That’s right, my friends, the glorious day has come when I can finally say that Wickr’s crypto module is officially certified to the standard set forth in the Federal Information Processing Standard (FIPS) Publication 140-2, affectionately known as “FIPS 140-2”. This being Grammy season, on behalf of the team here at Wickr, I’d like to thank everyone who made it possible, from our wonderful developers, staff members, and their families to — in all seriousness, now — our federal customers and the many contributors to the OpenSSL Foundation.
For a software company, FIPS certification is an honor and an important milestone. It’s required for many government procurements, so obtaining it has practical implications for companies in terms of opening doors to new business. From the government’s point of view, it also helps guide companies that don’t necessarily have the security culture of a Wickr toward using vetted crypto in their products. Regardless, it’s an expensive undertaking in both time and money, so it’s nice to have it behind us.
But what does FIPS certification actually mean? Does it mean that Wickr software is “secure”? Well, not quite. It at least means that the software we’re using to perform cryptographic operations is solid, which is good, but how we or any other companies with FIPS-certified crypto actually use crypto is a matter of serious differentiation that can’t be captured in a “FIPS-Certified” checkbox.
Speaking of checkboxes, let me say what I really think. Nothing can be as clear — or misleading — as a checkbox on a web page. On the surface, the checkbox would appear to be a simple, innocent way to convey information. Unfortunately, determining whether it’s clear or misleading requires one to look deeper. I’ve seen security products, for example, shamelessly check the “end-to-end encryption” box in their docs even though their crypto was implemented with multiple segments of TLS and disk-based encryption on the server. The net value of a checkbox like that? Zero, and it’s downright perilous to use for any real decision-making. The bottom line is that you should always dig deeper and do your homework on a product you are looking to obtain, even if it checks all the required boxes.
Obtaining FIPS certification is an exciting moment for Wickr. It means good things, and it will be especially useful to our federal customers. It doesn’t tell the whole story of Wickr security, however. We urge our potential clients to reach out to us to learn the full story behind our product and our crypto.