Multiple security flaws found in DeepSeek iOS app, incl sending unencrypted data
12 comments · February 7, 2025
anotherhue
In Anno 2025 how does 3DES get past a reviewer?
tedunangst
What's wrong with 3DES?
ziddoap
>Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN
>CVE-2016-2183, CVE-2016-6329
>[...] short block size makes a block cipher vulnerable to birthday attacks, even if there are no cryptographic attacks against the block cipher itself. We observe that such attacks have now become practical for the common usage of 64-bit block ciphers
>We show that a network attacker who can monitor a long-lived Triple-DES HTTPS connection between a web browser and a website can recover secure HTTP cookies
anotherhue
It's been slowly phased out for some time, so to see it appear in a net-new project is highly unusual.
Here's just a random example of it being removed back in 2016 https://cvsweb.openbsd.org/src/usr.bin/ssh/myproposal.h?rev=...
null
Is this a flaw or feature that allows government spying?