Cross-border documentation of failures around security and implementation process #12
Comments
|
Should this not be a markdown page on its own rather than an issue? This issue could stand for discussions concerning that page. |
|
My motivation to have it as an issue was that listing new issues here would conversely add a notification about this issue in the issues we would reference from here (thereby enlisting people like you interested in their own country to see the bigger picture). The issue network as the basis of a social network. Makes sense? I agree though, it should be its own page. Would it make more sense to have a wiki page, or its own markdown page? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Many national teams setting out to deploy the Google and Apple Exposure Notification API are encountering some problems around unforeseen security issues in the Bluetooth API and the process of addressing these issues while balancing privacy interests.
Indeed, the protocol developed by DP-3T was deemed "safe enough", based on:
Unfortunately, the reality is much more subtle than that. In actually implementing their own spin on the protocol, Apple and Google introduced a few weaknesses.
These were first described in a paper by Vaudenay and Vuagnoux. See also here for context on how this paper came to light.
In subsequent work, joint with Joel Reardon, we describe a SDK attack potentially leveraging one of those weaknesses.
This leads to an uncomfortable situation for developers of those national systems, sitting between shifting API grounds and unmet expectations to their public health authorities. We document here how each group is publicly dealing with the attacks, and constructing a new process of documentation and reporting.
The text was updated successfully, but these errors were encountered: