Moxie Marlinspike is an American entrepreneur, cryptographer, and computer security researcher. Marlinspike is the creator of Signal, co-founder of the Signal Technology Foundation, and served as the first CEO of Signal Messenger LLC. He is also a co-author of the Signal Protocol encryption used by Signal, WhatsApp, Google Messages, Facebook Messenger, and Skype.
Marlinspike is a former head of the security team at Twitter and the author of a proposed SSL authentication system replacement called Convergence. He previously maintained a cloud-based WPA cracking service and a targeted anonymity service called GoogleSharing.
Career
Marlinspike began his career working for several technology companies, including enterprise infrastructure software maker BEA Systems Inc.
In 2010, Marlinspike was the chief technology officer and co-founder of Whisper Systems, an enterprise mobile security startup company. In May 2010, Whisper Systems launched TextSecure and RedPhone. These were applications that provided end-to-end encrypted SMS messaging and voice calling, respectively. Twitter acquired the company for an undisclosed amount in late 2011. The acquisition was done "primarily so that Mr. Marlinspike could help the then-startup improve its security". During his time as Twitter's head of cybersecurity, the firm made Whisper Systems' apps open source.
Marlinspike left Twitter in early 2013 and founded Open Whisper Systems as a collaborative open source project for the continued development of TextSecure and RedPhone. At the time, Marlinspike and Trevor Perrin started developing the Signal Protocol, an early version of which was first introduced in the TextSecure app in February 2014. In November 2015, Open Whisper Systems unified the TextSecure and RedPhone applications as Signal. Between 2014 and 2016, Marlinspike worked with WhatsApp, Facebook, and Google to integrate the Signal Protocol into their messaging services.
On February 21, 2018, Marlinspike and WhatsApp co-founder Brian Acton announced the formation of the Signal Technology Foundation and its subsidiary, Signal Messenger LLC. Marlinspike served as Signal Messenger's first CEO until stepping down on January 10, 2022.
In the wake of the United States government group chat leak, Marlinspike posted in March 2025: "There are so many great reasons to be on Signal. Now including the opportunity for the Vice President of the USA to randomly add you to a group chat for coordinating sensitive military operations. Don't sleep on this opportunity."
Research
SSL stripping
In a 2009 paper, Marlinspike introduced the concept of SSL stripping, a man-in-the-middle attack in which a network attacker could prevent a web browser from upgrading to an SSL connection in a way that would likely go unnoticed by a user. He also announced the release of a tool, sslstrip, that would automatically perform these types of man-in-the-middle attacks. The HTTP Strict Transport Security (HSTS) specification was subsequently developed to combat these attacks.
SSL implementation attacks
Marlinspike has discovered a number of different vulnerabilities in popular SSL implementations. Notably, he published a 2002 paper on exploiting SSL/TLS implementations that did not correctly verify the X.509 v3 "BasicConstraints" extension in public key certificate chains. This allowed anyone with a valid CA-signed certificate for any domain name to create what appeared to be valid CA-signed certificates for any other domain. The vulnerable SSL/TLS implementations included the Microsoft CryptoAPI, making Internet Explorer and all other Windows software that relied on SSL/TLS connections vulnerable to a man-in-the-middle attack. In 2011, the same vulnerability was discovered to have remained in the SSL/TLS implementation on Apple Inc.'s iOS. Also notably, Marlinspike presented a 2009 paper in which he introduced the concept of a null-prefix attack on SSL certificates. He revealed that all major SSL implementations failed to properly verify the Common Name value of a certificate, so that they could be tricked into accepting forged certificates by embedding null characters into the CN field.
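The Common Name flaw described above comes down to comparing a length-prefixed certificate field as if it were a C string. The following is an added example, not code from any of the implementations named; `struct cert_name`, the function names and the sample names are constructed for illustration, and wildcard and subjectAltName handling are left out.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A name as the certificate carries it: raw bytes plus an explicit length. */
struct cert_name {
    const unsigned char *data;
    size_t len;
};

/* Constructed sample values (not taken from any real certificate). */
static const unsigned char CN_PLAIN[] = "www.example.com";
static const unsigned char CN_NUL[]   = "www.example.com\0.other.example";
static const struct cert_name SAMPLE_PLAIN = { CN_PLAIN, sizeof CN_PLAIN - 1 };
static const struct cert_name SAMPLE_NUL   = { CN_NUL,   sizeof CN_NUL - 1 };

/*
 * Flawed check: treats the CN as a NUL-terminated C string, so the
 * comparison stops at the first embedded NUL and ignores cn->len.
 * (The samples above are string literals, so the read stays in bounds.)
 */
int cn_matches_cstring(const struct cert_name *cn, const char *host)
{
    return strcasecmp((const char *)cn->data, host) == 0;
}

/*
 * Hardened check: a CN containing any NUL byte is rejected outright,
 * and the comparison covers the full encoded length of the field.
 */
int cn_matches_strict(const struct cert_name *cn, const char *host)
{
    size_t host_len = strlen(host);

    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;                       /* embedded NUL: malformed name */
    if (cn->len != host_len)
        return 0;                       /* lengths must agree exactly */
    return strncasecmp((const char *)cn->data, host, host_len) == 0;
}

int main(void)
{
    const char *host = "www.example.com";

    printf("plain CN,  C-string check: %d\n", cn_matches_cstring(&SAMPLE_PLAIN, host));
    printf("plain CN,  strict check:   %d\n", cn_matches_strict(&SAMPLE_PLAIN, host));
    printf("NUL in CN, C-string check: %d\n", cn_matches_cstring(&SAMPLE_NUL, host));
    printf("NUL in CN, strict check:   %d\n", cn_matches_strict(&SAMPLE_NUL, host));
    return 0;
}
```

The two checks agree on the plain name and disagree only on the name with the embedded NUL, which is the case a regression test for a certificate validator should cover.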
Solutions to the CA problem
In 2011, Marlinspike presented a talk, "SSL And The Future Of Authenticity", at the Black Hat security conference in Las Vegas. He outlined many of the problems with certificate authorities and announced the release of a software project called Convergence to replace them. In 2012, Marlinspike and Perrin submitted an Internet Draft for TACK, which is designed to provide SSL certificate pinning and help solve the CA problem, to the Internet Engineering Task Force.
Cracking MS-CHAPv2
In 2012, Marlinspike and David Hulton presented research that makes it possible to reduce the security of MS-CHAPv2 handshakes to a single DES encryption. Hulton built hardware capable of cracking the remaining DES encryption in less than 24 hours, and the two made the hardware available for anyone to use as an Internet service.
Mobily surveillance controversy
In 2013, Marlinspike published emails on his blog that he claimed were from Saudi Arabian telecom service Mobily soliciting his help in surveilling their customers, including intercepting communications running through various applications. Marlinspike refused to help, making the emails public instead. Mobily denied the allegations. "We never communicate with hackers", the company said.
Traveling
Marlinspike says that when flying within the United States he is unable to print his own boarding pass, is required to have airline ticketing agents make a phone call in order to issue one, and is subjected to secondary screening at TSA security checkpoints.
While entering the U.S. on a flight from the Dominican Republic in 2010, Marlinspike was detained by federal agents for nearly five hours, all his electronic devices were confiscated, and at first agents claimed he would only get them back if he provided his passwords so they could decrypt the data. Marlinspike refused to do this, and the devices were eventually returned, though he noted that he could no longer trust them, saying, "They could have modified the hardware or installed new keyboard firmware."
Recognition
* In 2016, ''Fortune'' magazine named Marlinspike among its 40 under 40 for being the founder of Open Whisper Systems and "encrypting the communications of more than a billion people worldwide". ''Wired'' also named him to its "Next List 2016," as one of "25 Geniuses Who Are Creating the Future of Business."
* In 2017, Marlinspike and Perrin were awarded the Levchin Prize for Real World Cryptography "for the development and wide deployment of the Signal protocol".
Personal life
Originally from the state of Georgia, Marlinspike moved to San Francisco in the late 1990s at age 18. The name ''Moxie Marlinspike'' is an assumed name partly derived from a childhood nickname.
Marlinspike is a sailing enthusiast and master mariner. In 2004, he bought a derelict sailboat and, with three friends, refurbished it and sailed around the Bahamas while making a "video zine" about their journey called ''Hold Fast''.
He is also an anarchist, and several of his essays and speeches are published on the website ''The Anarchist Library'', including "An Anarchist Critique of Democracy" and "The Promise of Defeat."