Hacker News new | past | comments | ask | show | jobs | submit login
[flagged] Why the “WhatsApp-backdoor” is not a WhatsApp-backdoor (slashcrypto.org)
58 points by slashcrypto on Jan 13, 2017 | hide | past | web | favorite | 26 comments

It's a backdoor because it grants access (to new messages as well as any messages replayed) with explicit authorization by the application but without explicit authorization by the user.

That seems to fit the currently accepted understanding of the word: https://en.wikipedia.org/wiki/Backdoor_(computing)

I do not see this as an actual rebuttal to the idea of it being a backdoor. The article makes two points: 1. Ultimately, verification falls to the user, so even in a secure system, user error, misunderstanding, and/or laziness can result in becoming compromised 2. Clients can lie to us anyway

The point about this "backdoor" business is that the WhatsApp client does not even give the user the chance to even make a mistake of skipping or mis-executing validation. Instead, it will just make that mistake FOR you, every time, for your convenience!

That utter failure of design, and breach of trust, enables a remote actor (the WhatsApp servers) to access secure data. So yes, it is a "backdoor".

The 'remote actor' could always do this though, as there is another 'backdoor', that you and I call the App Store/Play Store, whereby Facebook can push whatever updates they please - including one that could send your decrypted messages back to Facebook - without you knowing as WhatsApp is closed source.

It is sad, and misinformative, that this article is currently #1 on HN, while the much more accurate and better-written Guardian piece "WhatsApp backdoor allows snooping on encrypted messages" is #2.

The linked piece is hard to critique because it's borderline incoherent. The "conclusion" is simply not a conclusion, particularly this passage:

> A provider always has the ability to intercept messages as long as the user does not verify fingerprints. With WhatsApp, it is even harder to make sure, no MitM takes or took place. WhatsApp is closed source, so who can tell, if WhatsApp just displays wrong identity keys and lets the user think that everything is perfectly OK ..?

It's actually very accurate technically. The Guardian article seems to miss the basic point.

The encryption in WhatsApp and Signal and Apple messaging all are all built to protect data from others in transit not necessarily from the service provider itself.

No system where a central service provider manages both key infrastructure and message delivery can ever be secure from MITM by the service provider unless you do manual key verification through a different channel. Signal does provide the means to doing so by physically meeting a person and verifying which is good. But are you truly going to be able to explain these concepts beyond techies?

But the actual point here is the retransmission vulnerability. That's what makes WhatsApp different. That's the backdoor.

Look if WhatsApp wants to read your messages without you detecting, there's nothing you can really do to prevent it apart from not using WhatsApp.

For instance if you're on some list for message interception, they can give you MITMed keys when you first login. Or they can insert some subtle signal that tells the app on your specific phone to ignore key changes and avoid showing notification in some way you would struggle to check (closed source and obfuscated code) etc etc. They could even show you the right key if you attempt verification but use a compromised one for communication. This particular vuln. would be a ridiculously crude way to intercept messages.

To repeat, in any system where key distribution and message distribution are centralized, there is no way to protect against the service provider - and anyone who co-opts the service provider (eg. with a court order). The objective of the encryption is to protect against other actors snooping on you

I edited the article because I really missed this point, you are right. I thought WhatsApp is not sending the message which got encrypted with the new key. But still, I would not say this is a backdoor, because the user has a relatively easy way to check the keys. If WhatsApp would like to implement a backdoor, they would have done it in a different way I think.

Apart from the horrifying punctuation, I can't see how the quoted paragraph is technically incorrect. Some kind of real-world validation is required before you can trust that a public key really represents a given entity (at least, that's how I'm interpreting "verify fingerprints") and so it follows that if users don't validate the public keys of their correspondents, they can't know for sure that their conversations haven't been MitM'd.

The paragraph is correct but misses the point.

Whatsapp will re-transmit messages with a key provided by whatsapp without ever giving the user the option to verify that key. Even with the opt-in, the message will be re-transmitted. All the opt-in ensures is that you are notified of the key change (a notification you receive after the message has already been re-transmitted under the new key)

I edited this part, you are definitely right.

Shame that we can only upvote articles, not downvote

If the title of the article is the conclusion, I really don't see how they arrive there based on the post.

If I read the post and came up with the thesis sentence myself, it would be "WhatsApp is vulnerable to MITM attacks because it tries to automate key changes by default"

Tech articles are the absolute worst at being click-baity.

So it's not a backdoor because theoretically they can already intercept the messages?

In other words, this is not a crack because the glass is already broken.

I'm so relieved.

> This is not a backdoor, this is a default setting of > WhatsApp and everybody is able to opt-in the feature > which blocks message sending when the key material changes.

This is flat-out wrong. There is no opt-in feature to block sending when the key material changes. There is only an option that notifies when the material changes.

And this is precisely the problem. On certain messages (those not yet delivered) whatsapp can force re-transmission encrypted with a key of their choosing. No options will block the re-transmission.

I agree with most comments on this thread -- This is indeed a back door and it is irresponsible for someone who works in Security to claim that it is not. If the key-verification functionality that you describe were "opt-out", then you might have a case on your hands, but because it's "opt-in", the user would not know when What's App is potentially spying on them.

This is a backdoor because it is used to fool people. In countries like Mexico, carriers do not charge your data use of fb and WhatsApp. They offer it as free social network. I am sure government is behind of such a good will to users from big companies. You get free communication in exchange from your privacy. What a nice deal!

No it is a backdoor. Becuase the app fucks you on purpose, even if you go to great lenghts to verify the keys.

Also the vulnerabilty matches perfectly one scenario - when a person is in custody, the LEO cannot open its phone, but they can create account on new device with his sim card and continue "trusted" chats.

I understand why that is a concern for the security conscious. But for the 90% use case, e.g.: I lost my phone and got a new one. Or my phone isn't turning on and I get a new one.

I install WhatsApp. How do I roll over my identity?

The way I see it is that WhatsApp is delegating the task of identity verification to the network provider (admittedly a weak link for the security conscious). But it _is_ the easiest way for the average user to continue chats on a new phone.

If the default setting were reversed, HN would stop complaining, but the 90% would.

The most 'secure' means of communication is probably a one-time pad communicated via paper on magic ink that you then burn, or something. There is a cost to ease of use in many cases. I wish the conversation was less about right v wrong, and more about what tradeoffs should be made and where to draw the line.

The nice solution here that would please security-conscious people with an opt-in would be for that opt-in to prevent automatic re-encryption and re-transmission under the new key.

To expand on the example given above, if the police get your phone, turn it off and wait for a while. You might have quite a few incoming unreceived messages. They can then simply take the sim, put it in a new phone, and register that with whatsapp. They can then read all messages sent to you since they turned of your phone.

I agree this isn't a backdoor. Facebook is already a Trusted Third Party with the responsibility to deliver an honest closed source client binary, as are Apple and Google for delivering the binary unaltered to the end users.

This backdoor cannot be exploited by third parties, only by Facebook themselves, who already have much easier ways to intercept or manipulate communication. So although I don't think Whatsapp makes the right trade-off here (people get a new phone only once every few years, so why optimize for that edge case?), I'm not concerned about the privacy implications either.

I suspect other commenters here are confused about the nature of the Signal protocol, and who you have to trust for the system to be secure. If you used to believe that Facebook is 100% unable to intercept or tamper with Whatsapp communication, then this would be upsetting. But since they're a trusted party already, this changes nothing.

This just goes to show the importance of picking sound defaults. WhatsApp gets this horribly wrong. Regardless of whether it's a backdoor, their default behaviour is dangerous because it leaves users vulnerable to MITM attacks.

Let's not get hung up on semantics, and focus on the HARM.

I should point out that even with the 'correct' setting (which isn't default) whatsapp will still re-encrypt and re-transmit any unsent messages under the new key. All the 'correct' setting does is notify you of the key change.

The article is factually wrong on this.

This is a confirmation of the backdoor and not a rebuttal.

Is this only saying it is a feature, not a bug?

Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact