Wire’s independent security review

Wire
Feb 9, 2017 · 2 min read

Ever since Wire launched end-to-end encryption and open sourced its apps one question has consistently popped up: “Is there an independent security review available?” Well, there is now!

Kudelski Security and X41 D-Sec published a joint review of Wire’s encrypted messaging protocol implementation. They found it to have “high security, thanks to state-of-the-art cryptographic protocols and algorithms, and software engineering practices mitigating the risk of software bugs.”

Download full report

The issues that were discovered during the review have been fixed and deployed on iOS and Android. Deployment is ongoing for Wire for Web and desktop apps.

Update: Fixes for Wire for Web and desktop went live on February 17.

What’s in a review?

Security reviews can be broadly split into three levels:

  • Review of the protocol specification
  • Review of the implementation of that protocol
  • Complete solution review that includes all components of the system

Kudelski and X41 D-Sec reviewed the second level: the implementation of the Proteus messaging protocol, the Cryptobox API, and its C wrapper Cryptobox-C. Cryptobox defines a simple, high-level API on top of Proteus in order to hide the protocol’s complexity from callers in Wire applications. The review also covered the CoffeeScript counterparts of Proteus and Cryptobox, as implemented in proteus.js and cryptobox.js.

The review covers the Proteus implementation on all platforms where Wire is available: iOS, Android, macOS, Windows, Linux, and Wire for Web, which runs in modern browsers with WebRTC support.

Why Kudelski Security and X41 D-Sec?

Substantial experience and interest in researching protocols similar to Wire’s, and in reviewing secure messengers in general, played a huge role in deciding who we wanted to partner with for this review. Team members at Kudelski Security and X41 D-Sec have both demonstrated this in the past and continue to independently review not just Wire but also other apps in the secure communication space.

Publishing independent reviews of protocol implementations is unfortunately not yet the norm in the messaging space. Reviews from a couple of years ago may also be getting stale, since the apps are constantly evolving and their code bases keep changing.

Going forward every major development at Wire will also include a security review. We’ll continue to partner with security experts like Kudelski Security and X41 D-Sec to work on a complete solution review.

All Wire client code is on GitHub and the server code will be open sourced by the end of Q1, 2017.

See also: Wire Cryptography Audit (with X41 D-Sec)
