How do people feel about oneID? or a TFI service in general?

I direct you to Bruce Schneier and Phil Zimmermann.

"Some rely on proprietary encryption algorithms. Invariably, these are very weak. Counterpane has had considerable success breaking published encryption algorithms; our track record against proprietary ones is even better. Keeping the algorithm secret isn't much of an impediment to analysis, anyway--it only takes a couple of days to reverse-engineer the cryptographic algorithm from executable code."

  • Schneier

"Or maybe he won't even reveal how his proprietary encryption scheme works, but assures me it's a brilliant scheme and I should trust it. I'm sure he believes that his algorithm is brilliant, but how can I know that without seeing it?"

  • Zimmermann

The OWASP project flat out states "Proprietary encryption algorithms are not to be trusted..."

Schneier and Zimmermann wrote about this at a time when proprietary cryptography was usually snake oil. But the landscape today is different. Proprietary encryption is still not to be trusted, because it is more often than not hostile towards the user. OneID could easily use any of the extremely strong and fast free asymmetric algorithms that exist. But instead they chose to write their own algorithm and hide it from scrutiny. This is not something trustworthy software does. Security through obscurity has never been, and will never be, effective. So when I read about OneID and can't find a single technical detail about the crypto, I think to myself, "What is wrong with the algorithm?" There are two reasons in my mind that they'd hide the workings of their cryptosystem. One: it doesn't work. Two: it is backdoored.

I had to look up their patents to see what the system actually does. Located here; the patent docs are atrocious. They're on the same level as Apple's "Slide to unlock" and "rounded corners" patents. There is still not a single detail about what their algorithm actually does. Their developer docs aren't any help either, the bulk of the text being buzzwords.

The big killer for me is the fact that it's free for end users. Not so free for the nonprofits they keep marketing to on their blog. But for you and me, the service is free. That kind of "free as in beer but not as in freedom" business model reeks of businesses like Facebook.
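To make the commenter's point concrete, here is an added example (not code from the thread, and not OneID's own system, whose internals the thread says are undisclosed) of what a login service built on a public, openly reviewed asymmetric algorithm looks like. It uses Ed25519 from Go's standard library for a challenge-response login: the relying party issues a random nonce, the user's device signs it, and the relying party verifies the signature against the user's registered public key. The relying-party name "example.org" and the message framing are assumptions made for the example; the security of the scheme rests entirely on the published algorithm and the secrecy of the private key, with nothing hidden in the design.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Identity is a user's long-term keypair. In a real deployment only the
// public key is registered with the relying party; the private key never
// leaves the user's device.
type Identity struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewIdentity generates a fresh Ed25519 keypair using the OS CSPRNG.
func NewIdentity() (*Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Identity{Public: pub, private: priv}, nil
}

// NewChallenge returns a random 32-byte nonce. The relying party stores it
// (with a short expiry) until the signed response arrives, so each login
// requires a fresh signature and old responses cannot be replayed.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// challengeMessage binds the nonce to the relying party's name (an assumed
// framing for this example) so a signature produced for one site cannot be
// forwarded to a different site that happens to issue the same nonce.
func challengeMessage(relyingParty string, nonce []byte) []byte {
	return []byte("login-challenge/" + relyingParty + "/" + hex.EncodeToString(nonce))
}

// Respond is the client side: sign the framed challenge with the private key.
func (id *Identity) Respond(relyingParty string, nonce []byte) []byte {
	return ed25519.Sign(id.private, challengeMessage(relyingParty, nonce))
}

// Verify is the relying-party side: accept only a signature over exactly the
// challenge it issued, made by the registered public key.
func Verify(pub ed25519.PublicKey, relyingParty string, nonce, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("registered public key has wrong length")
	}
	if len(nonce) != 32 {
		return errors.New("challenge nonce has wrong length")
	}
	if !ed25519.Verify(pub, challengeMessage(relyingParty, nonce), sig) {
		return errors.New("signature does not verify for this challenge")
	}
	return nil
}

func main() {
	user, err := NewIdentity()
	if err != nil {
		panic(err)
	}
	nonce, err := NewChallenge()
	if err != nil {
		panic(err)
	}
	sig := user.Respond("example.org", nonce)
	fmt.Println("genuine response:", Verify(user.Public, "example.org", nonce, sig))
	fmt.Println("replayed at another site:", Verify(user.Public, "other.example", nonce, sig))
	sig[0] ^= 0xff
	fmt.Println("tampered signature:", Verify(user.Public, "example.org", nonce, sig))
}
```

Everything a reviewer needs to evaluate this design is on the page: the algorithm (Ed25519), what is signed, and how the nonce prevents replay. That is the property the comment is asking for from OneID and not finding.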

/r/cryptography Thread Link - newscult.com