Breyten Ernsting

Web developer at Open State Foundation.

A Note on the Security of Heml.is

Heml.is advertises itself as a secure messenger. But how secure is it? Let’s look into this.

The main thing that caught my eye when looking at the frequently asked questions was the following:

“The fundamental benefits of Heml.is will be the app together with our infrastructure, which is what really makes the system interesting and secure.”

Further down they state that:

“The way to make the system secure is that we can control the infrastructure. Distributing to other servers makes it impossible to give any guarantees about the security.”

This shows that Heml.is relies on security through obscurity. This is not good practice: there may well be security issues, but they would not be obvious. But we have nothing to fear because:

“We’ll have audits from trusted third parties on our platforms regularly.”

In other words: “just trust us”.

Now, doesn’t that sound familiar?
