How does key management work? Is it all done through Whisper Systems' servers? If that's the case, how is this effectively better than iMessage? iMessage is also (nominally) quite secure, except for the fact that you have to trust Apple to verify pubkeys, which makes it quite feasible to MITM if you can subvert Apple via legal or technical means.
The latter part is the critical bit here; by comparing fingerprints out-of-band you can guarantee that your keys haven't been intercepted and replaced during exchange.
What's the point of that? Why not just indicate somewhere that the conversation isn't completely secure, rather than have the user believe it is when it's not?
That's like saying that SSH isn't more secure than Telnet unless you personally drive to the data center and verify the fingerprints of every single server by hand.
In reality, TOFU is a form of key verification and it is highly effective against MITM attacks because there's no way for an adversary to reliably determine whether or not a user is seeing a fingerprint for the first time. If at any point the fingerprint changes, the users are warned.
Users can also easily check and compare fingerprints too. They are not mutually exclusive.
I'm talking about absolute terms and you're replying with relative terms. I didn't say that SSH isn't more secure than telnet; I said that you can't be secure against an active MITM unless you verify the keys. That's a fact; I'm not sure how one can argue against it.
Sure, TOFU is better than nothing, and might even be very good, but there's still a way for an active adversary to MITM you.
Yeah, I don't think we actually disagree. Key verification is important, which is why it's a feature in Signal.
In order for an active adversary to perform a successful MITM attack against a TOFU scheme they would need to successfully determine when someone is seeing a fingerprint for the first time (or get lucky) and then successfully maintain their MITM position across every single network the device uses, forever. If they fail at either of those, the user will be warned.
I keep bringing up SSH because it's an example of a fingerprint verification system based on TOFU that works incredibly well at preventing MITM attacks. No one is having key signing parties with their servers, and yet connections remain secure.
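The TOFU behaviour described in the comments above (pin the first fingerprint seen, warn when it later changes, and let users upgrade the pin by comparing fingerprints out of band), as an added Python example that is not from any commenter and is not Signal's or OpenSSH's code; the class, its method names and the sample key bytes are constructed for illustration.

```python
import hashlib


class TofuStore:
    """Trust-on-first-use store: the first fingerprint seen for a contact is
    pinned; a later mismatch is the 'key changed' warning; an out-of-band
    comparison upgrades the pin from 'unverified' to 'verified'."""

    def __init__(self):
        # contact -> [pinned fingerprint, verified out of band?]
        self.known = {}

    @staticmethod
    def fingerprint(pubkey: bytes) -> str:
        # Shortened SHA-256 of the raw public key, the string users would compare
        return hashlib.sha256(pubkey).hexdigest()[:32]

    def check(self, contact: str, pubkey: bytes) -> str:
        """Return 'first-use', 'trusted-unverified', 'verified' or 'changed'."""
        fp = self.fingerprint(pubkey)
        entry = self.known.get(contact)
        if entry is None:
            self.known[contact] = [fp, False]  # pin on first sight
            return "first-use"
        pinned, verified = entry
        if pinned != fp:
            return "changed"  # possible MITM: warn the user, never silently re-pin
        return "verified" if verified else "trusted-unverified"

    def mark_verified(self, contact: str, fp_read_aloud: str) -> bool:
        """Out-of-band check: only upgrades if the compared fingerprint matches the pin."""
        entry = self.known.get(contact)
        if entry is None or entry[0] != fp_read_aloud:
            return False
        entry[1] = True
        return True


def scenario() -> list:
    """Constructed sample keys; returns the status reported at each step."""
    alice_key = b"constructed-alice-pubkey-bytes"
    substituted_key = b"constructed-substituted-pubkey-bytes"
    store = TofuStore()
    steps = [store.check("alice", alice_key)]       # first-use: pinned
    steps.append(store.check("alice", alice_key))   # same key, not yet verified
    store.mark_verified("alice", store.fingerprint(alice_key))  # compared in person
    steps.append(store.check("alice", alice_key))   # now verified
    steps.append(store.check("alice", substituted_key))  # changed key -> warning
    return steps
```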
I agree, but it's much easier for me to tell a friend "hey is this your key?" when we're together than go all the way up to my server and connect directly to it. That's why I think that there should be a UI element that says "you're pretty secure, but if you just check this you're golden".
It never asked me to verify his pubkey.