Moxie Marlinspike
Security researcher

American entrepreneur

aka: Moxie Marlinspike, Mike Benham, Matthew Rosenberg, Johnny McDouglas, Matthew Rosenfield, Matthew Rosenfeld
Life: 1980 – present
Born: 1980
Nationality: United States

Moxie Marlinspike is an American entrepreneur, cryptographer, and computer security researcher. Marlinspike is the creator of Signal, co-founder of the Signal Technology Foundation, and served as the first CEO of Signal Messenger LLC. He is also a co-author of the Signal Protocol encryption used by Signal, WhatsApp, Google Messages, Facebook Messenger, and Skype.

Early Life

Originally from Georgia, Marlinspike relocated to San Francisco in the late 1990s at age 18. The name Moxie Marlinspike is an assumed name, partly derived from a childhood nickname. Early in his career he worked for several technology companies, including enterprise infrastructure software maker BEA Systems.

Career

In 2010, Marlinspike co-founded Whisper Systems, an enterprise mobile security startup, where he served as chief technology officer. That same year, Whisper Systems launched TextSecure and RedPhone — applications providing end-to-end encrypted SMS messaging and encrypted voice calling, respectively. Twitter acquired Whisper Systems in late 2011, primarily to bring Marlinspike on board to strengthen the company's security posture. During his tenure as Twitter's head of cybersecurity, the firm open-sourced the Whisper Systems applications.

Marlinspike departed Twitter in early 2013 and established Open Whisper Systems as a collaborative open source project to continue development of TextSecure and RedPhone. Around this time, he and fellow researcher Trevor Perrin began developing the Signal Protocol, an early version of which debuted in the TextSecure app in February 2014. In November 2015, Open Whisper Systems merged TextSecure and RedPhone into a single application called Signal. Between 2014 and 2016, Marlinspike collaborated with WhatsApp, Facebook, and Google to integrate the Signal Protocol into their respective messaging platforms.

On February 21, 2018, Marlinspike and WhatsApp co-founder Brian Acton announced the formation of the Signal Technology Foundation and its subsidiary, Signal Messenger LLC. Marlinspike served as Signal Messenger's first CEO until stepping down on January 10, 2022. In 2017, he also served as an early technical advisor to cryptocurrency company MobileCoin, which was designed to power in-app payments for Signal.

Security Research

Marlinspike has produced influential research across several areas of cryptography and network security.

In a 2009 paper, he introduced the concept of SSL stripping, a man-in-the-middle attack technique that could silently prevent a browser from upgrading to an SSL connection. He released an accompanying tool, sslstrip, to demonstrate the attack. The HTTP Strict Transport Security (HSTS) specification was subsequently developed in direct response to this work.

He also identified critical vulnerabilities in SSL/TLS implementations. A 2002 paper detailed how implementations failing to correctly verify the X.509 v3 BasicConstraints extension could be exploited to forge apparently valid CA-signed certificates for any domain. Affected implementations included Microsoft's CryptoAPI, exposing Internet Explorer and other Windows software to man-in-the-middle attacks; the same flaw was later found in Apple's iOS in 2011. A separate 2009 paper introduced the null-prefix attack on SSL certificates, demonstrating that major SSL implementations could be tricked into accepting forged certificates by embedding null characters into the Common Name field.
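The null-prefix issue described above comes down to comparing a length-prefixed certificate field as if it were a C string. The following is an added illustration, not code from the page or from the original paper: it shows the flawed comparison next to a length-aware check. The function names and the sample Common Name are constructed for the example, and hostnames are assumed to be already lowercased.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample: a Common Name as stored in a certificate, i.e. a byte
   string with an explicit length that happens to contain an embedded NUL. */
static const char SAMPLE_CN[] = "bank.example\0.attacker.example";
#define SAMPLE_CN_LEN (sizeof(SAMPLE_CN) - 1)

/* Flawed pattern: the encoded length is ignored and the CN is treated as a
   C string, so the comparison stops at the first NUL byte. */
int match_cn_cstring(const char *cn, size_t cn_len, const char *host)
{
    (void)cn_len;
    return strcmp(cn, host) == 0;
}

/* Hardened check: reject any CN containing a NUL byte, then compare the
   full encoded length against the expected hostname. */
int match_cn_length_aware(const char *cn, size_t cn_len, const char *host)
{
    size_t host_len = strlen(host);

    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;                       /* embedded NUL: never a valid name */
    if (cn_len != host_len)
        return 0;                       /* lengths must agree exactly */
    return memcmp(cn, host, cn_len) == 0;
}

int main(void)
{
    const char *host = "bank.example";  /* name the client intended to reach */

    printf("C-string compare accepts:    %d\n",
           match_cn_cstring(SAMPLE_CN, SAMPLE_CN_LEN, host));
    printf("length-aware compare accepts: %d\n",
           match_cn_length_aware(SAMPLE_CN, SAMPLE_CN_LEN, host));
    printf("clean CN accepted:            %d\n",
           match_cn_length_aware("bank.example", 12, host));
    return 0;
}
```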

In 2011, Marlinspike presented at the Black Hat security conference in Las Vegas, outlining systemic problems with certificate authorities and releasing a software project called Convergence as a proposed replacement. In 2012, he and Perrin submitted an Internet Draft for TACK — a certificate pinning mechanism — to the Internet Engineering Task Force.

Also in 2012, Marlinspike and David Hulton presented research demonstrating that MS-CHAPv2 handshake security could be reduced to a single DES encryption, and made cracking hardware available as a public internet service.

In 2013, Marlinspike published emails he claimed were from Saudi Arabian telecom Mobily soliciting his assistance in surveilling customers. He declined and made the correspondence public; Mobily denied the allegations.

Recognition

In 2016, Fortune magazine included Marlinspike in its 40 Under 40 list, citing his role in encrypting the communications of more than a billion people. Wired named him to its Next List 2016 as one of 25 innovators shaping the future of business. In 2017, Marlinspike and Trevor Perrin received the Levchin Prize for Real World Cryptography for the development and widespread deployment of the Signal Protocol.

Personal Life

Marlinspike is a sailing enthusiast and master mariner. In 2004, he purchased a derelict sailboat, refurbished it with three friends, and sailed around the Bahamas, documenting the journey in a video zine titled Hold Fast. He identifies as an anarchist, and several of his essays and speeches — including "An Anarchist Critique of Democracy" and "The Promise of Defeat" — are published on The Anarchist Library.
