
> They seem to have replaced TLS/SSL between client and server with "Noise Pipes".

WhatsApp was already using a custom protocol instead of TLS. We worked with them to transition over to Noise Pipes, which has some advantages over what they were doing before. Also, we've renamed Axolotl to Signal Protocol: https://whispersystems.org/blog/signal-inside-and-out/

It is killing me that you didn't rename Signal to Axolotl.

If user growth and mainstream adoption are your goals then calling the product 'Signal' is the better choice by leaps and bounds.

Axolotl is cool in a techy/underground sort of way (if you're into that) but completely misses the boat on being 1) easy to spell, 2) easy to pronounce, 3) easy to understand.

Mainstream users would just say "wtf" and move on to whatsapp/telegram/facebook messenger.


"Axolotl" at least has serious pronunciation issues, so I am glad it is not used "user-side".

For my part: because "Axolotl" is one of the most widely name-dropped terms in hipster cryptography, and because it's been adopted by other projects, and because it's distinctive, and because they basically own the term. In a stroke, everyone doing secure key ratchets would have been using their product.

It's also just a cool name.

I always liked "Axolotol" because axolotols are a type of salamander with the amazing ability to regenerate parts of their bodies (including their brains!), and the Axolotol protocol, like OTR, is "self-healing", meaning it's capable of recovering from a compromised session key (https://whispersystems.org/blog/advanced-ratcheting/).

And you're spelling it wrong which pretty much validates the renaming.

Axolotls are also cool because they're not really a species in their own right --- they're actually just the juvenile form of a salamander. But they can breed while in their juvenile form! It's as if tadpoles could lay eggs without having to turn into frogs first.

In fact, axolotls only metamorphose into salamanders if triggered by the external environment. If you don't stimulate them in the right way, they stay axolotls. For a long time they were thought of as two different types of creature completely.

There's a story of one of the very early researchers looking at his vivarium one day and discovering that it was now full of salamanders rather than the axolotls he was expecting. I would love to have heard the conversation...

Basically like a Pokemon.

I thought it was a misspelling of axlotl from dune, so I had to google it. Frank Herbert must have taken his inspiration from the salamander as well, given what the axlotl tanks were for.

Thanks and I agree about that!

Because words coming from Nahuatl are cool! (coyotl, mesquitl, tomatl, ahuacatl, etc.) See more from https://en.wikipedia.org/wiki/List_of_English_words_from_ind...

They’re distinctively spelled, don’t collide with existing search terms, often have available domains, etc. Most importantly, they anticipated the web 2.0 trend of ending words with two consonants in a row. ;)

Finally, just look at this guy: https://upload.wikimedia.org/wikipedia/commons/f/f6/AxolotlB...

Linguistic tangent: the common suffix on those words is interesting. Is it required for Nahuatl nouns, like the Latin -t suffix? I notice that not all the other example words on the linked page-section have it, but a large majority do.

t͡ɬ is a phoneme in Nahuatl [0] (Voiceless alveolar lateral affricate [1] if you care to hear it), which explains why many Nahuatl words have sequences of "tl". I don't know if there's a specific reason why these words end with that sound (it doesn't have to be a suffix).

Edit: yes, it's a suffix (for Classical Nahuatl): "Non-possessed nouns take a suffix called the absolutive. This suffix takes the form -tl after vowels (ā-tl, "water") and -tli after consonants [...]" ([2]).

0: https://en.wikipedia.org/wiki/Nahuatl#Phonology


2: https://en.wikipedia.org/wiki/Classical_Nahuatl_grammar

> Is it required for Nahuatl nouns, like the Latin -t suffix?

I don't understand what you're thinking of here? Here are some Latin nouns, all in nominative case:

    nauta   (first declension)
    puer    (second)
    gladius (second)
    malum   (second)
    lex     (third)
    limen   (third)
    tempus  (third)
    virtus  (third)
    civitas (third)
    cornu   (fourth)
    manus   (fourth)
    res     (fifth)
I gave the nominative case, but in fact none of those nouns has any form ending in -t. The only -t suffix I know of in Latin is for third-person singular verbs.

Ah, sorry, yes, I meant the verbs. Originally I was going to make a comparison to nouns—nouns in Lojban, which have a -j suffix.

I'm confused and am not sure if you're thinking of something else or if I'm quite misinformed about Lojban. I don't think lojban has suffixes at all (prefixes, on the other hand). For -j specifically, the only words in lojban which are permitted to end in j are names, but there it's not obligatory. Names are required to end in a consonant, but there are at least a few that are more common than j, I think.

FWIW `-j` is the plural suffix for all nouns and adjectives in Esperanto (except in the accusative, where the full generic form is followed by an additional `-n`), but I don't know whether the OP had that in mind or something completely different.

> Because words coming from Nahuatl are cool! (coyotl, mesquitl, tomatl, ahuacatl, etc.)

> Most importantly, they anticipated the web 2.0 trend of ending words with two consonants in a row. ;)

But those words (coyote, mesquite, tomato, and avocado, unless I seriously miss my guess) all end in a vowel.

> But those words (coyote, mesquite, tomato, and avocado, unless I seriously miss my guess) all end in a vowel.

Because they were adopted by Spanish speakers. English products using these names could either adopt the Spanish form, or, as the GP suggests, follow the 2.0 trend and recover the original form, publishing their webpage in the East Timor .tl domain.

But it had a significantly better signal-to-noise (SCNR) ratio when looking for specifications, code and docs. The original "axolotl" term comes from a completely different domain, so it was easy to distinguish and filter for.

"Signal" in IT usually means UNIX inter-process communication.

Kids would love that name because they know it as that cool looking salamander with gills (or whatever they are).

Confirming this: my daughter was thrilled that there was something in my field actually called "axolotl".

This thread is making me want to reread Dune.

For me the biggest thing is - how do we have any idea that WhatsApp is actually using this wonderful crypto tech under the hood? For example my WhatsApp is claiming my messages to my friend are encrypted, whereas his phone is claiming they are not. This is not exactly conducive to trust!

Mine did that for a while, then it resolved itself. Maybe it takes some time for all instances in a group to agree they are encrypted; I also think at least one of my groups marked itself encrypted after everyone in it had posted at least one comment since yesterday.

What's the incentive of not using TLS?

It's easy to shoot yourself in the foot with TLS (see: OpenSSL). Also, TLS has roots in a time where we knew much less in terms of crypto; as time went on and flaws were discovered, SSL/TLS was patched all around, meaning it has become much harder to implement correctly.

Noise starts from a clean state with modern knowledge of cryptography and modern cryptography. Much easier to understand and replicate, much harder to shoot yourself in the foot with.

TLS brings modularity and evolutivity, much needed in a protocol the scale of HTTP. In Whatsapp's case, Whatsapp controls both the server and the client; it is much easier to transition between versions because all bricks are under control. When you don't need what TLS brings anymore it makes sense to discard it.

As another example: Tarsnap (https://www.tarsnap.com/) uses spiped (https://www.tarsnap.com/spiped.html), a very simple yet powerful mechanism to build an encrypted channel. Its protocol and proof fit in ~100 lines (https://github.com/Tarsnap/spiped/blob/master/README). When you don't need all the jazz provided by TLS (and when you're lucky enough to be able to pre-share keys, which helps a lot) then a simple protocol is good.

It looks like Noise leaves an implementer with more than enough rope to hang themselves with - for example, it allows unauthenticated Diffie-Hellman, it appears to permit user-selected handshake sequences, it has 16(!) different official handshake sequences with subtly different properties, each of which allows payloads to be attached to any message in the handshake process that in turn have different levels of reduced security, etc.

You're describing Noise. WhatsApp uses Noise Pipes, which is one of many instances of the Noise framework.

You're right that it's not a good idea for generalists to pick up Noise and go to town with it. Noise isn't misuse-proof.

> You're right that it's not a good idea for generalists to pick up Noise and go to town with it. Noise isn't misuse-proof.

Nor is SSL. Couldn't an opinionated SSL library (supporting exactly one protocol version, one cipher only, etc) provide the same simplicity of use while remaining interoperable and reusing an already-validated protocol?

Simplicity of use isn't the only benefit they get from Noise Pipes; they also get increased security, in a couple of important ways.

It's not the choice I would have made, but I am not as good as Moxie or Trevor.

FYI there is an RFC (currently a draft) for a suite of parameters considered secure for some time, ie some kind of LTS: https://tools.ietf.org/html/draft-gutmann-tls-lts-02

The idea is more or less what you want, hardcode some known-good configuration for servers that can't or won't be upgraded every other month.

That appears to not fully interoperate with regular TLS implementations, and does not require the use of the most popular secure ciphersuite ECDHE_RSA_AESGCM. If they need to make changes to make it secure, define an extension and say this profile makes the extension mandatory (like MAC-then-encrypt), but don't just change the protocol.

This is less a practical draft and more a political statement about the author's dislike for TLS 1.3. In particular, it makes extensive modifications to the TLS protocol itself (it doesn't merely propose a limited set of safe parameters).

> It's easy to shoot yourself in the foot with TLS

I would argue it's easier to shoot yourself in the face trying to re-implement/re-design something like TLS.

The mind behind Noise (Trevor Perrin) is one of the minds behind Axolotl (actually Noise can be seen as a generalization of the Axolotl's cross-signing of DH keys, see this post: https://whispersystems.org/blog/simplifying-otr-deniability/) so I would likely be comfortable with it. Although it is completely true that it's been far less used and studied than TLS.

The OP's point is that it is like TLS, except with a novelty effect. Personally, I prefer that everyone standardize than use a hundred different crypto protocols, none of which receives adequate scrutiny. TLS1.3, with encrypt-then-MAC and zero-RTT setup, can't get here fast enough.

About 6 round trips, which gives you about a 30s latency on EDGE networks. Doing a key exchange once, retaining it and then doing future communications with just 1 round trip is significantly faster.

Isn't a full TLS handshake 6 messages (thus 3 round trips)? Also, with false start and resumption, TLS can typically achieve 1 round trip, right? (I'm also confused by 30s latency for 6 RTT, but maybe I'm too focused on the US market, where EDGE latency would be more like 500ms each way.)

Maybe not all of WhatsApp's platforms support the latest TLS improvements though, thus it's easier to roll their own?

I'm curious about this too. Short of some rigid technical requirement, it's hard to imagine why you'd want to reinvent the wheel or forgo a protocol which is so widely available and studied. (Although I've not read the Noise whitepaper, I'm sure it must have some benefits compared to TLS.)


As an aside, what's with Nietzsche? He seems to crop up in your screenshots quite frequently.

"The individual has always had to struggle to keep from being overwhelmed by the tribe. If you try it, you will be lonely often, and sometimes frightened. But no price is too high to pay for the privilege of owning yourself."

(just a guess)

Is there any documentation on the old custom protocol?

What exactly is wrong with TLS? Why the switch?

As a protocol, it's quite old, complex, and has a huge surface area for attacks. E.g., the Wikipedia page (https://en.wikipedia.org/wiki/Transport_Layer_Security#Attac...) lists over a dozen major attacks against TLS/SSL. Its only advantage is ubiquity; it's the standard in every browser and web server.

Moxie, what do you say to this?


Is that true? Are the messages decrypted server-side for iOS users?

This post illustrates how silly it is to link to a tweet, and not just paste the text of the message directly. This tweet has been deleted.

And for anyone else that hates visiting these social networks, Moxie's reply was, "I'm sure, but it'd be to everyone's benefit for you to verify."
