Encrypted messenger service is instant crowdfunding success

Raising $85.000 in a little over a day by offering a secure replacement for Whatsapp, MessageMe and iMessage is quite an accomplishment.
One of the Pirate Bay founders co-founded 'Hemlis', which means "Secret" in Swedish. Their inspiration is the recent revelations by NSA whistleblower Edward Snowden.

They say they understand our love of sharing stuff on the internet, but: "What we don't love though is that private communication has more or less turned into an open stream for companies and governments to listen into."

Companies like Facebook, Twitter, Apple and Google have been forced to open up their systems and hand out information about their users. At the same time they have been forbidden to tell anyone about it!

"We're building a message app where no one can listen in, not even us. We would rather close down the service before letting anyone in."

Their goal is to provide a completely secure messenger service with end-to-end encryption, meaning messages can't be read by the company. Backers of the project get encryption keys and early access to unique user names. More info on heml.is.

They intend to use open and proven standards like XMPP and PGP for encryption. They are committed to making the whole process of key exchange and encryption as easy as possible.

To use the system, you need to share a private key with another user; a critical issue. (Edited, as this was incorrect.)
Can you imagine that they will ever reach the needed scale to become a usable messenger?

#NSA


26 Responses to Encrypted messenger service is instant crowdfunding success

  1. Max Huijgen says:

    Ah, I just see that there are only a little over 5400 founders who generated the $85K, so that's one answer to my own question.

  2. Where do they say you need to share a private key with another user?

  3. Yeah, I question the assertion that sharing a 'private' key is required – that makes no sense.

  4. I went to their website: SSL certificate is not trusted. Is that a joke?

  5. Hmm, I was actually surprised to find out Blackberry/RIM is a Canadian company. Always thought they were American.

  6. Private key? Seriously? What a crock then. Capturing the key is simple and insecure.

    Why not use Public Key Encryption?

  7. I'm pretty sure that's what it would use, +K.B. Burnfield – I think this is quoted incorrectly or a bad statement, which is why I said what I said.

  8. +Jason Bunting I should hope so – any private key system (especially public) is damn near useless.

  9. Max Huijgen says:

    You will be right +Wayne Radinsky +Jason Bunting I misread the buying of 'codes' as in 'Can I give unlock codes to my friends? Sure, that is why you can fund to get multiple codes.' I took that for a setup to guarantee the PGP problem of key identity. I don't know how they will solve this though. The site is lacking info.

  10. +Max Huijgen If this isn't public key it's not worth a penny as a public tool.

    You would have to send or give your private key to each person… How you going to do that? Email? Phone call? Write a physical letter? Whisper it to them at the local coffee house?

  11. Max Huijgen says:

    The trusted web was PGP's answer +K.B. Burnfield

  12. Lynx Werter says:

    Still exist with EU Datasecuritylaws. Austrian company. SSL, and so on. Millions Users: +mysms (Same as whatsapp PLUS SMS.)

  13. Google, Yahoo and Hotmail need to step up and offer built in, easy to use open public key encryption options (like PGP) for Gmail and their services.

    Every dev of a mail program needs to do the same. PGP should be built into every email application.

    Once it's out there at that level of integration and ease of use the normals will start to use it as well as the tech folk.

  14. Let the games begin, next move they make this illegal as a scararist threat. 😉

  15. +Edward Kowalski Phil Zimmermann used to have to save his latest version of PGP to a floppy, put it in his pocket and fly to Europe to release it.

    Once it's out, it's out.

  16. Great. Does not address the real issue. They just gave terrorists a better platform to use.

  17. +Carmelyne Thompson the persons who plan to use it for evil intent, already can use better tools. Hemlis' idea is more to have secure communication available for the average joe.

  18. Max Huijgen says:

    Thanks for the link to the Silent Circle +K.B. Burnfield But relying on Canadian servers seems a weak link. The encryption is strong enough and end-to-end or it's not. From the article: "Silent Circle stresses that their product offers secure communications within the networks and only uses Canadian servers that are outside of U.S. government control. Canada has far more stringent data privacy regulations than either the United States or the European Union, meaning that users' encrypted communications are less likely to be intercepted by American authorities."

  19. Max Huijgen says:

    +Lynx Werter but mysms offers no encryption, correct?

  20. Max Huijgen says:

    Now Hemlis offers encrypted end-to-end content, but we now know that the NSA and its partners are mostly interested in meta-data. Who contacted who at what time.
    That's machine readable and very revealing it seems. It's there that the actual server will be the weak link unless there is a solution for it.

  21. Lynx Werter says:

    +Max Huijgen no, encryption in all messages. "When using mysms Services you may exchange private messages (including, but not limited to text, images, video, and any file) with whom you choose. Text messages are encrypted and sent via SSL, ensuring the maximum security for your data." The name of the app is bad because most users think this is an app about SMS. No, it's more a WhatsApp alternative with SMS capabilities on top. http://www.mysms.com/en/privacy

  22. Max Huijgen says:

    Ah, found more information addressing the meta-data problem:
    For those interested in a bit of our tech backend infrastructure: We’re building encrypted tunnels/MPLS networks between countries, with anycast ingress/egress points so that your traffic should pass as few borders as possible. Messages will be sent to as close as possible to the recipient, which makes it impossible for agencies like NSA and FRA to see who’s talking to whom. This sort of virtual local network makes Heml.is much more secure than a regular system that can’t avoid border crossings.

  23. Max Huijgen says:

    And talking about the key-exchange, here is a solution by an existing messenger service http://threema.ch/

    What do the verification levels (dots) mean?

    Level 1 (red): the ID and public key have been obtained from the server because you received a message from this contact for the first time. No matching contact was found in your address book (by phone number or e-mail), and therefore you cannot be sure that the person is who they claim to be in their messages.

    Level 2 (orange): the ID has been matched with a contact in your address book (by phone number or e-mail). Since the server verifies phone numbers and e-mail addresses, you can be reasonably sure that the person is who they claim to be.

    Level 3 (green): you have personally verified the ID and public key of the person by scanning their 2D code. Assuming their device has not been hijacked, you can be very sure that messages from this contact were really written by the person that they indicate.
    The verification levels don't change anything in the encryption strength (it is always the same high-grade ECC based encryption), but they are a measure of the trust that the public keys saved for your contacts really belong to them. Having the wrong public keys leaves you open to Man-in-the-Middle (MITM) attacks, therefore it is important to verify the keys.
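
The three verification levels quoted in the last comment can be modelled as a small contact key store. This is an added example, not part of the original post or comments and not code from Threema or Hemlis; the class and function names, the SHA-256 fingerprint and the byte strings standing in for public keys are assumptions made for illustration. It shows that a key substituted by the server still reaches level 2 and is only caught by the in-person fingerprint check.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Levels follow the quoted FAQ; the constant names are this example's own.
SERVER_ONLY, ADDRESS_BOOK, VERIFIED_IN_PERSON = 1, 2, 3

def fingerprint(public_key: bytes) -> str:
    """Digest of a public key, short enough to show as a 2D code."""
    return hashlib.sha256(public_key).hexdigest()[:32]

@dataclass
class Contact:
    public_key: bytes
    level: int

class ContactStore:
    def __init__(self, address_book_ids):
        self.address_book_ids = set(address_book_ids)
        self.contacts = {}

    def learn_from_server(self, user_id: str, public_key: bytes) -> Contact:
        """Key fetched from the server on first message: level 1 or 2 only."""
        known = self.contacts.get(user_id)
        if known is not None:
            if known.public_key != public_key:
                raise ValueError(f"key for {user_id} changed, not replacing it")
            return known
        level = ADDRESS_BOOK if user_id in self.address_book_ids else SERVER_ONLY
        self.contacts[user_id] = Contact(public_key, level)
        return self.contacts[user_id]

    def verify_in_person(self, user_id: str, scanned_fingerprint: str) -> bool:
        """Raise to level 3 only if the stored key matches the scanned code."""
        contact = self.contacts[user_id]
        if not hmac.compare_digest(fingerprint(contact.public_key), scanned_fingerprint):
            return False  # stored key is not the one on the contact's device
        contact.level = VERIFIED_IN_PERSON
        return True

def demo():
    # Constructed byte strings stand in for real ECC public keys.
    alice_key, bob_key, swapped = b"alice-key", b"bob-key", b"substituted-key"
    store = ContactStore(address_book_ids={"BOB"})
    store.learn_from_server("ALICE", alice_key)   # honest answer, level 1
    store.learn_from_server("BOB", swapped)       # wrong key, still level 2
    ok_alice = store.verify_in_person("ALICE", fingerprint(alice_key))
    ok_bob = store.verify_in_person("BOB", fingerprint(bob_key))
    return ok_alice, store.contacts["ALICE"].level, ok_bob, store.contacts["BOB"].level
```

Calling `demo()` returns the check result and final level for each contact: the honestly served key is promoted to level 3, while the substituted one fails the scan and stays at level 2.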
