Wire results:

Initial contact: Wire offers a weaker guarantee than the “trust on first use” semantics of other private messengers. Wire will always trust any key or any key change without any notification, blocking or otherwise, unless you explicitly verify all of a contact’s keys and they verify all of yours (very difficult to do, see below).

Message after key change: In my testing, I was able to reproduce results that have not been consistently verified. I have seen key changes without any warnings (as in the screenshots above), but have also seen a key change with a warning after the fact (this did not prevent Bob from sending the message to Alice), and others testing on Twitter (thanks Zaki Manian and @tqbf) have seen blocking warnings.

Wire has responded to say the correct behavior is if both Alice and Bob have bidirectionally verified each-other’s devices, Bob will see a blocking warning here before he can send a message to Alice after a key change. I think this behavior might not be rock solid, and the bidirectional verification requirement is very strange.

Key change while message in transit: Some messengers lose this message, others handle it insecurely. Wire loses the message, and I’m uncertain about the security. There is the same level of uncertainty as with the “message after key change” test above.

Verification UI/UX: Some messengers I tested felt sloppy here, but Wire feels actively user hostile. Unlike Signal’s protocol, where each device shares a common identity, Wire has made the awful decision to give each device its own identity.

Wire also counts each re-install on a single physical device as a “new device,” which means that a user’s device list quickly starts to look like the screenshots above (this test started with one “device” and quickly ballooned to three “devices,” even though only one physical phone was ever involved).

This means that a user with three physical devices has to get all their devices together and make six comparisons between them every time they make a change on any of them, and users wishing to verify each-other have to do an N² comparison between all of their respective devices.

The actual fingerprint format is 64 hexadecimal characters, formatted in a way that should come with an epilepsy warning. This means that two users with three devices would have to compare an awful 1152 characters in order to verify each-other.

Wire summary:

Very bad: Wire’s key change notification behavior is at best flaky.

Very bad: Wire’s design is hostile to secure communication at a structural level. Even if they fix the flaky key change issues, the way they’ve chosen to design their e2e encryption means that it will always be almost impossible for users to engage with Wire securely.

Very bad: Wire has a weaker guarantee than “trust on first use.” It is similar to messengers that require users to enable a setting for key change notifications, but instead of a setting, users have to complete an impossible task (like comparing 1152 characters), and also ensure that all their conversation partners do the same. This does not feel like key verification that was designed to be used.

Still very bad: I poked around some more and noticed two other critical vulnerabilities, which I’ll write up soon.

In short, I think Wire is the new Telegram.