t a v i t c − − measurement ’ s c i t y l a n a − Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. PE,sakpoetd edol eoain,adimdaebnig fSga’ and Signal’s of binding) immediate and relocations, read-only protected, stack (PIE), iesdstpap,tetool the apps, desktop Wire’s hmadwe.T eie h n-oedecytdmsae otergtrecipients, right the to messages to encrypted messages end-to-end sends the who deliver To on information when. contains and services whom messaging for metadata internal Typical the to access gains or TLS encryption transport the breaks successfully who a deletion. after intended deleted without gets database but the database in the stored in is stored which or traffic network the metadata within This sent Wire. is in which accumulated get which metadata all enumerates section This Executable Independent Position (i.e. features hardening security Linux the compare To a edffrnitdit w itnttpso eaaa is,tmoaymetadata temporary First, metadata: of types distinct two into differentiated be can eprr eaaa(..dt etwti ewr traffic). network within sent data (i.e. metadata Temporary rvt ewr fWr’ akn ie evc rvdr)cudra hsmtdt.This metadata. this read could adversary providers) metadata. An service this enumerates clients. (i.e. section right backend is the Wire’s metadata to of This network messages private deliver 3.4. section i.e. in operate described encryption to TLS as backend the nginx the because proxy by text private reverse needed plain the the in inside at sent Additionally, terminated is server. metadata is and this backend, client Wire’s between of TLS network via encrypted only but data i.e. metadata non-temporary is type second The time. of period defined strictly upstream the by caused support was enabled This recently binding. only immediate project. Signal enabled and four Electron and not relocation all Wire has read-only of of Coax Signal PIE, use client apps nutshell, for make Wire desktop a plugin experimental The In PWR the 6.9. protection. the Only stack table with Linux. in pidgin on seen PWR and features plugin be apps hardening Wire can electron the results desktop with The Wire’s Pidgin well. and and as coax analyzed client been Rust have the Further, inspection. code Hardening Security Linux for Apps Desktop of Analysis 6.3.3 . eaaaAayi fWire of Analysis Metadata 6.4 muto eaaawihi o n-oedecytdwt rtu ewe clients, between Proteus with encrypted end-to-end not is which metadata of amount edol relocations Read-only nlzdapvrin12. .221 i .20+Git + 2.12.0 Git 3.12.2916 1.29.3 version app Analyzed meit binding Immediate Features tc protected Stack al .:Dstpap euiyhreigfaue nLinux on features hardening security - apps Desktop 6.9: Table I (ASLR) PIE etr inlDstpWr eko oxPdi PWR + Pidgin Coax Desktop Wire Desktop Signal Feature hardening-check ✓ ✓ ✓ ✓ ✓ ✓ ✗ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ . a enue nadto omanual to addition in used been has 5.2 ..Mtdt nlsso Wire of Analysis Metadata 6.4. hr ssome is There 55 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. .Results 6. 56 (yes/no). iehsn upr o eldsne ieSga hc ol mrv edraoyiyof anonymity sender improve would which Signal like sender sealed for support no ID, has Wire message unique a i.e operate to metadata some needs protocol messaging Wire’s nte xml o eprr eaaai iei,wosace hmadwe by when and whom searches who is, Wire in metadata temporary for example Another ieo creation. of time etysoe oemtdt npantx nisbceddtbss hrfr,any Therefore, databases. backend its in text plain in metadata some stores nently ietm fls pae n niemsae(uoaial eeae yteap with apps the by generated (automatically message user invite cancelled), the a and or encompass DELETE, sent update, metadata ignored, for last These pending, API it of blocked, updates. no established timestamp (accepted, connection is status been for there connection has PUT Since fields: via users following forever. blocked messages two stored be between sends be only connection who will can and a i.e. deleted once be connections means, cannot user This about whom. metadata to stores also previews Wire link Further, send and (yes/no) server- errors on report metadata (yes/no), some wire stores improve additionally settings: endpoint app privacy web API the the apps, via mobile side a the from to originates contrast data In geolocation The at longitude) well. and as (latitude stored data is database name geolocation browser GeoIP for creation and the MaxMind’s model device time or phone of the model, the time Further, phone and the (i.e. and Linux app). class vendor web app: device phone the web the mobile for for id, (i.e. (OS device model label a and device stored: phones), the is phone), metadata or following book desktop the address device the user support address each to email For stored the also to are addition picture, those In profile of feature. locale. hashes optional upload number, the SHA256 an phone and number username), and/or accent_id) phone as address as or known email (mapped (also an color handle ID, profile user user a a unique name, a profile stores: the Wire to user access each metadata. For gains non-temporary who this administrators) read rogue can or database providers this service malicious database). (i.e. adversary server in stored data (i.e. metadata device Non-temporary the devices. of multiple address write uses IP they user the do the and if languages when i.e. accepted devices and metadata system, or online produces operating user also agent, a (HTTPS) user is protocol HTTP when underlying the Or Furthermore, feature. messages. search people not Wire’s but too. using devices metadata all contains to 3.2.4 forwarded notification is each Further, message the weeks. until metadata, 4 server unencrypted than the the longer on with stored together temporarily messages, are encrypted the end-to-end from The devices messages. involved all as well as users recipient recipients. all the and and user sender sending the of UUIDs 2 https://hackage.haskell.org/package/geoip2 /properties/webapp 2 hc sdrvdfo h Padeso h eiea the at device the of address IP the from derived is which cesd 22-February-2020 Accessed: , hc otiswbapstig i.e. settings app web contains which ieperma- Wire Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. nte yeo eaaawihi trdo evrsd r h ymti encryption symmetric the are server-side on stored is which metadata of type Another creator, conversation fields: following the stores Wire metadata conversation of part As evrvateRS P.Psil takseaiswudb . h itmue just user victim the i.e a be of the would exfiltration from scenarios in attack metadata result Possible can temporary API. This some is REST as app. which the well web token via as the user server of metadata long-lived case non-temporary the in entire or cookie user’s credentials browser user’s a a as of stored hold getting by metadata efudb ete rfienm o ata srae hsfauewsacse ythe by accessed was feature cannot This user a username. opt-out of partial this out nor call: using opt name API By to profile following users people-search. neither allows the by features, of found backend results be rather search or in are features, included which API being features unused API these some of found clients. One I Wire Wire by of use analysis in security not the People-Searchcurrently of From course Opt-Out the Feature: During API Unused user given 6.4.1 any for color profile and picture API profile user name, the profile ID. with i.e. Combined revealing users. user Wire cious most enumerate /users to exfiltration. abused GET be metadata can 3.2.5 partial ture and key enumeration private User actual the to access metadata need the not devices. Because network does the attacks. the attacker of mitm where the material browser using network encrypted, the by end-to-end corporate to inspection not a access packet is in has deep attacker be TLS the would does and scenario operator out another logging Or of instead afterwards. tab browser the closed credentials. stolen with exfiltration Metadata TLS. connection WebSocket with and encrypted API transport REST only Wire’s are On notifications services. for such is notification used encryption push are additional for this keys However, used These client only notifications. ID, code). of user authentication metadata the temporary (message the includes key encrypting also MAC metadata and key, this encryption To ID, delivery. notification encrypted leaving for thus keys and conversation a indefinitely. deleting server for cannot the endpoint conversation on API a metadata information no created, the important is once all leak worse, there could matters because which make deleted text, to be plain And in Once group conversation. stored or the member. is 1:1 about each metadata of (i.e. this role conversation all conversation of again, the type and the members name, conversation conversation conversation), background. deleted, this the field Although, in boolean sent Bob). the gets Wire. only on and connect use Let’s in Alice, not Hi currently is i.e. message profiles invite both of names the oeo h bv o-eprr eaaacudb cesdb mali- a by accessed be could metadata non-temporary above the of some natce a anacs to access gain can attacker An ..Mtdt nlsso Wire of Analysis Metadata 6.4. h epesac fea- search people The 57 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. 58 .Results 6. U erhbe’: ’ searchable ’ { e l b a h c r a e s / f l e s / PUT 1 /users/handles/ ieuesb sn h epesac ucini hrfr esstraightforward. less therefore is function people-search the using by users Wire Pst erhfrpol sdsrbdi eto 3.2.5. section in described as people for search to APIs hc ban t nwr yacsigEatcerh oee,teue adeAPI handle user the However, Elasticsearch. accessing API search by the answers by its found be obtains cannot which user the that ensures This field Boolean the updates call API This h nwo us h orc srae diinly natmtdeueaino all of enumeration automated an Additionally, username. correct the guess or found know easily who be cannot they because users of privacy with the search increase to can necessary feature is opt-out This it people-search, of opt-out to chosen have who people add To i epesac n hstepbi rfieifrain(o-eprr eaaa i.e. metadata) (non-temporary information profile public the thus and people-search via srae rfienm,pol itr n rfieclr a nyb cesdb people by accessed be only can color, profile and picture profile name, profile username, found. be cannot user the otherwise username, both exact use the clients Wire ID. user given any for color profile API and user picture the profile accessing name, by profile user the about information index. the from (username, user data corresponding source the the of removing name) by normalized updated and is name Elasticsearch profile engine search the of table srI ftehnl uenm)eit.Ti srI a usqetyb sdt retrieve to used be subsequently can ID user This exists. (username) handle the if ID user user fteCsadadtbs otevalue the to database Cassandra the of itn .:AIcl:Ototfo people-search from Opt-out call: API 6.8: Listing sntaetdb hsototfaue si eun h corresponding the returns it as feature, opt-out this by affected not is searchable e s l a f } false ftecrepnigue ntebrig the in user corresponding the of E /users GET utemr,tesac index search the Furthermore, . E /search/contacts GET hc eun the returns which GET , Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. lhuh eiyn te epesdvcsde o cl o i ruswt many with groups big for scale not does devices people’s other verifying Although, . rs Establishment Trust 7.1 hr srcossgsalterondvcs hnWr sr ol edt verify to need would users Wire Then devices. own their all cross-signs user a where eiyec igedvc faltercnat.Wihcnb udeso huad of thousands or hundreds be can Which contacts. their all of device single each verify 22-February-2020 February-2020 need won’t and user this of devices other all transitively trust thus cross-signing and of device Wire introduction one Therefore, i.e. only devices. establishment other’s trust each of verify improvement members the all in 128 that invest from unlikely should group highly per is people it maximum this, possible. of limit as members the 300 conversations bumped to many Wire verify. since to as especially consuming verify members, time to too recommended be not second highly should and is which devices it devices other 8 the Nevertheless, to to straight up access be the easy be should have reduce only This should to can chapter. user verified there previous the be the first, always in because should seen forward as devices) attacks own man-in-the-middle (i.e. of account risk an to of have devices Users Multiple Wire. in trust establish to devices. impossible nearly or cumbersome be can It split 7.3 is It security app Wire. 7.2, of environment analysis privacy production 7.4. and 7.1, metadata security establishment and the Trust of sections: results the the into discuss I chapter this In 2 1 https://medium.com/wire-news/wire-for-web-2019-07-47a13a06ea7c https://medium.com/wire-news/wire-for-web-2018-08-06-46fcaaf131f 1 n ae updtelmtaant 0 members 500 to again limit the bumped later and Discussion 2 nlregop like groups large In . CHAPTER cesd 22- Accessed: , Accessed: , 59 7 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. 60 .Discussion 7. ute onieo iei eadt rs salsmn euiyi htWr shows Wire that is security establishment trust to regard in Wire of downside further A to account their from devices unused or old remove should users advice general a As key- the of representation hexadecimal the replace to be would improvement Another for task easy an not is digits hexadecimal of strings multiple comparing Additionally, hrfr,Wr spoet a-ntemdl tak yie aiiu evc providers. service malicious i.e. by attacks man-in-the-middle to prone is Wire Therefore, eiytedvcso l otcs hs l sr h aentvrfidterdvc are device their verified not have who users all Thus, contacts. all of devices the verify show not does it yet, key the compare to managed not has user the if But verification. e nepit smc ihrcmae oWr.Wihi unfrhripoe the improves further turn in Which their Wire. Signal. much compare to of a users establishment compared with that trust higher So, probability much friendly. the is user establishment fingerprints more trust key also Signal’s as is of numbers usability which new hexadecimal fingerprints better for of Additional key needed instead the is numbers usability. for verification decimal improved representation additional and uses much no Signal Wire a thus Furthermore, for trusted, for devices. suggested transitively verifications are as key devices verification warning for used key TOFU QR-code a prior shows a without It provides devices Wire. than master establishment changed trust for in attacks. better man-in-the-middle much against performs Signal users Wire protect providers. properly service to malicious this won’t by improve likely attacks should users man-in-the-middle perfect, to from vulnerable far potentially is establishment trust of new friendliness of user number the the Since but decrease default, significantly by TOFU to enabled enable cross-signing be to notifications. support should users device this to advanced Ideally needs for setting establishment. Wire contact a first on least devices at have the to for changed. advantageous has be partner would communication It key the prior of a key cryptographic after the only that changes) notification key any contacts’ a (whenever message warning TOFU a devices. mobile on run-time battery the increase potentially could key-fingerprint for representation textual that best concluded the They comparisons. not accuracy. is and representation speed comparison hexadecimal Dechand the by benchmark proposed to as key-fingerprints numeric) (e.g. [ representation al. textual et better match. a key-fingerprints with both fingerprint if compares the software scan the an simply and as could device QR-codes users other way, introducing the verification That by of device key-fingerprints. e.g. QR-code of compare error-prone usability less to the and option improve easier additional should verification Wire the Thus, make brain. to and eye human the of number large the reduce significantly would This individually. comparisons. device each verify to nrpe n ett h evr hsas mle eseeg osmto n thus and consumption energy be less implies to also have also This messages this fewer server. effect the because side to power sent a computing and As and encrypted traffic comparisons. network key-fingerprint the possible reduces of amount the reduce 9 .Te aepromdaue td ihdffrn eta ersnain of representations textual different with study user a performed have They ]. Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. wire.com iesol lopoieteAdodapvaFDod napsoeta exclusively that store app an F-Droid, via app Android the provide also should Wire to compared permissions Android of amount minimal a only requiring well, does Wire support its for case the not is this but EU the within everything host to promises Wire . rdcinEnvironment Production 7.2 . p Security App 7.3 email an uses or settings profile the in number phone the changes simply user Wire A identifiers. as numbers phone uses Signal that is establishment trust to problem related A h nri p inn algorithm signing app Android The too. support encryption the inherit would app desktop the the Thus, on especially and app Web the on increased be should prekeys of numbers The site main the Also, US. the in location server a with Zendesk by hosted is it as website to has user Signal a changes, number phone the if drawback: great a with comes This hc urnl at asol.Ti smc o hr ob sflfrmitigating for useful be to short too much is This only. days 3 lasts currently which eie otcshv ob eie gi oetbihtut nWr hsi non-issue. a is this Wire On trust. establish to again verified be to have contacts verified rvdsoe oreapps. digital source [27]. open [54] i.e. provides function operations hash cryptographic this for on used attacks be practical exist not there must since and signatures longer any secure i.e. not algorithm function signing hash secure cryptographic a of with replaced be must many. requires which Signal app. web the on backups for enough. support large encryption be missing should the offline prekeys add available are should of clients Wire the pool Further, if the Particularly time, of support. secrecy periods forward longer good for ensure to app desktop environment. production its in better performs environments. Wire production Signal, their regarding with improvements compared for Nevertheless, months. potential 6 the has least Wire at Overall is use recommended Its attacks. SSL-stripping for used stores are and use usernames identifier not addition as does In UUID Wire. Wire an server. on that uses the lookup is it on contact this instead connections for identifier, contact reason as established The email the account. or the number for phone number the phone a phone of new instead all the account, add new used, the be by still caused can to Further, number conversation manually. phone group conversation old each group the ask each case to i.e. in number tasks or further again implicates invited Which be account. new a create h otn fisst oteE ocml ihisonpoie.Adtoal,the header Additionally, HSTS the promises. own Especially its site. with support comply the to for improved EU be the could to headers site security its of hosting the otistidpryrqet oawbiehse nU.Wr hudmove should Wire US. in hosted website a to requests third-party contains SHA256 SHA1withRSA nta of instead SHA1 hc sue yWr n Signal and Wire by used is which SHA256withRSA h ahfunction hash The . ..Pouto Environment Production 7.2. hc ae use makes which SHA1 is 61 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. .Discussion 7. 62 ondvcs aeo h ps u hsfnto a ic enrmvd hs the Thus, removed. been since has function this but apps, the of page devices” “own . Metadata 7.4 hswy nytegopcetradtemaigesnm eano h evr There server. the on remain name meaningless the and creator group the only way, a This created, Once conversations. to also applies connections for drawback same The ovraincno edltdayoeadteei oAIedon o eeiga deleting for endpoint API no is there and anymore deleted be cannot conversation o-eprr eaaa hysol tr ihtelwhnigfut ..delete i.e. conversations. fruits and hanging connections and for low temporary APIs the of deletion amount with provide the start and reduce metadata should unused and They Signal from metadata. learn non-temporary should Wire conversation jurisdictions. way, and and Either [ stakeholders connections in different stated user between as metadata decisions i.e. the design remove split product to of difficult because members, be end-to-end would clients other metadata profile to Some saves sent get Signal only while which opt-in. servers, client-side via on Wire’s encrypted names on profile unencrypted and database. stored pictures the are from removed pictures be Profile should the and on unused shown is originally metadata was geolocation It metadata. needless special considered any have also not is does data person Geolocation this as creator conversation group. the the store permissions. leave to reason members is no all also server and is the meaningless on something metadata into this name reduce group to the users rename for to workaround possible A conversation. at names profile the store should additionally connections and invitation. of to is unused of endpoint messages There completely time invite API blocked. are the All an be they such metadata. only as add unneeded can removed should their user be Wire will delete a connection. and to case a deleted users a deleting allow such be for In cannot endpoint it backend. API established, Wire’s no been on forever has stored users two be between connection a Once page: support device official of the from data example geolocation An i.e. more. server and the creator on conversation stored registration, get metadata unnecessary Several its past. for the Linux in on enormously features improved has hardening which security app state-of-the-art desktop all uses Wire Nowadays, connected-with-someone-I-don-t-know-What-should-I-do- 3 https://support.wire.com/hc/en-us/articles/203122450-I-ve-accidentally- Iv cietlycnetdwt oen o’ nw htsol I should What know. don’t I someone do?” with connected accidentally “I’ve 3 60 .Fdrto ol epto help would Federation ]. cesd 22-February-2020 Accessed: , Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. iecudipoescrt o t psadpouto environment. production and apps its for security improve could Wire W niomn.Crety ao onieo efhsigi htafdrto with federation a that is self-hosting of downside major a Currently, environment. AWS hc eeapeeust o h euiyeauto fteWr rtcl ihsome With protocol. Wire the of evaluation security the for prerequisite a were which h iepooo,hsbe eeoe.Fnly twsas hw nti hsswhere thesis this in shown also was it of Finally, features end-to-end developed. essential for most been required better the has For essentially implements protocol, is which Wire supported. what plugin, the fully and Pidgin is works a become federation client messaging, will the Wire encrypted It once a supported. servers how not Wire of is own understanding server, host Wire non to official feasible self-hosted, the more a especially in servers, Wire supported other be could possible dependencies features AWS is more without it even effort, that set, shown developmental was feature further it reduced AWS thesis a this separate with In a server in Wire now. server a of Wire self-host as a to possible self-hosting More already by is privacy. achieved which more be account where for can conversations metadata metadata and reduce over connections should using control removing Wire by Consequently, mitigated support be uses. and metadata could Signal possible Certain metadata as other particular. techniques and same in features in the Signal losing well trust to without very to removed compared perform comes be all and not could it of general does device when in Wire single Further, issues privacy each improved. most usability transport verify be several issue to should also the impossible which are of establishment nearly has There one is it It is but partners. audits, security. establishment conversation security to trust many regard Proper the in to lacking improvements. thanks several level, security for good room a has chosen. Wire was Overall, Wire For service privacy. messaging transport secure and the messaging security evaluation, secure conversation evaluate this have establishment, to how trust services shows regarding thesis messaging This services many Double privacy. Still, the and security introduced concerning encryption. Signal issues end-to-end since for improved greatly algorithm has Ratcheting messaging secure general, In Conclusion CHAPTER 63 8 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. .Conclusion 8. 64 MS 6] otqatmrssac 6]adfederation. and [63] resistance post-quantum [67], (MLS) r urnl ndvlpetadcudb nlzdi uue esgn ae Security Layer Messaging future: which in the Wire analyzed with for be done features could be security and can interesting development several same in also The currently (3) as are are and features. known There client more also PWR. iOS with feature plugin the extended Pidgin guest of and security the updated the be i.e. (2) should API features integration Pro services / two Wire upon bot the the touched the not (1) or features users, as of ephemeral such analyses thesis things, this other in among include, should work Future Work Future 8.1 Proxy and Cargohold diinly h xeietlWr letCoax client Wire experimental the Additionally, . Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. [10] [9] [8] [7] [6] [4] [3] [2] [1] [5] e rporpi Library Cryptographic New a lcrncSociety Electronic Integration ..RC54 Pooe tnad,Ags 08 pae yRC 76 5878, 5746, RFCs by Updated 2008. August Standard), (Proposed 5246 RFC 1.2. rhv,Rpr 0611,2016. 2016/1013, Report Archive, X 06 SNXAssociation. USENIX 2016. TX, In pgp. use to not why 09(rpsdSadr) coe 2013. October Standard), (Proposed 7049 .Buhr .MGe,M aln,E arr,adK ora.TeSecure The Norrman. K. and Carrara, E. Naslund, M. McGrew, D. Baugher, M. 16 45 57 58 67 65 95 7919. 7905, 7685, 7627, Version 7568, Protocol 7507, (TLS) 7465, Security 6176, Layer Transport The Rescorla. E. and Dierks T. representations. key-fingerprint textual of study Fahl, empirical Sascha In An Acar, Yasemin Smith. Busse, Matthew Karoline and Schürmann, Dominik Dechand, Sergej ePrint Cryptology protocol. messaging Douglas signal the and of Garratt, analysis Luke security formal Dowling, A Benjamin Stebila. Cremers, 4880. RFC Cas by Format. Cohn-Gordon, Obsoleted Message Katriel OpenPGP 1998. November Thayer. Standard), R. (Proposed and Finney, 2440 5581. H. RFC RFC Donnerhacke, by Message L. Updated OpenPGP Callas, J. 2007. Thayer. November R. Standard), and (Proposed Shaw, 4880 D. Finney, RFC H. Format. Donnerhacke, L. Callas, RFC J. (CBOR). Representation Object Binary Concise Hoffman. P. and Bormann C. or, communication, Off-the-record Brewer. Eric and Goldberg, Ian Borisov, Nikita group for messaging instant Off-the-record Topaloglu. U. In and conversation. Seker, R. Bian, J. Schwabe. 2012. Heidelberg, Peter and Lange, Tanja Bernstein, J. Daniel 2004. 6904. March 5506, Standard), RFCs (Proposed by 3711 Updated RFC (SRTP). Protocol Transport Real-time 5hUEI euiySmoim(SNXScrt 16) Security (USENIX Symposium Security USENIX 25th ae 98,Ag2007. Aug 79–84, pages , 07IE nentoa ofrneo nomto es and Reuse Information on Conference International IEEE 2007 PS’4 ae 78,NwYr,N,UA 04 ACM. 2004. USA, NY, York, New 77–84, pages ’04, WPES , rceig fte20 C okhpo rvc nthe in Privacy on Workshop ACM 2004 the of Proceedings ae 5–7.Srne elnHiebr,Berlin, Heidelberg, Berlin Springer 159–176. pages , http://eprint.iacr.org/2016/1013 Bibliography h euiyIpc of Impact Security The ae 9–0,Austin, 193–208, pages , . 65 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. [14] [23] [15] [11] [22] 66 [24] [21] [20] [19] [18] [17] [13] [12] [16] CA eoreRcr.RC64 Pooe tnad,Jnay2013. January Standard), (Proposed 6844 RFC Record. Resource (CAA) n omnctossecurity communications and 49(rpsdSadr) pi 2015. April Standard), (Proposed 7469 0494 2014. 2014/904, pdf uesiadX1DSc euiyRve hs nri letfrWire Swiss for Client Wire Android – for 2 Phase Security-Review-Android.pdf 1 – Review Security Phase GmbH. Swiss D-Sec. – X41 and Review Kudelski Security D-Sec. X41 GmbH. and Kudelski 2010. May Derivation (Informational), Key 5869 Extract-and-Expand RFC HMAC-based (HKDF). Eronen. Function P. and Krawczyk Token H. 2012. Bearer October Framework: Authorization Standard), 2.0 (Proposed OAuth 6750 The RFC Hardt. 7817. Usage. Layer D. RFC Transport and by over Jones Updated M. SMTP 2002. February Secure Standard), for (Proposed Extension 3207 RFC Service Security. SMTP (HSTS). Security Hoffman. Transport P. Strict HTTP 2012. November Barth. Standard), A. (Proposed 6797 and RFC Jackson, C. Hodges, J. Standard), (Proposed 6749 RFC 2012. Framework. Authorization October 2.0 OAuth The Hardt. Authorization D. Authority Certification DNS Stradling. R. and Hallam-Baker P. Multi-party Chen. Hao In and Gundy, Van messaging. D off-the-record Matthew Ustaoğlu, Berkant Goldberg, Report Ian Archive, ePrint Cryptology TextSecure? is Secure How Schwenk, Joerg Holz. Bergsma, Thorsten Florian and Bader, Christoph Mainka, Christian Frosch, Tilman Standard), (Proposed 7936. 6455 RFC RFC by Updated Protocol. WebSocket 2011. The December Melnikov. RFC A. HTTP. and Fette for I. Extension Pinning Key Public Sleevi. R. and Palmer, C. Evans, C. uesiadX1DSc euiyRve hs e,CligfrWire for Calling Web, – 2 Phase – Review Wire Security for GmbH. Client D-Sec. Swiss X41 iOS and – Kudelski 2 Phase – Review Security GmbH. D-Sec. Swiss X41 and Kudelski Security-Review-Web-Calling.pdf Security-Review-iOS.pdf eray2017. February , https://wire-docs.wire.com/download/Wire+Audit+Report. https://www.x41-dsec.de/reports/X41-Kudelski-Wire- https://www.x41-dsec.de/reports/X41-Kudelski-Wire- https://www.x41-dsec.de/reports/X41-Kudelski-Wire- http://eprint.iacr.org/2014/904 rceig fte1t C ofrneo Computer on conference ACM 16th the of Proceedings ae 5–6.AM 2009. ACM, 358–368. pages , ac 2018. March , ac 2018. March , ac 2018. March , . Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. [28] [37] [36] [35] [33] [32] [31] [30] [27] [26] [25] [34] [29] TR) ea xesost eso rvra tlte o A SU) RFC (STUN). NAT for Utilities Traversal Session to Extensions Relay (TURN): h lcrncsociety electronic the //signal.org/blog/whatsapp-complete/ rhv,Rpr 0004 2020. 2020/014, Report Archive, 22-February-2020]. 2020]. 2020]. 2020]. ogLu ueeYVsemn n ihlsHpe.Ipoe ru off-the-record group Improved Hopper. In Nicholas messaging. and Vasserman, Y ePrint Eugene Cryptology Liu, Hong Trust. of Chosen-Prefix Web PGP First the - to Shambles Application a and is SHA-1 SHA-1 on Peyrin. Collision Thomas URN and (UUID) Leurent 2005. IDentifier Gaëtan July Unique Standard), Universally A (Proposed 4122 Salz. RFC R. Namespace. and Mealling, M. (Experi- Leach, 6962 P. RFC Transparency. Certificate Kasper. 2013. E. June and mental), Langley, A. Laurie, B. oi alnpk.Wasp’ inlpooo nerto snwcomplete. now is integration protocol signal Whatsapp’s Marlinspike. Moxie moving. is ecosystem The Reflections: Marlinspike. Moxie end-to-end on google with 22-February-2020]. partners accessed: systems allo. for whisper encryption Open Marlinspike. Moxie end to end 22-February-2020]. for accessed: protocol [Online; signal deploys messenger encryption. Facebook Marlinspike. Moxie messaging. group Private Marlinspike. Moxie February-2020]. messages. asynchronous for secrecy Forward Marlinspike. Moxie ratcheting. cryptographic 8155. Advanced RFC Marlinspike. by Moxie Updated NAT 2010. around April Relays Standard), Using (Proposed Traversal 5766 Rosenberg. J. and Matthews, P. Mahy, R. signal. for sender Sealed preview: Technology Lund. Joshua org/blog/sealed-sender/ blog/the-ecosystem-is-moving/ private-groups/ org/blog/asynchronous-security/ blog/advanced-ratcheting/ https://signal.org/blog/facebook-messenger/ rceig fte1t C okhpo okhpo rvc in privacy on Workshop on workshop ACM 12th the of Proceedings ae 4–5.AM 2013. ACM, 249–254. pages , a 04 Oln;acse:22-February-2020]. accessed: [Online; 2014. May , https://signal.org/blog/allo/ coe 08 Oln;acse:22-February- accessed: [Online; 2018. October , https://eprint.iacr.org/2020/014 oebr21.[nie cesd 22-February- accessed: [Online; 2013. November , a 06 Oln;acse:22-February- accessed: [Online; 2016. May , uut21.[nie cesd 22- accessed: [Online; 2013. August , pi 06 Oln;accessed: [Online; 2016. April , https://signal.org/blog/ https://signal.org/ https://signal.org/ a 06 [Online; 2016. May , https://signal. https://signal. uy2016. July , https: . 67 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. [38] [49] [48] [45] [44] [43] [42] [41] [39] [47] [46] 68 [40] e-ae plctos&Services & Applications Web-based Pooe tnad,Arl20.Osltdb F 37 pae yRC 5746, RFCs by updated 6347, RFC by Obsoleted 2006. April Standard), (Proposed 7983. RFC by Updated 2010. May Standard), (Proposed //signal.org/docs/specifications/doubleratchet/ euiySmoim(SNXScrt 18) Security (USENIX Symposium Security rhv,Rpr 0773 2017. 2017/713, Report Archive, 7350. 7507. 90(rpsdSadr) coe 04 boee yRC62,udtdb RFC by updated 6120, RFC by Obsoleted 2004. October Standard), (Proposed 3920 S,21.ACM. 2015. USA, messengers. smartphone in protection data Schmiedecker, and In Privacy Martin Schrittwieser. Huber, Sebastian Markus and Kieseberg, Peter Rottermanner, RFC Christoph by Updated for 2008. Utilities October Traversal Standard), Session (Proposed Wing. 5389 D. RFC and (STUN). Matthews, NAT P. Mahy, R. Rosenberg, J. 4347 RFC Security. Layer Transport Datagram Modadugu. (Proposed N. 2633 and RFC Rescorla 3851. E. RFC Specification. by Message Obsoleted 3 1999. Version June Standard), S/MIME Ramsdell. B. In ation. Channels. Exfiltration S/MIME using Breaking Encryption Efail: Email Schwenk. OpenPGP Jörg and and Schinzel, Somorovsky, Sebastian Juraj Ising, Fabian Friedberger, Dresen, Simon Christian Müller, Jens Poddebniak, Damian algorithm. ratchet 22-February-2020]. double accessed: [Online; The Marlinspike. Moxie and Perrin Function.Trevor Derivation Key 2016. Password-Based August scrypt (Informational), (Proposed The 7914 2595 Josefsson. RFC RFC S. and 7817. Percival ACAP. 4616, C. and RFCs POP3 by IMAP, Updated with 1999. June TLS Standard), Using 5764 Newman. RFC C. (SRTP). Protocol Transport Real-time Extension Secure (DTLS) the Security for Layer Keys Transport Datagram Establish to Rescorla. E. and McGrew D. 22-February-2020]. encryption accessed: end-to-end [Online; bring to microsoft skype. with to partners Signal Marlinspike. Moxie .SitAde xesbeMsaigadPeec rtcl(MP:Cr.RFC Core. 6122. (XMPP): Protocol Presence and Messaging Extensible ePrint Saint-Andre. P. Cryptology Threema. End-to-End and the WhatsApp, On Signal, Less: in is Chats More Group Schwenk. of Jörg Security and Mainka, Christian Rösler, Paul rceig fte1t nentoa ofrneo nomto nerto and Integration Information on Conference International 17th the of Proceedings https://signal.org/blog/skype-partnership/ https://eprint.iacr.org/2017/713 iA 1,pgs8:–31,NwYr,NY, York, New 83:1–83:10, pages ’15, iiWAS , atmr,M,21.UEI Associ- USENIX 2018. MD, Baltimore, , oebr2016. November , aur 2017. January , 7hUSENIX 27th https: . Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. [59] [61] [60] [58] [57] [56] Encryption. Object and Message Multi-End OMEMO XEP-0384: Straub. Andreas [55] Markov. Yarik and Albertini, Ange Karpman, Pierre Bursztein, Elie Stevens, Marc [54] [53] [52] [51] [50] dacsi rpooy–CYT 2017 CRYPTO – Cryptology in Advances h rtcliinfrfl h-.I oahnKt n oa hca,editors, Shacham, Hovav and Katz Jonathan In sha-1. full for collision first The 3–4,My2015. May 232–249, 22-February-2020]. 22-February-2020]. improving-webrtc/ ee an-nr n ei mt.XP06:Proa vnigProtocol. Eventing Personal XEP-0163: Smith. Kevin https://xmpp.org/extensions/xep-0163.html and 2011. Saint-Andre March Instant Peter Standard), (XMPP): (Proposed Protocol 6121 RFC Presence Presence. and and Messaging Messaging Extensible 7590. Saint-Andre. RFC P. by RFC Updated Core. 2011. (XMPP): March Protocol Standard), Presence (Proposed and 6120 Messaging Extensible Saint-Andre. P. Obsoleted 2004. October Instant Standard), (XMPP): 6121. (Proposed RFC Protocol 3921 by RFC Presence Presence. and and Messaging Messaging Extensible Saint-Andre. P. ieSisGb.Wr evrcd o 0%oe ore–tejunycon- journey the 22-February-2020]. messengers. – accessed: source [Online; open secure 100% now open-source-the-journey-continues-88e24164309c for code server Wire decisions tinues. GmbH. design Swiss Wire Product decisions/ GmbH. https://wire.com/en/blog/secure-messenger-product-design- Swiss Wire code. February-2020]. server improv- Wire sourcing and Open encoding GmbH. Swiss rate Wire bit constant – security Call WebRTC. ing GmbH. Swiss Wire client. Wire own your build now can You GmbH. Smith. Swiss Wire M. and Goldberg, I. Perl, H. Fahl, In S. messaging. Bonneau, Secure J. Sok: Dechand, S. Unger, N. https://xmpp.org/extensions/xep-0384.html Publishing. International blog/server-code-open-source-2017/ en/blog/open-source-code/ https://medium.com/@wireapp/wire-server-code-now-100- a 07 Oln;acse:22-February-2020]. accessed: [Online; 2017. May , https://wire.com/en/blog/constant-bit-rate-calls- ac 07 Oln;acse:22-February-2020]. accessed: [Online; 2017. March , 05IE ypsu nScrt n Privacy and Security on Symposium IEEE 2015 uy21.[nie cesd 22-February-2020]. accessed: [Online; 2016. July , ae 7–9,Ca,21.Springer 2017. Cham, 570–596, pages , pi 07 Oln;acse:22- accessed: [Online; 2017. April , https://wire.com/en/ 06 Oln;accessed: [Online; 2016. , accessed: [Online; 2010. , https://wire.com/ etme 2017. September , pages , 69 Die approbierte gedruckte Originalversion dieser Diplomarbeit ist an der TU Wien Bibliothek verfügbar. The approved original version of this thesis is available in print at TU Wien Bibliothek. [67] [66] [62] [65] [63] 70 [64] 22-February-2020]. 22-February-2020]. ieSisGb.MS-Teftr fcollaboration? of future The - MLS GmbH. Swiss Wire whitepaper. security download/Wire+Security+Whitepaper.pdf Wire GmbH. Swiss Wire whitepaper. privacy download/Wire+Privacy+Whitepaper.pdf Wire GmbH. Swiss Wire 22-February-2020]. cessed: audits. security application-level en/blog/application-level-security-audits/ Wire GmbH. Swiss Wire resistance. post-quantum and Wire en/blog/post-quantum-resistance-wire/ GmbH. Swiss Wire 22-February-2020]. review. cessed: security independent Wire’s en/blog/independent-security-audit-2017/ GmbH. Swiss Wire blog/mls-future-of-collaboration/ eebr21.[nie accessed: [Online; 2019. December , https://wire-docs.wire.com/ https://wire-docs.wire.com/ uut2018. August , uut2018. August , uy21.[nie accessed: [Online; 2018. July , eray21.[nie ac- [Online; 2017. February , https://wire.com/en/ ac 08 Oln;ac- [Online; 2018. March , https://wire.com/ https://wire.com/ https://wire.com/