
Security researchers call for Guardian to retract false WhatsApp backdoor story - sidcool
https://techcrunch.com/2017/01/20/security-researchers-call-for-guardian-to-retract-false-whatsapp-backdoor-story/
======
msravi
> The design decision referenced in the Guardian story prevents millions of
> messages from being lost

So it's a classic tradeoff - convenience vs. security, and the Guardian story
correctly reported it.

> and WhatsApp offers people security notifications to alert them to potential
> security risks.

which is not enabled by default.

Sounds to me like apart from the hyperbolic use of the word "backdoor" (which
apparently has now been removed), The Guardian is in the clear here.

~~~
idlewords
The Guardian headlines (which are still up right now, see
[https://www.theguardian.com/technology/whatsapp](https://www.theguardian.com/technology/whatsapp))
refer to an "encryption vulnerability" and "security flaw". These are
demonstrably false statements, as the letter explains in detail.

The Guardian needs to retract and sanction its editor. The story is
journalistic malpractice and puts people at risk.

This is not about word use, but about publishing stories that are already
causing people in high-risk places to move off of a secure messenger to SMS.

~~~
Ar-Curunir
It is a security flaw; it's probably not a backdoor.

The flaw is as follows: I'm trying to send you a message, but your phone is
offline and lost. When you get a new phone, your key has changed, but WhatsApp
will deliver my message _before_ informing me of the key change. This applies
also to calls and such (which shouldn't be "delivered" if the other person is
offline).

Why could this be bad? WhatsApp could exploit it as follows (maybe under
orders from the govt.):

1) Make it seem like a user lost their phone.

2) Wait for a message to be delivered to the user's account.

3) Bring the user back online with a new key (generated by WhatsApp
themselves).

4) Read the "encrypted" message.

It's a real vulnerability in the protocol, but the severity depends on your
threat model. As I said above, this might be an acceptable trade off for
messaging, but not for things like calls, where if the user is offline you
don't want the call to go through anyway. All this has been pointed out
clearly by the student who discovered it.
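
The re-send behaviour described in this comment, as an added sketch that is not part of the original thread and is not WhatsApp's or Signal's code. It models only the sender-side policy decision. The class and method names are hypothetical, the keys are constructed sample bytes, and "encryption" is represented by recording the fingerprint of the key each envelope was prepared for.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    NON_BLOCKING = "non-blocking"  # re-send first, tell the sender afterwards
    BLOCKING = "blocking"          # hold messages until the sender accepts the key


def fingerprint(identity_key: bytes) -> str:
    """Short display fingerprint of an identity public key."""
    return hashlib.sha256(identity_key).hexdigest()[:16]


@dataclass
class Envelope:
    plaintext: str
    encrypted_to: str  # fingerprint of the key this copy was prepared for


@dataclass
class SenderClient:
    policy: Policy
    show_security_notifications: bool = False        # off by default, as noted in the thread
    trusted: dict = field(default_factory=dict)      # contact -> trusted fingerprint
    undelivered: dict = field(default_factory=dict)  # contact -> [plaintext]
    held: dict = field(default_factory=dict)         # contact -> [plaintext] awaiting approval
    notices: list = field(default_factory=list)      # what the user is shown

    def send(self, contact: str, text: str, key: bytes) -> Envelope:
        # Simplification: the first key seen for a contact is trusted on first use.
        self.trusted.setdefault(contact, fingerprint(key))
        self.undelivered.setdefault(contact, []).append(text)
        return Envelope(text, self.trusted[contact])

    def on_key_change(self, contact: str, new_key: bytes) -> list:
        """Server reports a new identity key for `contact` while messages are
        still undelivered. Returns the envelopes that leave the device now."""
        new_fp = fingerprint(new_key)
        if new_fp == self.trusted.get(contact):
            return []  # same key, nothing to decide
        pending = self.undelivered.pop(contact, [])
        if self.policy is Policy.BLOCKING:
            # Nothing is re-encrypted until the user has seen the change.
            self.held.setdefault(contact, []).extend(pending)
            self.notices.append(f"{contact}: key changed to {new_fp}, verify before sending")
            return []
        # Non-blocking: pending messages are re-encrypted to the new key
        # immediately; the notice (if enabled at all) comes after the fact.
        self.trusted[contact] = new_fp
        released = [Envelope(text, new_fp) for text in pending]
        if self.show_security_notifications:
            self.notices.append(f"{contact}: security code changed to {new_fp}")
        return released

    def accept_key(self, contact: str, new_key: bytes) -> list:
        """Blocking policy only: the user has verified the new key out of band."""
        new_fp = fingerprint(new_key)
        self.trusted[contact] = new_fp
        return [Envelope(text, new_fp) for text in self.held.pop(contact, [])]


# Constructed sample keys (not real key material).
OLD_KEY = b"constructed-identity-key-old"
NEW_KEY = b"constructed-identity-key-new"


def run_scenario(policy: Policy, notifications: bool = False):
    """One message is sent while the recipient is offline, then the key changes."""
    client = SenderClient(policy, show_security_notifications=notifications)
    client.send("bob", "meet at 6", OLD_KEY)
    released = client.on_key_change("bob", NEW_KEY)
    return client, released


if __name__ == "__main__":
    for policy, notify in [(Policy.NON_BLOCKING, False),
                           (Policy.NON_BLOCKING, True),
                           (Policy.BLOCKING, False)]:
        client, released = run_scenario(policy, notify)
        print(policy.value, "notifications" if notify else "default",
              "released:", len(released), "notices:", client.notices)
```
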

~~~
idlewords
It's a security/usability trade-off, not a flaw.

Making Signal show white-on-white text would make it more secure against
attackers reading over your shoulder. So why doesn't Signal do that?

These are legitimate trade-offs that the Guardian is portraying as
vulnerabilities.

~~~
Ar-Curunir
You're being facetious here with the strawman; this is clearly a choice in the
protocol that exposes something that is not exposed by, say, Signal. Even if
it is a deliberate choice, it doesn't necessarily make it not a flaw; as I
said, it depends on your threat model.

Anyway, I don't think it's a reasonable choice. How many times do people change
phones?!? Even if you're rich you don't do that more than once a year. It
doesn't happen often enough for the user to become "accustomed" to warnings
and simply click through them.

~~~
idlewords
I'm not joking here, or making a strawman argument. You could make Signal show
white-on-white, so the recipient had to select text to see it.

But you don't, because shoulder surfing is not the threat model for Signal.
And individually targeted MITM attacks by governments that can take over a
server are not the threat model for WhatsApp.

~~~
RodericDay
You know, I've always liked your writing a whole lot. However your behavior in
reaction to this story seems bizarre to me.

I see all these people come in defense of WhatsApp using bizarre statistics
about domestic violence (big correlation with hacking?). Then someone
(tptacek?) was going around saying not a single crypto expert disagrees with
their consensus (trucking all over the original source, Tobias Boelter). Then
there are all these jokey "Is WhatsApp Backdoored Yet?" expressions. It's a
frenzy.

There seem to be a whole bunch of people who take The Guardian article as
_"omg, after this article, people will drop WhatsApp and use something like
Messenger instead!"_. Which, sure enough, may be a common scenario, and worse.
However, the article was obviously meant to push people outside of Facebook
gardens, and into a more secure alternative. It's supposed to make you go
_"WhatsApp is unsafe, I will use Signal instead"_. One of those "trade-offs"
you're talking about in the first place, just like the security vs. purity
one. In this case, erring on the side of activism.

As a sideline observer with very little crypto knowledge, I think Boelter
presented an interesting case, while the anti-Guardian crowd reacted like
crazy people, pulling fire alarms, hurling insults, and Streisand-effect-ing
the story into a huge controversy.

I mean, the EFF article itself, in defense of WhatsApp and against The
Guardian, says:

[https://www.eff.org/deeplinks/2017/01/google-launches-key-tr...](https://www.eff.org/deeplinks/2017/01/google-launches-key-transparency-while-tradeoff-whatsapp-called-backdoor)

> If you are a high-risk user whose safety might be compromised by a single
> revealed message, you may want to consider alternative applications. As we
> mention in our Surveillance Self-Defense guides for Android and iOS, we
> don't currently recommend WhatsApp for secure communications.

It goes on to qualify this statement by saying that's a rare threat model.
However, that right there, is enough to justify the original piece. The idea,
I think, is that everyone should be on something like Signal, so that merely
using Signal wouldn't be taken as a reason for suspicion. If you disagree,
your argument could surely be better than jokes about white text.

Just my two cents as a nobody.

~~~
idlewords
I'm not sure why you're taking the white text example as a joke.

~~~
RodericDay
Weird to have such a bad interaction with one of my minor personal heroes.
Shucks I guess!

------
tptacek
A reminder, for people scratching their heads over how any legitimate-seeming
criticism of the trade-off WhatsApp took could generate this much ire from
this many experts:

WhatsApp has something like a billion users. Virtually none of them asked for
end-to-end encryption. They don't know that they want it, but they got it
anyways when Whisper worked with WhatsApp to add Signal Protocol to WhatsApp.

But just because they don't want it doesn't mean they don't need it. Many
WhatsApp users badly need messaging security that works better than their
alternatives. They don't know it, but with the flip of a switch, they got that
security. More than anything else, this is why Dan Boneh and the
RealWorldCrypto steering committee awarded Moxie Marlinspike and Trevor Perrin
the Levchin crypto prize this year.

Comes now The Guardian with a story saying "WHATSAPP BACKDOORED, BAD, SWITCH".
None of WhatsApp's users are close to being able to evaluate what that means.
But they know what "bad" and "switch" means. And in the global-scale game of
telephone we're all playing now, that's what they're doing. You don't have to
wonder: Zeynep will tell you it's happening.

Nerds on Twitter are puzzled. Isn't this a good thing? Signal is even stricter
about security than WhatsApp. Wouldn't it be better for all these people to be
on Signal? WhatsApp users will in fact probably try installing Signal. They'll
even use it for a couple minutes. _But their peers aren't on Signal_, and
they're switching immediately to messengers where they can find their friends.
Not WhatsApp, though: The Guardian (or their shrill uncle on Facebook) told
them not to. Nope, they're switching to SMS.

State security services could not be happier about this. You can't buy this
kind of PR for money; you have to spend security researcher vanity to get it.
Zeynep will tell you about this too: there are state telecom and security
apparatuses right now signal-boosting The Guardian's irresponsible report. And
there are activists circulating warnings to switch from WhatsApp to other
messengers. It's a disaster: the lie is outrunning us.

The Guardian must retract this story, clearly and loudly. There's a way to
report on the tradeoffs WhatsApp made, but this wasn't it; this was "VACCINES
MAY CAUSE AUTISM". Don't take my word for it: look at who signed the letter,
including Matthew Green, Bruce Schneier, Matt Blaze, Steve Checkoway, Chris
Palmer, Dave Adrian, Bart Preneel, Jonathan Zdziarski, Steve Bellovin, and
Emin Gür Sirer.

~~~
jakobegger
I can't believe how all these security experts are suggesting the Guardian
retract a factually correct article because stupid users might switch from
WhatsApp to SMS. Do you really think the average user is that stupid?

Maybe the Guardian article prompted thousands of people to learn more about
cryptography? This is probably the first time many people have learned that a
security protocol can have flaws.

To me it sounds like a bunch of security experts are angry that they weren't
quoted in the most prominent security story of the year.

~~~
Analemma_
> can't believe how all these security experts are suggesting the Guardian
> retract a factually correct article because stupid users might switch from
> WhatsApp to SMS. Do you really think the average user is that stupid?

The security experts you're complaining about are citing _empirical evidence_
that people mostly switch back to SMS if they stop using WhatsApp. They are
right, and you are wrong.

> Maybe the Guardian article prompted thousands of people to learn more about
> cryptography? This is probably the first time many people have learned that
> a security protocol can have flaws.

Everyone in this discussion agrees that there is no 100% correct answer here,
and that this is all a question of tradeoffs. The security community wants the
option that _minimizes_ harm to the _most_ people, and the Guardian's
reporting is doing the opposite of that. Yes, a few people may have been more
informed about cryptography. The overwhelming evidence is that many more
people instead are switching to a less-secure alternative because they didn't
understand what they were reading.

> To me it sounds like a bunch of security experts are angry that they weren't
> quoted in the most prominent security story of the year.

I don't know where to begin with this. You just told us not to assume the
worst of ordinary people but seem happy to do that with domain experts.

~~~
jakobegger
Did you actually read the open letter?

There is no actual empirical evidence presented in the letter, just a
paragraph with anecdotal evidence that people are unsure what to do, and
assertions that the author's years of experience show that the Guardian's
article has bad effects.

The letter complains that the journalist did not ask any established security
researchers, and discredits the source as a 'single well meaning graduate
student'.

I honestly don't understand why all these domain experts are getting so riled
up over a single story; instead of welcoming the attention it brings, they are
asking a paper to retract a factually correct article, because the presented
flaw should be described as a sensible tradeoff, instead of as a back door.

------
mbgaxyz
Bruce Schneier:

"How serious this is depends on your threat model. If you are worried about
the US government -- or any other government that can pressure Facebook --
snooping on your messages, then this is a small vulnerability. If not, then
it's nothing to worry about."

[https://www.schneier.com/blog/archives/2017/01/whatsapp_secu...](https://www.schneier.com/blog/archives/2017/01/whatsapp_securi.html)

~~~
tptacek
You don't have to wonder whether Schneier believes The Guardian should
retract; he signed Zeynep's open letter.

------
jakobegger
When Apple said that iMessage uses end-to-end encryption, everyone started
complaining that it's not real end-to-end since we have to trust Apple for key
exchange.

Now we have the same thing with WhatsApp: we have to trust them with the key
exchange. It's marginally better, since they have an optional way to enable
notifications after a key was changed.

I applaud the Guardian for running with the story. Whether to call it a back
door / flaw / trade-off is just quarreling over semantics, when the important
part is that you need to trust a central service.

If you want to be sure that no one can intercept your messages, use PGP or
S/MIME (preferably encrypting your message on an air-gapped computer).

Saying that we shouldn't worry about state-level actors is a bit naive after
PRISM was revealed.

If you are doing something that someone in power might dislike, you should not
rely on WhatsApp.

~~~
jocro
> Whether to call it a back door / flaw / trade-off is just quarreling over
> semantics

I think this is writing off a significant portion of the meta-story here,
semantics matter very much in journalism. While the technical nuances of trust
are important, they won't be understood or digested by the average reader.
What will be remembered is the headline, which doesn't say "Whatsapp is as
secure as iMessage" it just says "Whatsapp has a backdoor".

The story you tell is framed by the audience that's listening, and the framing
the Guardian chose unfairly paints Whatsapp as not just secure, but less
secure than alternatives by singling them out. That's not an accurate story.

------
idlewords
Note that the Guardian has published multiple stories about this fake issue,
and seems to be doubling down on its coverage:
[https://www.theguardian.com/technology/whatsapp](https://www.theguardian.com/technology/whatsapp)

The list of names at the end of Zeynep's article is pretty much a who's who of
people you don't want to be publicly called wrong by when reporting on
security.

~~~
morganvachon
A conspiracy theorist would say that it sounds like a hit piece, as if the
Guardian has been nudged by some higher power to slander WhatsApp in an
attempt to push their general readership to drop E2E encrypted messaging
altogether, because the "more secure" options are too difficult or less
popular. The Guardian in particular would be chosen because of its normally
accurate and privacy-conscious coverage in the past; i.e. it has street cred
among activists and others who wish to communicate securely and privately.

A realist would, however, see this as a news outlet unable to own their
mistake and instead doubling down as you said, in a failed attempt to save
face. A journalist wrote this story seemingly by the seat of her pants, and
her employer is on a noble if misguided campaign to defend her article.

I'm taking the realist path on this one; I don't think there's any grand
conspiracy behind their baffling decision to stand behind obviously shoddy
reporting. The fact that so many top security researchers -- who certainly
aren't going to be influenced by any particular government or corporate
interest -- are calling for a retraction is all the assurance I need that the
story is baseless and the Guardian is inexplicably enjoying the taste of shoe
leather.

~~~
idlewords
I take the realist path too, but if this kind of negligent disinformation
succeeds, people who _do_ want to discredit secure apps will notice and
remember.

~~~
ABCLAW
Maciej, I have tremendous respect for you. What follows is a long post, so
please don't feel like I am beating up on you - I am responding to a few
things in this thread.

---

This wasn't negligent disinformation (post-revision of the usage of
'backdoor') on the part of the Guardian. The reaction to the information
presented on the part of the public - to switch to SMS in significant numbers
- was irrational.

That said, there is a productive issue raised by the Guardian that has been
smoked out into the open, namely the revelation of two contradictory
assumptions underlying the decision, as discussed by Moxie in the previous HN
thread, to defend against state level snooping.

The rationale goes a bit like this:

1 - People change keys in the regular course of using Whatsapp. It therefore
needs to accept that without impeding usability.

2 - Most users do not care about security enough to prefer one service to
another for the Whatsapp market segment - Those users use Signal or other
offerings.

3 - Whatsapp's lack of 'post consent' resending is intentional, and designed
to prevent the server from knowing who is monitoring the status of their keys.

4 - As such, Whatsapp effectively defends against dragnet surveillance! As
security minded individuals will note inappropriate key changes once a MITM
attack begins, confer, and determine they have been compromised at scale.

The key flaw here is that 2 and 3 mean that for targeted surveillance,
powerful attackers are unlikely to be uncovered while exfiltrating specific
communications, and likely don't see very much reputational or legal risk to
potentially triggering a key change event.

So people are vulnerable to feasible, targeted message exfiltration, contrary
to what they may have believed when E2E was rolled out. That's newsworthy.

The fact that the security community is striking back makes me feel like they
are circling the wagons now that the Guardian has caught them with their pants
down - They should have been the ones raising these issues and providing the
appropriate framing to protect the public.

~~~
idlewords
The thing the Guardian did that was really unforgivably bad is not canvass
expert opinion. They didn't even care that 'backdoor' has a specific technical
meaning, they just stuck it in the headline and then edited it out after
getting called out.

~~~
ABCLAW
I think this is a valid concern, but one that applies to most media. In my
field, I often see pieces circulated which are incorrect with facts sourced
from less precise colleagues of mine.

I don't believe the piece was not 'newsworthy', though, and I believe the
security industry's response should have been one of collaboration rather than
admonition - it leaves a bad taste in my mouth to see an industry with a clear
communication problem striking at their best potential ally. The Guardian are
not the 'bad guys' for trying to inform us of a vulnerability.

~~~
morganvachon
> _The Guardian are not the 'bad guys' for trying to inform us of a
> vulnerability._

This is my ultimate takeaway as well; their intent was good, it was their
implementation that fell short. I'm just really bothered that they are
unwilling to own their mistake and retract the article, or at the very least
allow a counter-editorial to be written and published by them.

~~~
idlewords
They've offered to publish a counter-editorial. But that would just lead to a
headline like "Experts Divided Over Critical WhatsApp Vulnerability".

They need to retract.

------
roddux
I'm not much for conspiracy theories, but it's interesting to note that The
Guardian actually recommends _people concerned about surveillance_ to stop
using WhatsApp, without offering any alternatives.

> If you use WhatsApp as a way to avoid government surveillance due to its
> end-to-end encryption service, you should stop using it immediately.

In the wake of the UK snoopers charter having sailed through parliament, this
seems odd. Occam's razor tells us that it's coincidence and bad reporting, but
still.

~~~
dijit
The Guardian was also one of the publications allowed access to the unfettered
and uncensored Snowden documents.

~~~
idlewords
The Guardian is a big place. Note that this article was written by a
freelancer. It's not a coded signal to the readership to beware; it's an
egregious error of editorial judgement, followed by doubling down to avoid
admitting error.

------
michel-slm
As a Guardian supporting member, I'm forwarding this directly to their
editorial complaints. There are other publications that deserve my money if
the Guardian refuses to stop being sensationalist.

~~~
tptacek
Thank you. This is really exactly what needs to happen. My understanding,
thirdhand, is that The Guardian ran this story based on a single source; Moxie
apparently tried to talk to them and was rebuffed.

The Guardian must retract this story, loudly and clearly.

Moreover, in the future, The Guardian and every outlet like it needs to
understand that stories like this require more than one source. If you've got
a _legitimate_ story about a crypto backdoor in a popular product, security
researchers will fall over themselves to comment on it.

As you can see in this case, they're falling over themselves to disavow it. In
the last hour, we've added Collin Mulliner, Matt Blaze, Peter Honeyman (\o/),
Chris Kanich, and Nicolas Christin --- and all we're doing is circulating the
letter on Twitter. It'll pick up steam from there.

This is not a position The Guardian or any other major news outlet should ever
find itself in. This situation is what the concept of "retraction" was
invented to cover.

~~~
Ar-Curunir
It's not a backdoor, but it's not "not a protocol flaw" either. If The
Guardian had reported it as a flaw in the protocol, would you have been okay
with the coverage?

~~~
tptacek
No. That's what their current reporting says, too. The reporting challenge
here is the same as vaccine reporting: _primum non nocere_.

~~~
Ar-Curunir
But the fact is that it _is_ a protocol flaw (deliberate choice or not).

The Guardian should have inserted caveats stating that this flaw is highly
unlikely to have been exploited, but I would argue that not telling the people
of the flaw is as bad as telling them that it's backdoored.

~~~
tptacek
And a small number of people really are allergic to vaccines. _Primum non
nocere_. The Guardian failed, badly, and needs to retract loudly.

~~~
yarou
Even if they retracted, isn't the damage already done?

The problem with yellow journalism and sensationalism is that purportedly
respectable institutions spin narratives that are dangerous.

I'd be curious to see some empirical data on the impact of this story, i.e.
how many users switched from WhatsApp to Signal or vanilla SMS.

------
jknz
The logic behind this seems off?

Signal and Whatsapp have different behaviors regarding this. (Signal does not
have the issue of re-sending messages as was previously reported here).

This letter signed by a lot of very serious security cryptographers means that
there is a consensus among the community about the "best" behavior in terms of
security, trade-offs, etc.

If there is indeed a consensus about what the "best" behavior is, then both
Whatsapp and Signal should adopt this "best" behavior.

However, Whatsapp and Signal have not adopted the same behavior. So the
consensus does not seem to be there, otherwise both Whatsapp and Signal would
have adopted the "best" consensual behavior.

So by first order logic... There is no consensus on this?

~~~
tptacek
No, that's not what the consensus is about. Many of the people who signed this
letter disagree about what the ideal UX of a secure messenger is.

It's not about ideal UX. Nobody knows what that UX is yet. WhatsApp is the
first messenger with a world-scale userbase to tackle this problem; they're on
the vanguard of work on this problem. Signal has a much smaller userbase and,
importantly, that userbase adopts Signal _specifically to get cryptographic
security_. Signal can innovate in different directions than WhatsApp, and
WhatsApp can in the long term adopt the techniques Signal comes up with that
actually work out.

It's a _good thing_ that there is both a messenger that protects a billion
people without them having to understand public key crypto and another
messenger that protects a much smaller number of people but that also serves
as a laboratory for crypto UX.

If you understand just one thing about the WhatsApp/Guardian dilemma,
understand this: 99.99% of WhatsApp's users don't care about cryptographic
security. They don't even know what that means. _But that doesn't mean they
don't need cryptographic security_. Many of them need it badly whether they
know it or not. But they're only going to use messengers that will allow them
to talk to their peers, and none of their peers are on Signal. If you tell
them WhatsApp is bad, they move to SMS.

------
_Codemonkeyism
Most comments here are like not reporting HTTPS certificate problems/MITM
leakage with arguing that it's better to have HTTPS than not.

I wonder what people here would say if browsers would act with certificates
the way WhatsApp handles key renewal.

We even discuss certificate pinning etc. in the web space.

------
xaa
As an "expert" in another area that has been invoked a few times in this
thread, biology (WRT the vaccine analogy), I do sympathize with the position
of tptacek and others.

It is so very tempting to think that we experts not only know the facts better
than the public, which we usually do, but that we also know what's best for
the public. But I fear that withholding valid but easily misinterpretable
information from the public is a dangerous road to go down. It puts us in the
position of making choices for people.

You can see how, if we start withholding information from the public because
we feel they are too ignorant to handle it, it creates a bit of a
self-fulfilling prophecy.

2017 is really not a very good time for experts in any field to be telling
others to do things "because we say so" or to ask that information be withheld
because we know what's best for people. For better and worse, people are
increasingly distrusting expertise and, as a consequence, (trying to) think
for themselves. This can be a good thing if we let go of a little ego. On the
other hand, our remaining credibility is fragile, and we need to spend it
wisely.

It also does create the _appearance_ of hypocrisy, although not necessarily
the reality, when security researchers are in favor of full and public
disclosure in some cases but not others.

~~~
idlewords
Nobody is talking about withholding information. What we're talking about is
framing a story about a fairly subtle point of security UI design in a way
that doesn't panic people into moving from a secure messenger to SMS, which is
_actually happening_ and which is a terrible outcome.

Ancillary to that, imagine a major story about vaccine risk that didn't talk
to any doctors. That's what the Guardian did here.

~~~
xaa
Also, another reason the vaccine analogy fails is that this situation is being
likened to the Guardian overemphasizing the risks of vaccines on the
assumption that the only choices are "vaccine" or "no vaccine".

But the story is really more like "Complications associated with Vaccine A"
when several alternative vaccines without those risks exist.

------
feral
There's a split in the HN community on this issue.

The split seems to be:

- Some people are OK with compromise for usability

- Others think being uncompromising is the only way to eventually achieve
security. (This group is also, rightly imo, suspicious of WhatsApp/Facebook or
any centralized product)

I do understand the latter mindset. Often the only way to get high security is
dogged attention to detail, letting nothing slide. Attackers love to promote
products which provide the illusion of security, but contain flaws or
backdoors; and often the illusion of security is worse than nothing.

But I'm with the group that favors usability compromise here. Open source
projects have successfully built high security products, but rarely gotten
mass consumer adoption, precisely because of an unwillingness to make
concessions to usability.

Without usability concessions, we end up with 30 character random login
passwords - written on stickies on the terminal.

Even if you don't agree with the particular compromises in this case, please
engage with those who do. There's no reason to think they are shills trying to
undermine security. Favoring usability here is at least reasonable, with the
same shared end goal of increased security for end users - this should be
acknowledged, especially given the mass adoption success of WhatsApp/OWS.

~~~
lmm
If we don't care about being secure against an attacker who controls Facebook
then what was the point of end-to-end encryption in the first place? If you're
going to "compromise" that far you might as well just use any number of
centralised messengers with transport encryption.

> There's no reason to think they are shills trying to undermine security.

Moxie's comments about OpenPGP are ample reason. And in any case our response
needs to be robust against the possibility that they are.

> this should be acknowledged, especially given the mass adoption success of
> WhatsApp/OWS.

The mass adoption is precisely why it's so important.

~~~
stouset
People aren't using WhatsApp to replace GPG with a carefully-curated web of
trust. They're using it to replace SMS which can be surveilled both _en masse_
by governments and telecoms, and surveilled by individuals savvy enough to set
up a fake cell tower.

WhatsApp is an unqualified success in this regard. That it makes trade-offs
unsuitable for dissidents of world governments does not diminish this.

~~~
lmm
To the extent that it's displacing SMS, great - anything with transport
encryption is better than SMS. To the extent that it's displacing
Skype/Facebook Messenger/..., meh - if it's not actually secure against a
hostile Facebook (and they have no intention of fixing the flaw) then it's not
really any better than anything that uses SSL. To the extent that people using
it assume it's secure against a hostile Facebook when it isn't, that is
terrible. Fake security is worse than no security.

~~~
stouset
> To the extent that it's displacing SMS, great

This is reassuringly the overwhelming majority of the market that WhatsApp is
eating into.

> To the extent that it's displacing Skype/Facebook Messenger/..., meh

And in this case, it's at least _not worse_. Although I will argue it's still
much better. As has been discussed elsewhere ad infinitum, this tradeoff in
WhatsApp still allows savvy users to enable notifications. And the fact that
_some_ people will do this (and it stands to reason, the people who do this
are precisely the ones who are likely to be targeted) is an effective
deterrent for doing it at all.

> To the extent that people using it assume it's secure against a hostile
> Facebook when it isn't, that is terrible. Fake security is worse than no
> security.

Security is not a boolean. It is unequivocally _more_ secure than Facebook
Messenger, which we can assume is not E2E encrypted. Facebook or governments
with appropriate authority can surveil this en masse. They _can not_ do this
for WhatsApp messages. Attempts to surveil these messages even at a small
scale carry a high risk of tipping their hand that they're doing this
surveillance at all.

1/7th of the world's population is now using E2E-encrypted messaging thanks to
collaboration between WhatsApp and OWS. The number of people who need to
consider Facebook or governments with control over it an active threat against
them perhaps number in the hundreds to low thousands, and this affords good
(if not perfect) protection even to them through a toggle, and _some_
protection even to those who don't enable the toggle.

Anyone who is in this last group is either aware of these limitations, or is
_completely fucked anyway_ because achieving practical security against a
determined, well-funded governmental adversary is frighteningly difficult and
requires ongoing effort and attention.

~~~
lmm
> 1/7th of the world's population is now using E2E-encrypted messaging thanks
> to collaboration between WhatsApp and OWS. The number of people who need to
> consider Facebook or governments with control over it an active threat
> against them perhaps number in the hundreds to low thousands

Agreed, but those few are the only people for whom E2E-encrypted is a
substantial advantage over transport-encrypted.

> Anyone who is in this last group is either aware of these limitations

Largely thanks to the good offices of the Guardian.

WhatsApp claimed to have true E2E security. And it doesn't. The public needed
to be told.

~~~
stouset
> Agreed, but those few are the only people for whom E2E-encrypted is a
> substantial advantage over transport-encrypted.

I could not disagree more.

This is the difference between _large-scale, passive, implicit_ surveillance
of an entire population and _small-scale, active, explicit_ interception of
handfuls of individuals at best.

> WhatsApp claimed to have true E2E security. And it doesn't. The public
> needed to be told.

You have to stop treating security like it's a binary thing. Threat models are
important. It _does_ have E2E security, it just has a tradeoff that allows for
the interception of a single message by a nation-state attacker, with the
probability of this event being detected increasing dramatically with the
number of users they do.

This is not even _close_ to the same thing as not having true E2E security.

~~~
lmm
> This is the difference between large-scale, passive, implicit surveillance
> of an entire population and small-scale, active, explicit interception of
> handfuls of individuals at best.

The large-scale passive surveillance you're talking about in the transport-
encryption case could only be happening with the provider's cooperation. I can
maybe see Facebook/Microsoft/etc. cooperating with the NSA in that way, but
certainly not with the governments mentioned in the letter's rhetoric.

And note that a cooperating WhatsApp could do large-scale, passive, implicit
surveillance of WhatsApp metadata and use that for targeting active attacks.

> You have to stop treating security like it's a binary thing. Threat models
> are important. It does have E2E security, it just has a tradeoff that allows
> for the interception of a single message by a nation-state attacker, with
> the probability of this event being detected increasing dramatically with
> the number of users they do.

An attacker with control of WhatsApp could continue to MitM indefinitely, no?
They would be detected only when the users met up and compared security codes,
which I suspect even dissidents wouldn't be doing frequently.

I agree that WhatsApp is probably more secure, and certainly no less secure,
than apps with zero effort at E2E (I more-or-less endorse the preference order
given at
[https://copperhead.co/android/docs/usage_guide](https://copperhead.co/android/docs/usage_guide)
). But this is a real vulnerability that makes WhatsApp substantially less
secure than was previously thought and claimed, and substantially less secure
than what someone who just heard "end-to-end encrypted" would expect. It
needed to be publicised.

------
tlogan
First Question:

Let's suppose I'm a human rights activist in Egypt. I have enabled security
notifications in WhatsApp, and the other person's phone is captured by the
authorities, but they cannot unlock it, so they make it seem that the user lost
their phone. Now, if I send a message to that user, is this message received by
the other party with a warning that it is not encrypted, or is it not delivered
at all?

Second Question:

Is there any guarantee that the server cannot change settings on the client?

~~~
lmm
> Now, if I send a message to that user, is this message received by the other
> party with a warning that it is not encrypted, or is it not delivered at all?

It's delivered and then you see the warning.

> Is there any guarantee that the server cannot change settings on the client?

No. Prior to this story I would have assumed there would at least be some risk
of being caught by security professionals, but I guess the security community
would be falling over itself to explain how the backdoor was an accident or a
legitimate usability choice.

------
tgsovlerkhgsel
I'm not sure if I understood the issue fully: Assuming both parties have the
"show security warnings" setting enabled and take it seriously, but ignore the
lack of "message delivered" checkmarks, can the attacker snoop on one message
or multiple ones?

As soon as the message is delivered it cannot be resent anymore, but could the
attacker refuse to provide the delivery confirmations, then perform the attack
(getting all messages that weren't yet marked as delivered, potentially over a
large timeframe, while also showing the warning)? If so, I'd say it is a thing
to worry about.

A smart attacker could wait until one party is switching phones, so that the
warning is not considered suspicious, and since they could swap the new-
correct key in immediately afterwards, users would be likely to dismiss the
missing checkmarks and double key-change notification (at least before this
news was published).

Also, for phone calls, WhatsApp only shows the warning after the call.

I don't believe these are backdoors, but I'm surprised WhatsApp isn't taking
it more seriously and trying to address it.
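
The ordering this comment asks about, as a toy model added here (not part of the original thread, and not WhatsApp's or Signal's code): it compares a client that re-encrypts undelivered messages to a changed key and warns afterwards with one that warns first and holds them. The `Sender` class, the `key-A`/`key-B` labels and the message names are constructed for illustration, and no real cryptography is performed.

```python
from dataclasses import dataclass, field

@dataclass
class Sender:
    """Toy sending client: tracks only the order of encryptions and warnings."""
    block_on_key_change: bool                     # True = hold until the user accepts
    peer_key: str = "key-A"                       # constructed identity-key label
    pending: list = field(default_factory=list)   # sent, no delivery receipt yet
    log: list = field(default_factory=list)       # ordered (event, detail) tuples

    def send(self, text):
        self.pending.append(text)
        self.log.append(("encrypt", f"{text} -> {self.peer_key}"))

    def delivery_receipt(self, text):
        # A delivered message leaves the queue and is never re-encrypted.
        self.pending.remove(text)

    def _resend_pending(self, new_key):
        self.peer_key = new_key
        for text in self.pending:
            self.log.append(("encrypt", f"{text} -> {new_key}"))

    def peer_key_changed(self, new_key):
        if self.block_on_key_change:
            self.log.append(("warn", new_key))    # warn first, send nothing
            return
        self._resend_pending(new_key)             # re-encrypt to the unverified key
        self.log.append(("warn", new_key))        # warning only after the resend

    def user_accepts(self, new_key):
        # Blocking policy: resend only once the user has verified the new key.
        self._resend_pending(new_key)

def sent_before_warning(sender, key):
    """Messages encrypted to `key` before any warning about it was logged."""
    out = []
    for event, detail in sender.log:
        if event == "warn" and detail == key:
            break
        if event == "encrypt" and detail.endswith(f"-> {key}"):
            out.append(detail.split(" -> ")[0])
    return out

def scenario(block):
    s = Sender(block_on_key_change=block)
    s.send("m1")
    s.delivery_receipt("m1")        # delivered normally
    s.send("m2")
    s.send("m3")                    # receipts for m2 and m3 never arrive
    s.peer_key_changed("key-B")     # constructed key-change event
    return sent_before_warning(s, "key-B")
```

In this model the exposure is bounded by the undelivered queue at the moment of the key change: `m1`, already acknowledged, is never re-encrypted under either policy.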

------
Dan_JiuJitsu
The vulnerability in WhatsApp was correctly described by the Guardian. Signal
is more secure and does not have this vulnerability. How, exactly, is
suggesting users migrate to a more secure messaging platform misleading in any
way?

~~~
tptacek
Because, once again, the billion-plus WhatsApp users don't use WhatsApp
because they care about cryptography; they use it because it's the most
dependable method they have to communicate with their peer group. If The
Guardian tells them to switch to Signal because WhatsApp is bad, they'll use
Signal for 4 minutes before switching to SMS --- which is what's actually
happening.

~~~
Dan_JiuJitsu
So, we agree that calling this a 'fake' article is itself misleading. We also
agree that Signal is a more secure alternative. Your position is essentially
'people can't be trusted with accurate information, you have to dumb it down so
they can make the "right" choice based on the limited information they can
absorb, so the Guardian should apologize and retract their accurate story.'

~~~
idlewords
Non-experts can't be expected to make an accurate evaluation of the UX trade-
offs in handling buffered message delivery after a key change.

They trust that the Guardian, a highly reputable newspaper, has spoken to
experts in the field, done the research, and made this evaluation, which it
accurately reflected in the headline.

That trust is misplaced. That's why this is a fake story.

~~~
Dan_JiuJitsu
It's not a fake story. Every piece of information they presented is accurate.
The Guardian did speak to experts in the field. I won't bore you with my
credentials, but I agree with their assessment as well. Taking issue with the
advice they give on UX grounds is one thing, but attacking the factual basis
of the article is misguided.

~~~
idlewords
I have to come back to the vaccine analogy. Running a story headlined "Common
Vaccine Can Kill Your Children" would be factually accurate, too. Experts in
the field would confirm that that can happen.

This is not a "well, actually" nerdfight. This is about putting real people in
danger through egregiously irresponsible reporting.

~~~
Dan_JiuJitsu
So, basically, your argument is that 'People can not be trusted with
information that may be nuanced, so instead news outlets should limit
themselves to headlines that minimize risk.' Comparing the use of an app to a
lifesaving medicine is, in my view, a gross mis-characterization. The article
suggested a more secure alternative that we all agree is more secure. What's
the issue?

~~~
scott_s
Nuanced information requires nuanced explanations. This coverage is not
nuanced:
[https://www.theguardian.com/technology/whatsapp](https://www.theguardian.com/technology/whatsapp)

------
WhitneyLand
The Guardian made a mistake. They mischaracterized the issue. Now they're
trying to correct it and offering a forum for rebuttal. The comparison with
vaccines is actually offensive to me as someone negatively affected by that
controversy.

In general I want potential issues like this to be noted (when properly
defined and characterized) and debated.

These experts are arguing that WhatsApp makes the best possible trade offs
given their user base. I don't agree and think it's worthy of discussion. The
tradeoff they refer to is really a UX/product design decision.

~~~
idlewords
Why is the vaccine comparison offensive to you?

~~~
scholia
Andrew Wakefield's autism claims were not based on honest scientific research.

Do you think that Tobias Boelter faked his research?

That's what your comparison implies....

~~~
idlewords
I'm not referring to autism, but rare fatalities from vaccination due to
things like anaphylactic shock. It is documented that they happen, and they
are also a terrible reason not to vaccinate.

~~~
scholia
Rather old story. It was the Wakefield saga that kicked off the anti-vaxxing
thing...

------
electic
back door

ˈˌbak ˈdô(ə)r/

noun

noun: backdoor

1. the door or entrance at the back of a building.

2. a feature or defect of a computer system that allows surreptitious
unauthorized access to data.

Seems like a backdoor to me. The reality is that the way it is implemented
allows a foreign government to see messages it is not supposed to see...and
that is a defect. I thank the Guardian for taking the lead on this and bringing
this issue to light.

------
_Codemonkeyism
Reading this thread I want to be the Guardian, half of the comments assume >1
Billion of people are reading the Guardian and act on articles.

~~~
idlewords
Word gets around. People attending the Women's March in DC got an email
telling them not to use WhatsApp. We have evidence that people in
authoritarian countries outside the US are moving off WhatsApp based on this
article.

All it takes is a rumor.

------
bostik
I posted this in the other[tm] thread earlier today:
[https://news.ycombinator.com/item?id=13442653](https://news.ycombinator.com/item?id=13442653)

Basically everyone in this thread who are _NOT_ signatories to the open letter
could spend their time a lot worse than by listening to the segment with Alec
Muffett.

I may disagree with some of his opinions on the desired UX, but the technical
details and threat model considerations are very thorough and thought out.

------
WillyOnWheels
The "WhatsApp is backdoored" people are mailing this story around:

[https://rbth.com/news/2017/01/16/whatsapp-helps-chechen-poli...](https://rbth.com/news/2017/01/16/whatsapp-helps-chechen-police-foil-terror-attacks_682196)

------
robrenaud
How do you know what a closed source app is doing? How do you know that they
won't just go and change the code to send plain text messages to a log
somewhere?

~~~
CiPHPerCoder
[http://binary-auditing.com](http://binary-auditing.com)

Binaries aren't magic.

~~~
iwlbebnd
Binaries which have a client-server architecture certainly are.

Is the claim the full WhatsApp stack is open to regular independent third party
security audits from multiple firms?

~~~
CiPHPerCoder
You don't need to know what the server does with your data if the client is
encrypting it properly.

The client-server architecture is irrelevant here.

Read this, then flip the roles:
[https://paragonie.com/blog/2016/03/client-authenticity-is-no...](https://paragonie.com/blog/2016/03/client-authenticity-is-not-server-s-problem)

Reverse engineer the client-side app. You now know what the client-side app
(the part that people want to be open source) is doing. You don't need to know
what the server's code is doing.

~~~
iwlbebnd
Which is exactly the issue? At any time the server can request a key reset and
have messages resent. I don't see how it is at all irrelevant since it is
exactly what the cause is here.

~~~
CiPHPerCoder
The issue is that the client software being open source (rather than closed
source) would do nothing to change the risk profile, so it's not worth
bringing up.

If the client is open source: What the server is doing is irrelevant as long
as the client is secure.

If the client is closed source: What the server is doing is irrelevant as long
as the client is secure.

If the server can compromise the client, whether or not the client is open
source does not matter.

People who believe that open source is a prerequisite for security are
disregarding _the entire discipline of reverse engineering_ which is a large
chunk of software security expertise.

------
stefantalpalaru
From the open letter on
[http://technosociology.org/?page_id=1687](http://technosociology.org/?page_id=1687)
:

> The behavior described in your article is not a backdoor in WhatsApp. This
> is the overwhelming consensus of the cryptography and security community. It
> is also the collective opinion of the cryptography professionals whose names
> appear below. The behavior you highlight is a measured tradeoff that poses a
> remote threat in return for real benefits that help keep users secure, as we
> will discuss in a moment.

What real benefits are gained from making it easy for ISP-level attackers to
mount man-in-the-middle attacks? Security from your spouse snooping on your
phone? What's the threat model here and why are these experts so adamant in
minimizing the security risks?

Moxie went as far as to ignore the opt-in aspect of the (very benign looking)
key change notification, but he's on the payroll. What's the motivation of the
other experts in this sudden "overwhelming consensus"?

~~~
tptacek
The open letter answers your question. I'll flip it around on you: what makes
you think you're seeing some important wrinkle of this problem that Matthew
Green, Bruce Schneier, Matt Blaze, Steve Checkoway, Chris Palmer, Dave Adrian,
Bart Preneel, Jonathan Zdziarski, Steve Bellovin, and Emin Gür Sirer aren't
seeing? Many of these people study backdoors, and crypto backdoors in
particular, practically full-time.

------
kahrkunne
The Guardian is a fake news website. Of course they won't pull it.

~~~
scholia
The Guardian has trained and experienced reporters, a code of conduct to keep
them honest, subeditors who are also fact checkers, and an ombudsman (Readers'
editor) with independent power to cross check and correct mistakes. It's also
owned by a charitable trust, and is under no obligation to publish the lies
preferred by its non-existent fat-cat proprietor.

Calling it a fake news site says more about you than it says about the
Guardian.

~~~
kahrkunne
None of that changes anything about the fact that they regularly publish half-
truths or outright lies, though. As is the case in this situation.

There's a big gap between theory and practice.

~~~
scholia
A small gap, which is hardly unusual given that humans are not perfect. It's
still not a fake news site. There are plenty of those, and telling lies about
the Guardian doesn't help anyone.

