Moxie Marlinspike

Born: Early 1980s [1], Georgia, U.S.
Website: moxie.org

Moxie Marlinspike is an American entrepreneur, cryptographer, and computer security researcher. [1] [2] Marlinspike is the creator of Signal, co-founder of the Signal Technology Foundation, and served as the first CEO of Signal Messenger LLC. He is also a co-author of the Signal Protocol encryption used by Signal, WhatsApp, [3] Google Messages, [4] Facebook Messenger, [5] and Skype. [6]

Marlinspike is a former head of the security team at Twitter [7] and the author of a proposed SSL authentication system replacement called Convergence. [8] He previously maintained a cloud-based WPA cracking service [9] and a targeted anonymity service called GoogleSharing. [10]

Career

Marlinspike began his career working for several technology companies, including enterprise infrastructure software maker BEA Systems Inc. [3] [11]

In 2010, Marlinspike was the chief technology officer and co-founder of Whisper Systems, [12] an enterprise mobile security startup company. In May 2010, Whisper Systems launched TextSecure and RedPhone. These were applications that provided end-to-end encrypted SMS messaging and voice calling, respectively. Twitter acquired the company for an undisclosed amount in late 2011. [13] The acquisition was done "primarily so that Mr. Marlinspike could help the then-startup improve its security". [11] During his time as Twitter's head of cybersecurity, [14] the firm made Whisper Systems' apps open source. [15] [16]

Marlinspike left Twitter in early 2013 and founded Open Whisper Systems as a collaborative open source project for the continued development of TextSecure and RedPhone. [17] [18] [19] At the time, Marlinspike and Trevor Perrin started developing the Signal Protocol, an early version of which was first introduced in the TextSecure app in February 2014. [20] In November 2015, Open Whisper Systems unified the TextSecure and RedPhone applications as Signal. [21] Between 2014 and 2016, Marlinspike worked with WhatsApp, Facebook, and Google to integrate the Signal Protocol into their messaging services. [22] [23] [24]

On February 21, 2018, Marlinspike and WhatsApp co-founder Brian Acton announced the formation of the Signal Technology Foundation and its subsidiary, Signal Messenger LLC. [25] [1] Marlinspike served as Signal Messenger's first CEO until stepping down on January 10, 2022. [26]

Research

SSL stripping

In a 2009 paper, Marlinspike introduced the concept of SSL stripping, a man-in-the-middle attack in which a network attacker could prevent a web browser from upgrading to an SSL connection in a way that would likely go unnoticed by a user. He also announced the release of a tool, sslstrip, that would automatically perform these types of man-in-the-middle attacks. [27] [28] The HTTP Strict Transport Security (HSTS) specification was subsequently developed to combat these attacks. [29]

SSL implementation attacks

Marlinspike has discovered a number of vulnerabilities in popular SSL implementations. Notably, he published a 2002 paper on exploiting SSL/TLS implementations that did not correctly verify the X.509 v3 "BasicConstraints" extension in public key certificate chains. This allowed anyone holding a valid CA-signed certificate for any domain name to create what appeared to be valid CA-signed certificates for any other domain. The vulnerable SSL/TLS implementations included the Microsoft CryptoAPI, making Internet Explorer and all other Windows software that relied on SSL/TLS connections vulnerable to a man-in-the-middle attack. In 2011, the same vulnerability was found to have remained in the SSL/TLS implementation on Apple Inc.'s iOS. [30] [31] In a 2009 paper, Marlinspike also introduced the concept of a null-prefix attack on SSL certificates. He revealed that all major SSL implementations failed to properly verify the Common Name value of a certificate, so that they could be tricked into accepting forged certificates by embedding null characters in the CN field. [32] [33]
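The two validation defects described in this section, the missing BasicConstraints check and the null-prefix Common Name bug, come down to small mistakes in certificate-handling code. The C model below is an added example written for this article; it is not Marlinspike's published research or any library's code. The `der_string_t` type, the `toy_cert_t` structure, the `.example` hostnames and the sample chain are constructed for illustration, and the toy chain models signature verification by issuer/subject name linkage only. Each defect is shown in its historical form next to the corrected check.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* --- Null-prefix attack: matching a hostname against a certificate CN --- */

/* A name as stored in DER carries an explicit length, so an embedded NUL byte
 * is an ordinary character to the encoder. (Type constructed for this example.) */
typedef struct {
    const unsigned char *data;
    size_t len;
} der_string_t;

/* Historical defect: copy the DER bytes into a C string and compare with
 * strcmp(), which stops at the first NUL. A CN of
 * "www.bank.example\0.attacker.example" therefore matches "www.bank.example". */
int cn_matches_vulnerable(der_string_t cn, const char *hostname)
{
    char buf[256];
    if (cn.len >= sizeof buf)
        return 0;
    memcpy(buf, cn.data, cn.len);
    buf[cn.len] = '\0';
    return strcmp(buf, hostname) == 0;
}

/* Corrected check: refuse any name containing a NUL byte (no valid DNS name
 * has one) and compare over the full DER length, never a C-string view of it.
 * Case folding and wildcard handling are deliberately left out here. */
int cn_matches_fixed(der_string_t cn, const char *hostname)
{
    size_t hlen = strlen(hostname);
    if (memchr(cn.data, '\0', cn.len) != NULL)
        return 0;
    if (cn.len != hlen)
        return 0;
    return memcmp(cn.data, hostname, hlen) == 0;
}

/* --- BasicConstraints: which chain members may act as issuers --- */

/* Toy certificate (constructed for this example): signature verification is
 * modelled purely by issuer/subject name linkage. */
typedef struct {
    const char *subject;
    const char *issuer;
    int ca; /* 1 if the BasicConstraints extension says cA=TRUE */
} toy_cert_t;

/* chain[0] is the end-entity certificate, chain[n-1] the trusted root.
 * Historical defect: only checks that each certificate links to the next,
 * so the holder of any end-entity certificate can act as an issuer. */
int chain_valid_vulnerable(const toy_cert_t *chain, size_t n)
{
    if (n == 0)
        return 0;
    for (size_t i = 0; i + 1 < n; i++)
        if (strcmp(chain[i].issuer, chain[i + 1].subject) != 0)
            return 0;
    return 1;
}

/* Corrected check: every certificate above the leaf must be marked as a CA. */
int chain_valid_fixed(const toy_cert_t *chain, size_t n)
{
    if (!chain_valid_vulnerable(chain, n))
        return 0;
    for (size_t i = 1; i < n; i++)
        if (!chain[i].ca)
            return 0;
    return 1;
}

/* Constructed sample data: a forged CN, and a chain whose middle certificate
 * is an ordinary end-entity certificate that lacks cA=TRUE. */
static const unsigned char FORGED_CN[] = "www.bank.example\0.attacker.example";
#define FORGED_CN_LEN (sizeof(FORGED_CN) - 1)

static const toy_cert_t FORGED_CHAIN[] = {
    { "bank.example",     "somecorp.example", 0 },
    { "somecorp.example", "Trusted Root CA",  0 },
    { "Trusted Root CA",  "Trusted Root CA",  1 },
};

int main(void)
{
    der_string_t forged = { FORGED_CN, FORGED_CN_LEN };
    printf("null-prefix CN: vulnerable=%d fixed=%d\n",
           cn_matches_vulnerable(forged, "www.bank.example"),
           cn_matches_fixed(forged, "www.bank.example"));
    printf("missing BasicConstraints: vulnerable=%d fixed=%d\n",
           chain_valid_vulnerable(FORGED_CHAIN, 3),
           chain_valid_fixed(FORGED_CHAIN, 3));
    return 0;
}
```

Both defects share a root cause: trusting a field's textual appearance (a C string, a name that "looks like" an issuer) instead of its encoded semantics (an explicit DER length, an explicit cA flag). Real validators must additionally check signatures, validity periods, name constraints and path length, which the toy model omits.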

Solutions to the CA problem

In 2011, Marlinspike presented a talk, "SSL And The Future Of Authenticity", [34] at the Black Hat security conference in Las Vegas. He outlined many of the problems with certificate authorities and announced the release of a software project called Convergence to replace them. [35] [36] In 2012, Marlinspike and Perrin submitted an Internet Draft for TACK, [37] which is designed to provide SSL certificate pinning and help solve the CA problem, to the Internet Engineering Task Force. [38]

Cracking MS-CHAPv2

In 2012, Marlinspike and David Hulton presented research that makes it possible to reduce the security of MS-CHAPv2 handshakes to a single DES encryption. Hulton built hardware capable of cracking the remaining DES encryption in less than 24 hours, and the two made the hardware available for anyone to use as an Internet service. [39]

Mobily surveillance controversy

In 2013, Marlinspike published emails on his blog that he claimed were from Saudi Arabian telecom service Mobily soliciting his help in surveilling their customers, including intercepting communications running through various applications. Marlinspike refused to help, making the emails public instead. Mobily denied the allegations. "We never communicate with hackers", the company said. [40]

Traveling

Marlinspike says that when flying within the United States he is unable to print his own boarding pass, is required to have airline ticketing agents make a phone call in order to issue one, and is subjected to secondary screening at TSA security checkpoints. [41]

While entering the U.S. on a flight from the Dominican Republic in 2010, Marlinspike was detained by federal agents for nearly five hours, all his electronic devices were confiscated, and at first agents claimed he would only get them back if he provided his passwords so they could decrypt the data. Marlinspike refused to do this, and the devices were eventually returned, though he noted that he could no longer trust them, saying, "They could have modified the hardware or installed new keyboard firmware." [42]

Recognition

Personal life

Originally from the state of Georgia, [3] Marlinspike moved to San Francisco in the late 1990s at age 18. [1] [11] The name Moxie Marlinspike is an assumed name partly derived from a childhood nickname. [1] [3]

Marlinspike is a sailing enthusiast and master mariner. [3] [47] In 2004, he bought a derelict sailboat and, with three friends, refurbished it and sailed around the Bahamas while making a "video zine" about their journey called Hold Fast. [1] [3] [11] He is also an anarchist, [3] and several of his essays and speeches are published on the website The Anarchist Library, including "An Anarchist Critique of Democracy" [48] and "The Promise of Defeat." [49]

References

  1. Wiener, Anna (October 19, 2020). "Taking Back Our Privacy: Moxie Marlinspike, the founder of the end-to-end encrypted messaging service Signal, is "trying to bring normality to the Internet."". The New Yorker. Archived from the original on March 5, 2021. Retrieved October 27, 2020.
  2. Rosenblum, Andrew (April 26, 2016). "Moxie Marlinspike Makes Encryption for Everyone". Popular Science. Bonnier Corporation. Retrieved July 9, 2016.
  3. Greenberg, Andy (July 31, 2016). "Meet Moxie Marlinspike, the Anarchist Bringing Encryption to All of Us". Wired. Condé Nast. Archived from the original on January 25, 2021. Retrieved July 31, 2016.
  4. Amadeo, Ron (June 16, 2021). "Google enables end-to-end encryption for Android's default SMS/RCS app". Ars Technica. Retrieved March 3, 2022.
  5. Greenberg, Andy (October 4, 2016). "You can finally encrypt Facebook Messenger, so do it". Wired.
  6. Newman, Lily Hay (January 11, 2018). "Skype Finally Starts Rolling Out End-to-End Encryption". Wired.
  7. Hern, Alex (October 17, 2014). "Twitter's former security head condemns Whisper's privacy flaws". The Guardian. Retrieved January 22, 2015.
  8. Messmer, Ellen (October 12, 2011). "The SSL certificate industry can and should be replaced". Network World. IDG. Archived from the original on March 1, 2014. Retrieved September 25, 2016.
  9. "New Cloud-Based Service Steals Wi-fi Passwords". PC World. Archived from the original on April 20, 2012. Retrieved December 9, 2013.
  10. "A Better Way To Hide From Google". Forbes. November 25, 2013. Archived from the original on October 12, 2013. Retrieved December 9, 2013.
  11. Yadron, Danny (July 9, 2015). "Moxie Marlinspike: The Coder Who Encrypted Your Texts". The Wall Street Journal. Archived from the original on July 10, 2015. Retrieved September 27, 2016.
  12. Mills, Elinor (March 15, 2011). "CNet: WhisperCore App Encrypts All Data For Android". News.cnet.com. Retrieved December 9, 2013.
  13. "Twitter Acquires Moxie Marlinspike's Encryption Startup Whisper Systems". Forbes. Retrieved October 4, 2013.
  14. Powers, Shawn M.; Jablonski, Michael (February 2015). The Real Cyber War: The Political Economy of Internet Freedom. University of Illinois Press. p. 198. ISBN 978-0-252-09710-2. JSTOR 10.5406/j.ctt130jtjf.
  15. Chris Aniszczyk (December 20, 2011). "The Whispers Are True". The Twitter Developer Blog. Twitter. Archived from the original on October 24, 2014. Retrieved January 22, 2015.
  16. "RedPhone is now Open Source!". Whisper Systems. July 18, 2012. Archived from the original on July 31, 2012. Retrieved January 22, 2015.
  17. Yadron, Danny (July 10, 2015). "What Moxie Marlinspike Did at Twitter". Digits. The Wall Street Journal. Archived from the original on March 18, 2016. Retrieved September 27, 2016.
  18. Andy Greenberg (July 29, 2014). "Your iPhone Can Finally Make Free, Encrypted Calls". Wired. Retrieved January 18, 2015.
  19. "A New Home". Open Whisper Systems. January 21, 2013. Retrieved July 11, 2015.
  20. Donohue, Brian (February 24, 2014). "TextSecure Sheds SMS in Latest Version". Threatpost. Retrieved July 14, 2016.
  21. Greenberg, Andy (November 2, 2015). "Signal, the Snowden-Approved Crypto App, Comes to Android". Wired. Condé Nast. Retrieved November 24, 2015.
  22. Metz, Cade (April 5, 2016). "Forget Apple vs. the FBI: WhatsApp Just Switched on Encryption for a Billion People". Wired. Condé Nast. Retrieved August 2, 2016.
  23. Greenberg, Andy (July 8, 2016). "'Secret Conversations:' End-to-End Encryption Comes to Facebook Messenger". Wired. Condé Nast. Retrieved September 24, 2016.
  24. Greenberg, Andy (May 18, 2016). "With Allo and Duo, Google Finally Encrypts Conversations End-to-End". Wired. Condé Nast. Retrieved September 24, 2016.
  25. Marlinspike, Moxie; Acton, Brian (February 21, 2018). "Signal Foundation". Signal.org. Retrieved February 21, 2018.
  26. Marlinspike, Moxie (January 10, 2022). "New year, new CEO". signal.org. Signal Messenger. Retrieved January 10, 2022.
  27. Greenberg, Andy (February 18, 2009). "Breaking Your Browser's Padlock". Forbes. Archived from the original on February 27, 2014.
  28. Kelly Jackson Higgins (February 24, 2009). "SSLStrip Hacking Tool Released". Darkreading.com. Retrieved December 9, 2013.
  29. Bramwell, Phil (2018). Hands-On Penetration Testing on Windows: Unleash Kali Linux, PowerShell, and Windows debugging tools for security testing and analysis. Packt Publishing. p. 96. ISBN   978-1-78829-509-3.
  30. "Apple iOS Bug Worse Than Advertised".
  31. "iPhone data interception tool released". Scmagazine.com.au. July 27, 2011. Archived from the original on December 14, 2013. Retrieved December 9, 2013.
  32. Zetter, Kim (July 30, 2009). "Vulnerabilities Allow Attackers To Impersonate Any Website". Wired.com. Retrieved December 9, 2013.
  33. Goodin, Dan (July 30, 2009). "Wildcard certificate spoofs web authentication". Theregister.co.uk. Retrieved December 9, 2013.
  34. "SSL And The Future Of Authenticity". Youtube.com. August 18, 2011. Archived from the original on December 21, 2021. Retrieved December 9, 2013.
  35. "New SSL Alternative". Informationweek.com. Archived from the original on October 1, 2011. Retrieved December 9, 2013.
  36. "Future of SSL in doubt?". Infosecurity-magazine.com. August 9, 2011. Retrieved December 9, 2013.
  37. "Trust Assertions For Certificate Keys". Tack.io. Retrieved December 9, 2013.
  38. Goodin, Dan (May 23, 2012). "SSL fix flags forged certificates". Arstechnica.com. Retrieved December 9, 2013.
  39. "New Tool From Moxie Marlinspike Cracks Some Crypto Passwords". Threatpost. August 19, 2012. Archived from the original on August 19, 2012.
  40. Smith, Matt (May 15, 2013). "Saudi's Mobily denies asking for help to spy on customers". Reuters. Retrieved February 21, 2018.
  41. Mills, Elinor (November 18, 2010). "Security researcher: I keep getting detained by feds". CNET. Retrieved June 19, 2019.
  42. Zetter, Kim (November 18, 2010). "Another Hacker's Laptop, Cellphones Searched At Border". Wired.com. Retrieved June 19, 2019.
  43. "Moxie Marlinspike - 40 under 40". Fortune. Time Inc. 2016. Archived from the original on August 18, 2017. Retrieved September 22, 2016.
  44. WIRED Staff (April 26, 2016). "25 Geniuses Who Are Creating the Future of Business". Wired. ISSN 1059-1028. Retrieved March 19, 2020.
  45. "The Levchin Prize for Real World Cryptography". RealWorldCrypto.
  46. Levchin, Max (January 4, 2017). "2017 Levchin Prize for Real World Cryptography". Yahoo! Finance. Retrieved February 7, 2018.
  47. "Moxie Marlinspike >> About". Retrieved November 22, 2022.
  48. Marlinspike, Moxie; Hart, Windy (June 21, 2012). "An Anarchist Critique of Democracy". The Anarchist Library. Retrieved November 22, 2022.
  49. Marlinspike, Moxie (August 4, 2020). "The Promise of Defeat". The Anarchist Library. Retrieved November 22, 2022.