Whisperbot - No thanks, I'll use e-mail

Whisperbot is a new free service that claims to deliver confidential messages to your friends without e-mail.
Its own site puts it this way: Stop using e-mail for your confidential messages!

That is a nice slogan to have on a site, but our advice is the opposite: stick to e-mail and add encryption.
Here is why Whisperbot should be avoided for any confidential message:

  1. Message transport in cleartext - by default both the sender and the reader access the 'confidential' message over plain HTTP, so everything typed and everything read can be sniffed on the wire and archived by any proxy along the way.
  2. Message is stored on Whisperbot servers with unspecified, unverifiable security measures - Whisperbot reportedly stores messages in encrypted form. We cannot confirm that, but even if it is true it changes little: the message is shown to the recipient in its original form, so the server must hold a key that reverses the encryption, and whoever controls or compromises the server holds that key too. The security of the message is therefore that of a safe full of money with the key left in the lock.
  3. Security is based on obscurity - the main security measure of Whisperbot is that the path to the message is unique and known to nobody except the recipient. But that path is sent to the recipient in a cleartext e-mail, which can be captured and read at any number of points along its route, and whoever captures it can open the message exactly as the recipient would.
  4. Message retention cannot be controlled - the message is kept on the Whisperbot servers for an undisclosed amount of time, and the sender has no way to delete it, so it stays open to later access by someone else.
With the above deficiencies in full swing, I would trust Whisperbot with confidential messages about as much as I would trust an IRC chat room.
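
To make points 2 and 3 concrete, here is a small Python model of a 'confidential link' service. It is an added example, not Whisperbot's code and not anything the post provides; the storage layout, the server master key and the passphrase variant are assumptions for illustration. The toy cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag, chosen only so the example needs no third-party packages (a real system would use an AEAD such as AES-GCM). What it demonstrates is who can read the message in each design: when the server keeps the key, the link alone opens the message for anyone who captured it, and a database dump plus the server's config yields the plaintext; when the key is derived from a passphrase the server never sees, the dump is opaque and a wrong passphrase fails closed.

```python
"""Toy model of a 'confidential link' service (added example, not Whisperbot's
code). Storage layout, master key and passphrase variant are assumptions. The
cipher is an HMAC-SHA256 counter-mode keystream plus an HMAC tag, used only to
avoid third-party packages; use an AEAD such as AES-GCM in real systems. The
point modelled is who holds the key, not the cipher."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (encrypt == decrypt)."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


def encrypt(key: bytes, nonce: bytes, message: bytes):
    ct = _keystream_xor(key, nonce, message)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # integrity tag
    return ct, tag


def decrypt(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered ciphertext")
    return _keystream_xor(key, nonce, ct)


@dataclass
class Record:
    nonce: bytes
    ciphertext: bytes
    tag: bytes
    wrapped_key: Optional[bytes]  # design A keeps the data key here; design B stores none


SERVER_MASTER_KEY = secrets.token_bytes(32)  # assumed to live in the server's config
DB: Dict[str, Record] = {}                    # the "database"; the token is the URL path


def send_server_held_key(message: bytes) -> str:
    """Design A (point 2): the server encrypts with a key it also keeps. The token
    returned is the only secret the recipient receives, by cleartext e-mail."""
    token = secrets.token_urlsafe(16)
    nonce = secrets.token_bytes(16)
    data_key = secrets.token_bytes(32)
    ct, tag = encrypt(data_key, nonce, message)
    DB[token] = Record(nonce, ct, tag, _keystream_xor(SERVER_MASTER_KEY, nonce, data_key))
    return token


def open_link(token: str) -> bytes:
    """What the web page shows to whoever presents the link: the intended
    recipient, or anyone who read the token off the e-mail in transit (point 3)."""
    rec = DB[token]
    if rec.wrapped_key is None:
        raise ValueError("this message needs a passphrase")
    data_key = _keystream_xor(SERVER_MASTER_KEY, rec.nonce, rec.wrapped_key)
    return decrypt(data_key, rec.nonce, rec.ciphertext, rec.tag)


def operator_reads(token: str) -> Optional[bytes]:
    """What a database dump plus the server's own config yields: the safe with
    the key left in the lock. Returns None when no key material is stored."""
    rec = DB[token]
    if rec.wrapped_key is None:
        return None
    data_key = _keystream_xor(SERVER_MASTER_KEY, rec.nonce, rec.wrapped_key)
    return decrypt(data_key, rec.nonce, rec.ciphertext, rec.tag)


def _derive_key(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)


def send_passphrase_key(message: bytes, passphrase: str) -> str:
    """Design B: the key is derived from a passphrase the server never sees. The
    passphrase must travel by a channel other than the one carrying the link."""
    token = secrets.token_urlsafe(16)
    nonce = secrets.token_bytes(16)  # doubles as the PBKDF2 salt
    ct, tag = encrypt(_derive_key(passphrase, nonce), nonce, message)
    DB[token] = Record(nonce, ct, tag, None)
    return token


def open_link_with_passphrase(token: str, passphrase: str) -> bytes:
    """A wrong passphrase or a tampered row fails closed instead of showing garbage."""
    rec = DB[token]
    return decrypt(_derive_key(passphrase, rec.nonce), rec.nonce, rec.ciphertext, rec.tag)
```

Run the two designs side by side: with a server-held key, open_link works for anyone who captured the link and operator_reads recovers the plaintext straight from the stored rows and the server's config; with a passphrase-derived key the dump yields nothing and a wrong passphrase is rejected by the integrity check. The catch in design B is that the passphrase still has to reach the recipient, and sending it in the same e-mail as the link puts you right back at point 3. That is why the recommendation below is end-to-end encryption on your own machine rather than any server-side scheme.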

Instead, for confidential messages rely on e-mail with the added security of GNU Privacy Guard (GnuPG): encrypt the message on your own machine to the recipient's public key, so that neither the mail servers on the path nor any third-party service ever sees the plaintext.

Talkback and comments are most welcome


4 comments:

Jan said...

Your advice is right. I'd hate having my confidential messages lying out there for anybody to sniff. Like you suggested, I'd prefer my old trusty e-mail program to using this one.

newbiesblogger said...

Huhu... maybe it's still new and needs to improve to deliver excellent service. For me there are no top secrets between my friends and me, so my answer is I will not use that service.. huhu..

whisperbot said...

Thanks for taking the time to share your thoughts. We created Whisperbot as a simple way to send something secure to someone without the need for them to have any particular software or setup.

Just to reply to some of your comments....

1. Message transport in cleartext
Actually, there is an https secure version at https://www.whisperbot.com

2. Message is stored on Whisperbot servers with unspecified and not very reliable security measures
Yes, it's in a database, of course. But I rebut that it's not secure - I'll happily share with you the database content and I'll let you see if you can decrypt it. Everything - from message to email address - is encrypted - and we're not talking md5 here ;-)

3. Security is based on obscurity
There is an option to use a passphrase - so, even if someone else gets the link, they can't read the message without the passphrase.

4. Message retention cannot be controlled
Agreed with the need for a delete button of sorts - right now, we just trim the message after it's been read and stored for a period of time.


It's not for everyone, but it's there and free, if you would like to use it :-).

matt
www.whisperbot.com

trida said...

I agree with newbie, maybe it's a beta version being tested by users. I hope our tryout of this program gives them continuous improvement. Just drop EC and smile today
