
WhatsApp backdoor allows snooping on encrypted messages - katpas
https://www.theguardian.com/technology/2017/jan/13/whatsapp-backdoor-allows-snooping-on-encrypted-messages
======
sctb
Current thread on the response to this article:
[https://news.ycombinator.com/item?id=13394900](https://news.ycombinator.com/item?id=13394900)

------
niksakl
Well, I kind of feel that I have to repost my comment on this old thread[1]
with regards to the government of Egypt blocking Signal application:

"Isn't it "weird" that they chose to block the Signal app and not the
Signal-protocol-based WhatsApp? If WhatsApp really implements the same kind of
security and privacy measures that Signal does, why is WhatsApp allowed to
continue operating? If Signal is preventing them from spying on users and they
ban it, isn't it safe to assume that WhatsApp is NOT preventing them from
spying on users, so they let it operate? Wouldn't you expect WhatsApp to be
also targeted, especially considering the broad user base it has compared to
Signal? Yes, I know they had blocked WhatsApp in the past, but they didn't
block it now. Which means that something has changed in the relationship of
the Egyptian gov and WhatsApp since 2015."

[1] [https://news.ycombinator.com/item?id=13219304](https://news.ycombinator.com/item?id=13219304)

~~~
MrsPeaches
Simple explanation would be that activists use Signal. [1]

They don't trust WhatsApp and rely on Signal for secure messaging. Blocking
Signal means they are able to target activists without impacting much of the
rest of the population.

[1] Many of the people I know who are activists in countries where they need
to protect their identities use Signal

~~~
admax88q
I wouldn't trust whatsapp even before this revelation.

I would never trust a closed source messaging app if I was an activist,
regardless of what encryption they claim to implement.

~~~
afshinmeh
Good point. At least as a technical person, I would like to use an open-source
messaging application.

Of course I'm not going to read the source code but at least I'm sure
developers behind the app do not open a backdoor for someone else.

~~~
seangrogg
While I'm totally the same in this regard, this does feel a bit like an
open-source version of the bystander effect.

~~~
OJFord
I don't know what the bystander effect is, but I assume we're talking about the
same thing: I often feel that everyone is, along with myself, thinking "great
- open source! I'm sure someone's checking it."

Of course, the counter is that if you publish it you don't risk that someone
actually is checking.

Open beats closed, but we must be careful not to think it immediately makes
the code sound.

I've been thinking about this particularly recently in relation to Monzo, the
will-be bank. There's no web app and slow progress on the android front. Lots
of open source effort though, since they publish an API, but... That's my bank
account I'm (not) giving open source developers access to.

~~~
rhizome
_but we must be careful not to think it immediately makes the code sound_

nobody is saying it's automatically sound, but open is the only option that
makes any security analysis possible.

~~~
OJFord
> _open is the only option that makes any security analysis possible_

I'm not disputing that. Let me repeat myself:

> _Open beats closed_

All I'm saying is that it doesn't stop there. Too often there's this
complacent 'great, it's open source!' - I'm as guilty of it as anyone.

~~~
rhizome
You're begging the question.

~~~
OJFord
Pardon?

------
geocar
I remember receiving the downvote brigade[1], when Moxie himself said that I
should trust WhatsApp without having the source code and the ability to put it
on my device.

We (even a "smart" community like HN) clearly do not have the ability to think
critically about security, and even when our leaders are sincere -- and I
really don't mean to suggest Moxie/Signal was complicit in this move -- we
still rush to defend our champions so quickly that we don't even think about
what's going on.

However, something really important is that this might be mere incompetence:
FaceBook might not have any mechanism for launching this attack, they just
thought the notification message was annoying so they didn't display it. To
that end we need to be vigilant about stupidity as well.

Where does it end? Will we actually stop being okay with buffer overflows and
sloppy programming? Or are we going to continue trying to "be safer" and use
"safe languages" and continuing to try to solve the problem of too much code
to read clearly with more code.

[1]:
[https://news.ycombinator.com/item?id=11669395](https://news.ycombinator.com/item?id=11669395)

~~~
svkkfnisgkcn3ta
I'd go further and say Moxie is complicit by way of negligence. It's unethical
to assist in the implementation of your protocol when you can't guarantee its
privacy protections will actually stand. Otherwise it's free PR for Facebook
to tout "Snowden-approved crypto".

I have no doubt Moxie acted in good faith and wanted to expand encryption to a
large number of users, but this is just another example of why proprietary
software cannot be trusted.

Any and all proprietary implementations of the Signal protocol are now
suspect. OWS should denounce these implementations as least as firmly as they
do interoperable open source Signal client forks.

~~~
unfortunateface
On a completely unconnected note, what was the name of that technique that
GCHQ uses to disrupt online forums and subtly undermine peoples reputations?

~~~
svkkfnisgkcn3ta
[https://theintercept.com/2014/02/24/jtrig-manipulation/](https://theintercept.com/2014/02/24/jtrig-manipulation/)

------
hannob
Some more background:

This was presented in the lightning talks at 33c3, starting around minute 48:
[https://media.ccc.de/v/33c3-8089-lightning_talks_day_4](https://media.ccc.de/v/33c3-8089-lightning_talks_day_4)

Here's the congress wiki with some more links:
[https://events.ccc.de/congress/2016/wiki/Lightning:A_Backdoo...](https://events.ccc.de/congress/2016/wiki/Lightning:A_Backdoor_\(/Bug%3F\)_in_WhatsApp)

And a blogpost:
[https://tobi.rocks/2016/04/whats-app-retransmission-vulnerability/](https://tobi.rocks/2016/04/whats-app-retransmission-vulnerability/)

~~~
ComodoHacker
Thank you. The last link should be the source (a note to moderator).

~~~
mtgx
It's news that Facebook still hasn't fixed it (and they're saying they won't
fix it).

What do you call a known vulnerability that can be used for eavesdropping that
a company refuses to fix?

1) A mistake

2) A bug

3) A backdoor

~~~
Niten
4) A deliberate UX trade-off that, while clearly suboptimal for the kind of
people who read HN, still leaves WhatsApp's massive base of everyday users in
a much better position than they were prior to integrating the Signal
protocol: immune to the more mundane threats of passive mass surveillance and
the exfiltration of message history from Facebook's servers.

~~~
FabHK
Nicely put. Anyone that is so shocked, shocked about this is well advised to
install Signal, Threema, Wire, and furthermore employ defence in depth.

------
jaymzcampbell
The key part is this, and it was apparently reported back in April 2016 with
Facebook replying it's "expected behavior", it's not something a general
attacker can do but it would enable WhatsApp/Facebook to read conversations:

> WhatsApp has the ability to force the generation of new encryption keys for
> offline users, unbeknown to the sender and recipient of the messages, and to
> make the sender re-encrypt messages with new keys and send them again for
> any messages that have not been marked as delivered.

It's worth noting as the article says, that this is built _on top_ of the
Signal protocol. In Signal, a similar situation with a user changing key
offline will result in failure of delivery. Within WhatsApp under
Settings>Account>Security there is an option to _Show Security Notifications_
which will notify you if a user's key has changed.

~~~
samsonradu
I happened to have the Security Notifications on for a while now. I see the
message: "X's security code has changed." pretty often. Under what
circumstances does a new pair of encryption keys get generated?

~~~
joopxiv
One circumstance is when you put your sim card in a different phone. The new
phone recognises that you already have a WhatsApp account, as it's tied to
your phone number, but it doesn't have your private key, so it will generate a
new pair and start exchanging the public part.

------
frabbit
Nothing to worry about according to Gizmodo:

> The supposed “backdoor” the Guardian is describing is actually a feature
> working as intended, and it would require significant collaboration with
> Facebook to be able to snoop on and intercept someone’s encrypted messages,
> something the company is extremely unlikely to do.

[http://gizmodo.com/theres-no-security-backdoor-in-whatsapp-despite-report-1791158247](http://gizmodo.com/theres-no-security-backdoor-in-whatsapp-despite-report-1791158247)

I, for one, certainly cannot imagine Facebook collaborating to such an extent
with the government.

~~~
mentat
There's a </sarcasm> there right?

~~~
frabbit
What? You must be some sort of conspiracy theorist. Just be rational and
extrapolate from your beliefs: if you admit that Facebook might do this, then
why not Google, AT&T, Microsoft? There would be no end to it. Basically it
would mean that all businesses are spying on you and handing the information
over to the government.

I have complete faith that that is untrue based upon just the history of the
last 5 years.

~~~
evv
Sarcasm usually plays out very poorly on written mediums like this, but you
nailed it.

~~~
mentat
Yes, well done.

~~~
frabbit
I feel bad now. I'm just highly frustrated that everyone is not actuated by
the idea "if they _can_ spy on you, then they _will_".

Any appeal to morals/integrity/laws are essentially moot in this area. We have
the ability to protect ourselves and we should be using it.

[https://www.eff.org/deeplinks/2017/01/obama-expands-surveillance-powers-his-way-out](https://www.eff.org/deeplinks/2017/01/obama-expands-surveillance-powers-his-way-out)

~~~
hughes
"They have no reason to look" is to me equivalent to "I have nothing to hide".

Both may be true, but both willfully surrender control of the situation.

------
Arathorn
At the risk of stating the obvious: there is real benefit to using an entirely
decentralised open source comms system like Riot.im (Matrix) or Conversations
(XMPP), where you can pick precisely which app to run, who to trust to build
that app, who to trust to advertise your public keys, and who to host your
server.

It's inevitable that big centralised services like WhatsApp or even Signal are
going to be under pressure from governments to support lawful intercept; in
many countries it's essentially illegal to run a communication service that
can't be snooped under a court order. Multinationals like Facebook are neither
going to want to break the law (as it ends up with their senior management
getting arrested:
[https://www.theguardian.com/technology/2016/mar/01/brazil-police-arrest-facebook-latin-america-vice-president-diego-dzodan](https://www.theguardian.com/technology/2016/mar/01/brazil-police-arrest-facebook-latin-america-vice-president-diego-dzodan))
- nor pull out of those territories (given WhatsApp market penetration in
Brazil is 98.5% or similar).

~~~
Arathorn
oh, and one other thing - there's also real value to independently published
public security audits of the crypto to pick up on things like WhatsApp's
retransmission 'bug', at least as of a given snapshot of the codebase. E.g.
[https://www.nccgroup.trust/us/our-research/matrix-olm-cryptographic-review](https://www.nccgroup.trust/us/our-research/matrix-olm-cryptographic-review)
for Matrix or
[https://conversations.im/omemo/audit.pdf](https://conversations.im/omemo/audit.pdf)
for OMEMO & Conversations.

~~~
FabHK
Off topic, but I like how their URL spells _nccgroup trust us_

------
pilif
No matter what IM service you use: As long as they manage the public keys for
their users, they will be vulnerable to exactly this problem. This isn't just
WhatsApp. This applies to iMessage and Signal too.

In all cases, we rely on the word of the service provider that they don't
sneak additional public keys to encrypt for into the clients and in all cases
we hear that doing so would cause a message dialog to appear, but we have zero
control over that as this is just an additional software functionality (yes.
Signal is Open Source, but do you know whether the software you got from the
App Store is the software that's on Github?)

Also imagine the confusion and warning-blindness it would cause if every time
one of my friends gets a new device I'd get huge warnings telling me that
public keys have changed.

This is a hard problem to solve in a user-friendly way and none of the current
IM providers really solve it. Maybe Threema does it best with their multiple
levels of authenticity.

As such I think it's unfair to just complain about WhatsApp here.

~~~
agd
'As such I think it's unfair to just complain about WhatsApp here.'

I disagree. WhatsApp have a known vulnerability which they won't fix (indeed
they deliberately added this vuln on top of the Signal protocol), and no
denial that they have used this vulnerability in the past.

They made a big PR song and dance about this feature only to backdoor it. That
deserves criticism.

~~~
pilif
_> I disagree. WhatsApp have a known vulnerability which they won't fix
(indeed they deliberately added this vuln on top of the Signal protocol)_

How would you fix it without causing notification-blindness?

~~~
agd
There's no notification blindness. If a key was changed after a message was
sent, then the sender would simply be notified and they could choose to resend
using the new key. This is how Signal works.

------
guidovranken
From the outset I've always expected that a backdoor was present in Whatsapp.
In fact, I'd be surprised if they hadn't granted themselves some special
capabilities with regards to the content of the communications. Touting their
end-to-end encryption has enticed many people to trust the product, sometimes
with strong conviction, while giving themselves a monopoly on access to
communication perceived as secure by the end users. It stands to reason that
claims about security and privacy of an end product (the Whatsapp app), no
matter how lofty the goals that its creator (especially a murky company like
Facebook) has purportedly set out to realize, can be verified without being
completely open. There is software out there like OpenSSL that is developed by
PhDs, and is completely open and available to anyone who wishes to validate
its security, yet vulnerabilities are found years after they've been
introduced into the code. Claims to Whatsapp's security/privacy are
preposterous a priori.

~~~
d33
The fact that you have a PhD in cryptography doesn't necessarily mean you know
how to write secure code. Especially C code. Lots of people hated OpenSSL's
quality long before Heartbleed, but it took that vuln for people to actually
realize how bad it is. I can imagine a good, secure SSL library being written
by somebody without a PhD, in a safer language.

~~~
hellofunk
> Especially C code

Isn't WhatsApp an Erlang app?

~~~
rakoo
Whatsapp is both a server and a client. The server might be written in Erlang,
but the client (where all the end-to-end encryption happens) is written in
whatever the device can run.

~~~
fnj
The device runs machine code. Client code can be written in any language which
can be either compiled or interpreted to machine code.

~~~
SAI_Peregrinus
Android devices run Java, with an option for machine code for some
functionality.

------
agd
"Asked to comment specifically on whether Facebook/WhatApp had accessed users’
messages and whether it had done so at the request of government agencies or
other third parties, it directed the Guardian to its site that details
aggregate data on government requests by country."

This is why people should try and use Signal instead of WhatsApp. You can't
trust Facebook to care about your privacy.

~~~
antocv
Signal is bad as explained previously, it requires Google on your phone to
even work.

If you think Google is more trustworthy than Facebook, sure go ahead and just
use Hangouts or whatever.

We can't have nice good encryption and safe communication when geeks push this
Signal onto unsuspecting users, when the real option is to keep improving
Tox.Chat and bitmessage.

~~~
speakr
I guess it's worth mentioning that people are currently working on removing
the Google services dependency in Signal:
[https://github.com/WhisperSystems/Signal-Android/pull/5962](https://github.com/WhisperSystems/Signal-Android/pull/5962)

~~~
lucb1e
That is good to know, thank you for sharing that! I'll be following this and
try Signal again when it should finally work on my phone :)

------
andyjohnson0
More details in "WhatsApp Retransmission Vulnerability" [1] from April last
year.

[1] [https://tobi.rocks/2016/04/whats-app-retransmission-vulnerability/](https://tobi.rocks/2016/04/whats-app-retransmission-vulnerability/)

~~~
FabHK
_This_ should be the top post - exactly this vulnerability was announced last
year April; it's just that the Guardian picked it up now (with a somewhat
clickbait-y headline, to boot).

~~~
andyjohnson0
I'm going to have to come to the Guardian's defence here. We may take issue
with the term "backdoor" but, for a general readership, their headline is a
good summary of the issue using appropriate language.

~~~
FabHK
Doesn't backdoor imply malicious intent? (Of course you could argue that a
good backdoor looks like an innocuous bug or even a feature...)

Also, if I have notification of key changes enabled and verify key
fingerprints, at most one exchange could be snooped without me noticing. (If
notification of key changes is not enabled and key fingerprints not verified,
all bets are off anyways.)

------
leecarraher
C'mon we know this already, it's not a backdoor.

This has been known and is discussed in the protocol and forums as the trade
off in ease-of-use versus validation. For people wanting security, they simply
check the verify keys, warn on key change. For people who don't care as much
about verifying the recipient, they don't know about the feature, and don't
use it, but they still get pretty good security, can upgrade to verifying if
they choose, all without having to re-key or change protocols/messenger apps.

~~~
jdjb
They should also add a toggle that prevents the client from retransmission to
unknown keys without human approval.

------
cm2187
But if whatsapp owns the code, they don't need a backdoor. They can simply
push an update that sends a copy of the msg to whatever server they may like.

~~~
antocv
Which is the case with Signal as well, and this "security" feature of "google
play services" is why the developer of Signal does not want Signal to be in
f-droid.org's repositories. He wants to be able to push "updates" for any
future "vulnerability" onto the users of Signal.

~~~
retox
A big reason I don't trust Signal. Every single app has some bad side;
Signal's is the reliance on Google.

~~~
Angostura
Using Signal on iOS here - what is the reliance on Google?

~~~
lucb1e
Nothing since you don't have Google Cloud Messaging on iOS, but it's a
different situation. iOS is not open source software like Android (AOSP) is.
If you want, you can have all the software on your phone be open source (save
perhaps for drivers), even though most people will opt to install at least the
Google Play Store, which requires you to install the whole google suite (or at
least it used to when I flashed Cyanogenmod).

So anyone wanting to have a phone with open source products on it for security
reasons, they totally can on Android, but it's impossible with iPhones. Signal
probably relies on Apple's variant of Google Cloud Messaging, but since you'll
always have that on your phone anyway, it makes no difference.

------
lvh
This is not a backdoor. It is a vuln, and it'd be nice if it wasn't there, but
this is not a backdoor.

There is no reason to assume this was "snuck in" with an intent to deceive
users. Retransmission has been known and discussed repeatedly, months ago, and
Facebook acknowledged it. What happened here is a choice of UX over security,
specifically, choosing not to break existing WA users as they move them over
to the otherwise great Signal protocol.

When a key changes, you can just keep trying, notify the user, or drop
everything on the floor. If you want the latter, use Signal.

It would be nice if WhatsApp made 2 the default, and 3 optional. Right now 1
is the default and 2 is the option. The trick is to get the UX somewhere where
normal people can do something useful with that information.

If you are at all upset about this, you are not a target WhatsApp user. It'd
be nice if they changed this, but for the love of all that is good and holy,
stop calling it a backdoor, because it isn't. Words mean things.
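As an added illustration (not code from the article, WhatsApp, or Signal), this Python model compares the three key-change policies lvh lists with the retransmission behaviour jaymzcampbell quotes above: what a sender does with messages already sent but never marked delivered when the server announces a new key for the recipient. The client, key labels and messages are constructed, and real encryption is replaced by a key-id label on each envelope.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class KeyChangePolicy(Enum):
    """What the sender does with messages it sent but never saw marked delivered
    when the recipient's identity key changes (the three options from the thread)."""
    RETRANSMIT = 1  # silently re-encrypt the undelivered messages to the new key
    NOTIFY = 2      # hold them, warn the user, resend only once the user approves the key
    DROP = 3        # discard them and report failure; the user resends by hand


@dataclass(frozen=True)
class Envelope:
    """Stand-in for a ciphertext: which key it was encrypted to, plus the body.
    Encryption is replaced by this label on purpose; the policy logic is the point."""
    seq: int
    key_id: str
    body: str


@dataclass
class SenderClient:
    policy: KeyChangePolicy
    recipient_key: str                 # identity key the sender currently trusts
    notify_on_change: bool = False     # the "Show Security Notifications" setting
    pending: Dict[int, Envelope] = field(default_factory=dict)  # sent, not yet delivered
    notices: List[str] = field(default_factory=list)            # what the user gets shown
    outbox: List[Envelope] = field(default_factory=list)        # everything handed to the server
    awaiting_approval: Optional[str] = None

    def send(self, seq: int, body: str) -> Envelope:
        env = Envelope(seq, self.recipient_key, body)
        self.pending[seq] = env
        self.outbox.append(env)
        return env

    def on_delivered(self, seq: int) -> None:
        """A delivery receipt (the double tick) removes the message from the retry set."""
        self.pending.pop(seq, None)

    def on_key_change(self, new_key: str) -> List[Envelope]:
        """Server announces a new identity key for the recipient; returns what is resent now."""
        if self.notify_on_change:
            self.notices.append(f"security code changed: {self.recipient_key} -> {new_key}")
        if self.policy is KeyChangePolicy.RETRANSMIT:
            self.recipient_key = new_key
            return self._reencrypt_pending()      # no user decision involved
        if self.policy is KeyChangePolicy.NOTIFY:
            self.awaiting_approval = new_key
            self.notices.append(f"{len(self.pending)} message(s) held: approve new key to resend")
            return []
        dropped = len(self.pending)               # DROP: nothing is ever resent automatically
        self.pending.clear()
        self.recipient_key = new_key
        self.notices.append(f"{dropped} message(s) failed: recipient key changed")
        return []

    def approve_key(self) -> List[Envelope]:
        """User checked the new fingerprint out of band and accepted it (NOTIFY policy)."""
        if self.awaiting_approval is None:
            return []
        self.recipient_key, self.awaiting_approval = self.awaiting_approval, None
        return self._reencrypt_pending()

    def _reencrypt_pending(self) -> List[Envelope]:
        resent = [Envelope(s, self.recipient_key, e.body) for s, e in sorted(self.pending.items())]
        self.pending = {e.seq: e for e in resent}  # still undelivered, now under the new key
        self.outbox.extend(resent)
        return resent


def simulate(policy: KeyChangePolicy, notify_on_change: bool = False) -> dict:
    """Scenario from the thread: one message acknowledged, one still in flight when the
    recipient goes offline and the server announces a replacement key for them."""
    server_key = "key-chosen-by-server"  # constructed label, not a real key
    alice = SenderClient(policy, recipient_key="bob-key-1", notify_on_change=notify_on_change)
    alice.send(1, "see you at 9")
    alice.on_delivered(1)
    alice.send(2, "bring the documents")   # Bob never acks this one
    resent = alice.on_key_change(server_key)
    return {
        "resent_to_new_key": [e.body for e in resent if e.key_id == server_key],
        "notices": list(alice.notices),
        "still_pending": sorted(alice.pending),
    }


if __name__ == "__main__":
    for policy in KeyChangePolicy:
        print(policy.name, simulate(policy, notify_on_change=True))
```

Under RETRANSMIT the undelivered message is re-encrypted to the server-announced key whether or not the notification setting is on; under NOTIFY it stays held until `approve_key()` is called, and under DROP it is discarded.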

------
gourou
> The desire to protect people's private communication is one of the core
> beliefs we have at WhatsApp, and for me, it's personal. I grew up in the
> USSR during communist rule, and the fact that people couldn't speak freely
> is one of the reasons my family moved to the United States

Jan Koum and Brian Acton, founders of Whatsapp

------
jgaa
I think it's pretty obvious that we cannot trust any messenger app that is
closed source or relies on some company's service infrastructure. If it's
closed source, you cannot possibly know what it does. If it's relying on a
company's infrastructure, it's likely to be banned by oppressive governments
(and that includes most of the so called "free world"). In frustration over my
own Government (Norway), I started last year a project to launch a new IM
client based on the legacy TorChat protocol
([https://github.com/jgaa/darkspeak](https://github.com/jgaa/darkspeak)). It
turned out to be way more work than I expected - so it's been on hold for a
few months while I spend time on some more urgent projects. However, I think
p2p IM software, based on open source, over Tor (or similar technologies) is
the only way to preserve privacy and confidentiality in the future.

~~~
dr_zoidberg
> If it's closed source, you cannot possibly know what it does.

You can set up a wifi and try to MitM yourself and see what packets WhatsApp
is sending/receiving. Then you can try to snoop on them and test. The fact
that it is closed source doesn't mean you can't analyze it, it just means it's
a black box that you have to carefully dissect.

~~~
jgaa
You can get some idea by looking at where the packets are going - but in
today's IPv4 space, most p2p packets have to transit through some public IP
addresses. That means that, unless you are able to decrypt the traffic, it
will be difficult to know if someone is listening in on the conversation.
Also, just by looking at the packets, you will not have any means to detect
back-doors, unless they are accessed while you are looking. Back-doors
potentially requested by intelligence agencies for snooping on high value
targets are likely to go undetected.

~~~
MichaelGG
So just look at the actual code executing. Should be fairly easy to tell if
there's some huge secret function in the binary.

~~~
jgaa
Well - you know, when you strip the symbols from the optimized binaries, the
"huge_exploit_nsa_hook()" function kind of morphs into 0x66666666 or some
other seemingly random number. Besides, I knew only one programmer who could
read binary dumps of a program and instantly tell what it did. That was 30
years ago, when executables were measured in kilobytes.

~~~
MichaelGG
Fortunately there are useful tools that'll help navigate binaries, like IDA
Pro. They'll produce control flow graphs in addition to letting you annotate
things. I've done this in a professional capacity a few times, though I'm not
remotely an expert and barely know what I'm doing.

In Java, it's even easier due to JVM restrictions. I wrote an obfuscator for
.Net, but Java offers fewer capabilities in its bytecode. I even used a
commercial product that had been obfuscated. The obfuscator broke something on
Mono. It took about an hour to write a small script to go through the binary
and fixup the broken bits so other tools would work on it.

~~~
dr_zoidberg
Good call on reversing, I'd written about it in a first draft but then
scratched everything and started over again. Indeed, there are some good
reversing tools. Still, his call on packet analysis being incomplete (unless
you happen to see an interesting event) is right. I was thinking of a more
simple test to see if things are effectively encrypted, and how resistant the
protocol is to cryptanalysis.

------
jmlr
Has anyone heard anything from Moxie Marlinspike on this? Would be interesting
to hear his perspective - Open Whisper Systems helped out with the encryption.

~~~
junto
Well there are two possible scenarios I can envisage.

a) The issue was an oversight and simply a bug that needs to be fixed. The
question is why FB doesn't want it fixed?

b) Moxie knew that this issue existed but was NDA'ed into leaving it there for
nefarious purposes. Now it's public knowledge, where do we go from here?

~~~
mysticmarvel
This exploit is not in the original Signal protocol, and was introduced by
WhatsApp. Signal discards undelivered messages when the encryption key
changes, WhatsApp implemented re-transmission because they think it improves
usability. It does do that, and it also introduces this security risk.

It says so right in the article. Stop spreading FUD.

~~~
antihero
Moxie endorsed Whatsapp, though. We view Moxie as a trusted actor, so either
he is untrustworthy which would SUCK or he didn't know that they did this.

------
blorgle
It doesn't matter whether you use WhatsApp, Facebook Messenger "Secret
Conversations" or even Signal app (or PGP or any public key based
communications system)!

If you are not verifying key fingerprints out of band, then you are
potentially vulnerable to a malicious server MITMing new sessions.

If you want secure end-to-end messaging, verify keys out of band, do not
solely trust a 3rd party for key exchange!

~~~
ec109685
And you have to verify the software is using those verified keys for every
message you send.

------
zzzzz99997
Is anyone surprised? Facebook owns them, and Facebook has been in the back
pocket of the intelligence agencies for at least half a decade.

~~~
codezero
Are there some landmark issues around this assertion? We know Yahoo backdoored
email, and their head of security resigned as it happened behind his back.
This doesn't mean agencies are successful at coercing every company by
default.

------
benevol
Does anybody seriously still doubt that all the main US tech/communication
products all have backdoors?

~~~
codezero
I think the shock here is that FB considers this a usability feature rather
than a vuln. I can see both sides. If you want real security use something
else. If you want privacy but not from state actors or companies, use
WhatsApp.

------
therealmarv
The biggest security issue on WhatsApp are the backups, especially the cloud
backups not the protocol and this so called "backdoor" itself. Pictures not
encrypted on backups, encryption keys of backups stored on WhatsApp side which
might or might not (???) have access to your cloud backups on Google Drive and
iCloud. If a government (USA?) gets access to one of your or your friends
backups and the encryption key it can see all of the conversation. This is for
me the weakest point of WhatsApp.

~~~
Moyamo
I've noticed this as well, do they even encrypt the backups they upload to
google drive and if so with what key? If they use one key then the advantages
of perfect forward and perfect future secrecy that the double-ratchet protocol
provides is lost.

~~~
Sgt_Apone
Messages and media backed up to Google Drive are "not protected by WhatsApp
end-to-end encryption while in Google Drive" according to the app.

~~~
arghIdontwantto
Hey

You replied to me about a month ago concerned about my health when I was
dealing with issues with my wife:
[https://news.ycombinator.com/item?id=13039203](https://news.ycombinator.com/item?id=13039203)

I couldn't reply to that as it is too old, but wanted to tell you that we
talked and we ended up parting ways. While things are still in a turmoil, it
seems like some kind of window opened and hope is out there again.

Just wanted to thank you for the concern showed then.

Happy new year!!

------
burnbabyburn
"why don't you use whatsapp now that it has built in encryption like your
Signal?"

meh.

------
Tepix
I've used signal for quite a while but went back to Threema because the
messages were delayed too often.

What are opinions about Matrix (matrix.org) used with the Riot client?

This combo checks all the boxes that Signal checks (including the Olm ratchet,
a close relative of the Signal ratchet), and adds :

- decentralization (run your own server)

- no need to disclose your phone number

------
ycmbntrthrwaway
> Boelter said: “[Some] might say that this vulnerability could only be abused
> to snoop on ‘single’ targeted messages, not entire conversations. This is
> not true if you consider that the WhatsApp server can just forward messages
> without sending the ‘message was received by recipient’ notification (or the
> double tick), which users might not notice. Using the retransmission
> vulnerability, the WhatsApp server can then later get a transcript of the
> whole conversation, not just a single message.”

Actually it is not that easy. Signal protocol [0] does not have any inherent
delivery notification, but it is implemented in the application [1]. If
an attacker wants to deliver messages two-way without delivering receipts, it has
to recognize them somehow. Of course you can try to guess by not delivering
the first message after each delivery, but it seems too unreliable for a
backdoor.

[0] [https://whispersystems.org/docs/specifications/doubleratchet/](https://whispersystems.org/docs/specifications/doubleratchet/)

[1] [https://support.whispersystems.org/hc/en-us/articles/212535538-How-do-I-know-if-a-message-has-been-delivered-](https://support.whispersystems.org/hc/en-us/articles/212535538-How-do-I-know-if-a-message-has-been-delivered-)

------
bartl
> in many parts of the world, people frequently change devices and Sim cards.
> In these situations, we want to make sure people’s messages are delivered,
> not lost in transit.

That quote sounds even more alarming to me than the description of the
backdoor. Because, as I read it: the unencrypted message is not stored on the
device, but somewhere else. How else would they be able to still deliver a
message, using a new encryption key, even after the sender switched to a new
phone?

------
newscracker
> Boelter reported the backdoor vulnerability to Facebook in April 2016, but
> was told that Facebook was aware of the issue, that it was “expected
> behaviour” and wasn’t being actively worked on. The Guardian has verified
> the backdoor still exists.

This is really damning on the part of Facebook and WhatsApp! How could they
just brush this off as "expected behavior" and wasn't being actively worked
on? I guess their priorities are where a social media company like Facebook
would have them be - make more avenues to monetize the usage.

The initial response from the WhatsApp spokesperson is just PR speak, and
really terrible for a response (until the direct question came up and another
statement was issued).

It's sad that Signal and Open Whisper Systems are being dragged in here,
because many people may just look at the headline, probably skim the beginning
of the article a little bit and assume that the OWS implementation is the
culprit or that OWS is somehow complicit in this.

------
niyalmo
Use Signal. Get everyone around you to use it. Seriously. Facebook is a for-
profit that gets all of its money from ads (just like Google), would you
seriously expect them to protect your privacy?

------
jgowdy
Why do we sit here and argue about whether people should use WhatsApp or
Signal? It's Facebook. How can we talk about Facebook as a serious candidate
for private end to end messaging when they're one of the world's biggest data
brokers? Why wouldn't you just use Signal and recommend it to everyone?

------
kriive
I'm not a crypto guy, but I'm trying to understand how this backdoor could be
used by governments or WhatsApp/Facebook itself. I'm not entirely sure how
such an attack based on this backdoor would work.

The article says that WhatsApp servers have the ability to trigger the clients
to generate new keys, but even with new keys how can the server read the
messages at all? Has the server got a copy of the new generated keys?

Probably there is something big I'm missing.

~~~
TwoBit
I'm trying to understand this same thing. I don't see why triggering a client
to generate new keys is a problem. Giving the client keys to use is a problem,
but that's not what it's saying.

Edit: it is described much better here: [https://tobi.rocks/2016/04/whats-app-retransmission-vulnerab...](https://tobi.rocks/2016/04/whats-app-retransmission-vulnerability/)

The idea is that in addition to the keys being regenerated, the recipient
phone is spoofed (a key point not mentioned). So the FBI could tell the
Whatsapp company to generate a fake recipient phone and connect the sender
phone to that phone instead.

~~~
kriive
Thank you, now I understand.

------
mistermcg
I had a conversation about whatsapp capabilities recently with an assistant
state AG. This person debunked the notion that whatsapp is secure from
government snooping and further intoned that you don't even need a FISA court
to provide a warrant to get to the target's information. Any judge can issue
the warrant for a line tap and the target would never be the wiser as they are
sealed in secrecy.

------
andrepd
For everyone who is (rightfully) upset about this: turn your anger into
action, donate to people who are actually concerned about your privacy and who
are taking action to defend it. I suggest OpenWhisperSystems:

[https://freedom.press/crowdfunding/signal/](https://freedom.press/crowdfunding/signal/)

------
stefek99
It's a typical example of CONVENIENCE.

It's convenient to re-send the message.

No one serious about privacy would ever use Facebook / WhatsApp.

So the title is a click-bait. The decision behind re-sending is based purely
on convenience and cost-benefit analysis.

Actually I think they should display a notification / popup / warning
whatever.

------
woliveirajr
Without being open-source, who can assure that there isn't always encryption
with a second backdoor key ?

I can't easily even see a hash of my key, how do I know it has or hasn't
changed? It's pretty easy to have a feature that only shows some of the keys
changes and not all of them.

~~~
Ajedi32
Even if it is open-source you still can't be sure unless you build the app
yourself. Otherwise there's no way to know whether the source code you're
reading is really the same code that's running on your phone.

------
aembleton
How do I know that my Android phone doesn't have a backdoor keylogging
everything that I type and uploading it to Google/NSA each night?

I haven't rooted and installed wireshark on this device, but even if I did it
could just not send it whilst that is logging. Or, it could be that wireshark
doesn't see everything. Or I just wouldn't notice as there are many packets
going back and forth between my phone and Google.

I suppose I could install Cyanogen and not install Gapps. But then, how do you
know that Cyanogen isn't compromised?

Life's too short. Facebook messenger is convenient and most of my friends use
it so I go for it. I just assume that all of my communication and more
seriously location data for the last few years are logged with the
intelligence agencies.

~~~
bansheehash
"Life's too short to worry about privacy" is precisely the kind of attitude
that normalizes increasingly invasive surveillance and inadvertently feeds
into the desire of companies to glean as much information as they can from
their users' data. Why does the convenience of Facebook messenger have to come
at the cost of privacy?

I think it's an appropriate response to criticise a company for implementing
what can only be generously interpreted as a bug, if not a backdoor, and
dismissing concerns when it was pointed out to them, all the while making
specious claims about being secure and lulling its users into a false sense of
security. Public outrage is a powerful tool in ensuring that companies don't
get too adventurous in spying on their users for fear of getting caught and
called out on it.

At the risk of raising the spectre of authoritarianism, I think the folks who
held on to their religious beliefs in countries that enforce/d a particular
religion (or no religion), or secretly organised protests against communist
regimes would gape in disbelief at the choices of the current generation to
use always-on digital assistant devices, communication tools and social media
platforms that have been shown to be linked with government surveillance
programs. Sure, your government may be democratic and benevolent at present,
but what would stop an authoritarian President from using troves of already
collected data to purge the country of its "dissidents"? It's not a far-
fetched concept - Why do the UK fire and rescue authorities need access to the
browsing history of citizens [1]? It will be all too easy for a government
with all kinds of data on its citizens to establish a "citizen value" score
[2] and optimize access to healthcare and other services based on it. Just the
possibility of such a dystopian future should be a cause for concern on our
willingness to exchange privacy for convenience.

[1] - [http://www.ibtimes.co.uk/big-brother-watching-you-every-orga...](http://www.ibtimes.co.uk/big-brother-watching-you-every-organisation-allowed-snoop-your-internet-history-revealed-1593830)

[2] - [http://www.independent.co.uk/news/world/asia/china-surveilla...](http://www.independent.co.uk/news/world/asia/china-surveillance-big-data-score-censorship-a7375221.html)

------
unicornporn
> […] In the WhatsApp case, chat data is end-to-end encrypted, and there is
> nothing the company can do to assist the FBI in reading already encrypted
> messages. This case would be about forcing WhatsApp to make an engineering
> change in the security of its software to create a new vulnerability -- one
> that they would be forced to push onto the user's device to allow the FBI to
> eavesdrop on future communications. This is a much further reach for the
> FBI, but potentially a reasonable additional step if they win the Apple
> case.

[1]
[https://www.schneier.com/blog/archives/2016/03/possible_gove...](https://www.schneier.com/blog/archives/2016/03/possible_govern.html)

------
rodrigo-mx
In countries like Mexico, carriers do not charge for your data use of fb and
WhatsApp. They offer it as a free social network. I am sure the government is
behind such goodwill to users from big companies. You get free communication in
exchange for your privacy.

------
patmcguire
This headline is not the article headline. It's not a small change either.
There is a huge difference between:

"WhatsApp _vulnerability_ allows snooping on encrypted messages"

and

"WhatsApp _backdoor_ allows snooping on encrypted messages"

------
bossx
Facebook 100% reads your "encrypted" WhatsApp messages. I had a conversation
with someone about a very unique topic on WhatsApp, 5 minutes later I see
remarketing ads on Facebook about the same topic.

------
the_duke
Well, if anyone is surprised by this... you really shouldn't have been.

I still use it. Lock in effect. But I never would have trusted their
encryption nearly enough to send anything sensitive.

~~~
lucb1e
If only sensitive stuff is encrypted, encryption becomes suspicious.

Add "you don't have something to hide, right?" to using encryption for
sensitive stuff and you got a 1984 sequel where encryption is banned or must
contain backdoors.

------
philliphaydon
Some of my friends refuse to use LINE, claiming WhatsApp is totally secure and
LINE is really insecure.

If my messages are going to be read I would rather they be full of stickers.

I love LINE.

------
sfifs
Look there's no defense against the company WhatsApp itself. They are managing
the public key infrastructure AND the message forwarding infrastructure.

The clients are not verifying the keys independent of WhatsApp. If WhatsApp
have to (pushed by governments) or want to (FB advertising enrichment) they
can always MITM conversations.

The question is whether others can read the data in transit - and the answer
is still no.

------
nmgsd
This is why you should never trust proprietary secure messaging solutions that
offer you both the client and the channel.

The future of trusted secure messaging will be open source, auditable,
independent non-native clients that connect and send over third party message
channels independently.

See [https://www.seecret.io](https://www.seecret.io)

------
tristor
I feel like this shouldn't surprise me, but I had a lot more faith than was
probably warranted in the guys behind WhatsApp. Part of it was I was so
impressed with their backend tech, I just felt these were people like me that
had similar cares and concerns that I do, including security, privacy, and
performance. So when they implemented the Signal protocol, it was like a sign
that I really had been right to trust them.

This is a sad day, because BILLIONS of people use WhatsApp. I wish I could get
everyone to convert to Signal, but as I travel around the world WhatsApp is
the most used way to communicate with people. Just today I added two
additional local contacts to my WhatsApp so I could communicate here with
them.

I wish I had a clearer understanding of the incentives here. Is this pure
government strong-arm style coercion with NSLs, or is this intentional
malfeasance on the part of executive management hoping to data mine for their
own profits? Is it an innocent mistake? The technical talent was there to do
this right, and they flubbed it anyway. WhatsApp implementing the Signal
protocol was one of our great hopes for having legitimate worldwide secure
communications in the hands of everyone in the coming decade. Now it's all
lost...

:*(

~~~
nickpsecurity
"Is this pure government strong-arm style coercion with NSLs, or is this
intentional malfeasance on the part of executive management hoping to data
mine for their own profits?"

Facebook is a surveillance company that sells profiles and/or data to 3rd
parties for money. They own WhatsApp. That gives us a probable answer. Far as
general case, the Core Secrets leaks indicate they both bribe companies & the
FBI "compels" those that resist to "SIGINT-enable" the systems under "FISA"
authority. The Yahoo case also indicated they fine companies enough to put
them out of business. So, they can fine companies or possibly jail their
executives if they don't put the backdoor in. It's also always secret with
likely excuses that it's classified matter of national security, part of
ongoing investigations, etc.

------
feral
I am flagging this article, as the headline and first few paragraphs are very
misleading, based on my understanding from: [https://tobi.rocks/2016/04/whats-app-retransmission-vulnerab...](https://tobi.rocks/2016/04/whats-app-retransmission-vulnerability/)

They make it sound like an intentional backdoor has been introduced to
WhatsApp to facilitate monitoring.

Rather, it seems like there's a weakness in the implementation, where if a
message is undelivered, an attacker could trick the sender's client into
sending the undelivered message to a new key they control.

That does seem like a weakness, but not an intentional backdoor as the article
initially led me to believe. I could see how someone would trade off ease of
use and message delivery with security and make that call.

Yes, it could be a subtle backdoor (with limited exploitation), and yes, open
source clients would be great. But real end users use WhatsApp to encrypt
their private messages on a scale never before achieved, because of the
usability tradeoffs they've made. I think we should bear that in mind before
describing any implementation tradeoff as a 'backdoor'.

~~~
discordianfish
Agree, also think it's likely this is an intentional trade off: Alice sends
Bob a message but Bob's phone is broken, so he gets a new one. The message is
marked as not delivered. Since Bob's old keys are lost, WhatsApp needs to
generate new ones. The trade off here allows in this scenario to accept new
keys transparently.

Not ideal from a security perspective but what would be the alternative? Bob
meeting Alice so they can compare fingerprints? Bob sending Alice a PGP signed
message?

~~~
MagnumOpus
>what would be the alternative

Alice getting a warning about key mismatch and a prompt for redelivery (or
not) of the pending message. Bob-with-new-phone does not get to read Alice's
messages to Bob without Alice at least having the ability to verify that Bob
indeed changed phones. Yes, 99% of users will click "redeliver" without
checking, but the ones for whom secrecy matters won't.

I think this is how Signal does it, and it is the only security conscious way
to do it.

~~~
discordianfish
Yes, I personally prefer that too. But I understand if facebook decided this
is too much to ask for their users.

------
anoother
> The recipient is not made aware of this change in encryption, while the
> sender is only notified if they have opted-in to encryption warnings in
> settings, and only after the messages have been re-sent.

Surely this is backwards. It's the _recipient_ who is notified about key
changes when the relevant setting is enabled.

------
tinus_hn
The complaint here seems similar to complaining ssl is insecure because the
certificate authorities can create certificates at will.

Whatsapp can't do this without leaving traces and if they did this on a larger
scale without only doing it with people that don't care to look for the signs,
someone is bound to find out.

------
rethab
Who would have guessed..

------
breatheoften
I think it is worth changing the behavior of the client to fix this. At time
of sending the recipient's key is known -- there should be no circumstances
where the message is re-encrypted for a different recipient without the
sender's explicit involvement...

------
frabbit
Seeing as we're on the topic of encrypted comms, anyone have an
analysis/critique of SpiderOak's "Semaphor"?

[https://spideroak.com/solutions/semaphor](https://spideroak.com/solutions/semaphor)

------
mtgx
Does the safety numbers verification do anything against this, or can they
bypass that as well?

------
barbs
So this was on the front page with 1302 points at time of writing, and now
it's nowhere to be found...

Is there a quirk with HN's algorithm that I'm not aware of, or is there
something else afoot? A mass-flagging? A manual take-down of sorts?

------
rahilb
Doesn't this mean that only subsequent messages can be decrypted? i.e.
Whatsapp has provided forward secrecy (as long as they haven't been using this
trick from the initial secrets that were set up)?

~~~
vorticalbox
Pretty sure that is the case. The key is changed while you're offline, making
any unsent messages use the new key that they know.

But if they can change the key while you're offline that means they can change
the key and know everything from that point on.

~~~
FabHK
Though you would get the key-change-notification (if you had enabled it,
overriding the default), and could then verify fingerprints via some other
channel.

------
paradite
The moral of the story is, don't exchange messages electronically if you are
expecting privacy.

The only real private way of exchanging information is face-to-face in a
private place.

------
sidcool
How does one protect oneself from this?

------
bandrami
Wait... you mean key management is hard to get right with a large and
distributed userbase? Who knew?

------
vorticalbox
Doesn't this mean that only unsent messages are vulnerable, as they are sent
with the new key?

------
vonklaus
Yeah, really pretty much confirms what everyone already believed.

------
torrent-of-ions
I can't believe that so many apparently security conscious people accepted
WhatsApp as being OK. For years we've known and been told that any security
software must have publicly available algorithms and source code. And then all
of a sudden WhatsApp was lauded for protecting users' privacy when it is
itself a proprietary, closed-source program, owned by a company notorious for
not respecting user privacy.

------
kutkloon7
I find this hardly surprising. Somehow the USA government is very, very good
at convincing companies to spy on their users.

~~~
codezero
Many governments are good at spying on their citizens, but are you implying
the USG forced/compelled/convinced WhatsApp to intentionally weaken their
security?

------
pokemongoaway
Are there any recommendations for video chat / conference calling yet?
Googling around leads one to believe that WhatsApp's is the most security-
minded video calling that's widely available...

------
known
If You're Not Paying for It; You're the Product;

------
tuyguntn
I am not a security expert, but for me Moxie lost his credibility, even though
he may be one of the best crypto experts out there

