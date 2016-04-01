Hacker News new | comments | show | ask | jobs | submit login
There is no WhatsApp 'backdoor' (whispersystems.org)
481 points by stablemap 5 hours ago | hide | past | web | 229 comments | favorite





Color me still-unconvinced.

This retort does not address the fundamental point made in the Guardian piece:

> “[Some] might say that this vulnerability could only be abused to snoop on ‘single’ targeted messages, not entire conversations. This is not true if you consider that the WhatsApp server can just forward messages without sending the ‘message was received by recipient’ notification (or the double tick), which users might not notice. Using the retransmission vulnerability, the WhatsApp server can then later get a transcript of the whole conversation, not just a single message.”

This allows WhatsApp to MITM. Whatapps can rekey both Alice and Bob, decrypt both their messages from that point onwards (incl unsent messages) and forward them re-encrypted with their real keys. The only notification might be that rekeying warning, if the users have turned it on. In this scenario even the double-checkmarks are present. This is contrary to WhatsApp's claim that even they cannot snoop.

PS: I just check on my phone if those notifications were turned on. There were not. And I'd never turn those off myself, which leads me to conclude that the rekeying notifications are off by default (in their android app)

> This allows WhatsApp to MITM. Whatapps can rekey both Alice and Bob, decrypt both their messages from that point onwards (incl unsent messages) and forward them re-encrypted with their real keys. The only notification might be that rekeying warning, if the users have turned it on. In this scenario even the double-checkmarks are present. This is contrary to WhatsApp's claim that even they cannot snoop.

You've just described a "man in the middle" attack. It is endemic to any public key cryptosystem, including Signal and PGP, not just WhatsApp. The notification that you see in WhatsApp, Signal, SSH, PGP, or whatever is the defense.

> PS: I just check on my phone if those notifications were turned on. There were not. And I'd never turn those off myself, which leads me to conclude that the rekeying notifications are off by default (in their android app)

Key change notifications are off by default in WhatsApp. That's probably going to be a fundamental limit of any application that serves billions of people from many different demographics all over the world.

Even if they were on by default, a fact of life is that the majority of users will probably not verify keys. That is our reality. Given that reality, the most important thing is to design your product so that the server has no knowledge of who has verified keys or who has enabled a setting to see key change notifications. That way the server has no knowledge of who it can MITM without getting caught. I've been impressed with the level of care that WhatsApp has given to that requirement.

I think we should all remain open to ideas about how we can improve this UX within the limits a mass market product has to operate within, but that's very different from labeling this a "backdoor."

Moxie,

I think it's fair to say that you are the world thought leader on these matters right now.

One thing that the rest of us are wondering right now is:

> I've been impressed with the level of care that WhatsApp has given to that requirement.

To what degree do you really know that? Is there a place where we can read about your interactions with Facebook, the level of access they've given you, and the degree to which they have allowed your recommendations to shape the contours of their implementation?

Nothing less than the strength of dissent lies in the balance of questions like these.

> I think we should all remain open to ideas about how we can improve this UX within the limits a mass market product has to operate within, but that's very different from labeling this a "backdoor."

I agree that the jump to scary terminology is dangerous.

I agree that the jump to scary terminology is dangerous.

However, at the end of the day, I think that many of us have been trying to make a simple point that shows that there is a sort of crossing of that line:

WhatsApp claimed that they were simply unable to intercept communications, and now we find out that, without any user interaction or approval, messages which haven't received the "double check" are re-transmitted when a new key is generated.

In some highly specific but easy-to-imagine scenarios (eg, a journalist on the ground in Tahrir Square using WhatsApp to report on conditions, receiving no replies), WhatsApp is hugely vulnerable in a way that most of us didn't think it was.

So look: nobody here is trying to diminish your tireless work and your accomplishments in bringing freedom into the information age.

But there are nuances here that are important, and fleshing them out is a big part of what this community is about.

> The notification that you see in WhatsApp, Signal, SSH, PGP, or whatever is the defense.

That defense, which happens to be the only defense, is turned off by default in WhatsApp.

You seem to argue they do so because it's bad UX to present such notification by default. That's - in my humble opinion - like suggesting browsers should turn off TLS chain errors by default because it's bad UX and just proceed with the connection as if nothing happened...

> That defense, which happens to be the only defense, is turned off by default in WhatsApp. > You seem to argue they do so because it's bad UX to present such notification by default. That's - in my humble opinion - like suggesting browsers should turn off TLS chain errors by default because it's bad UX and just proceed with the connection as if nothing happened...

One thing we've learned over the years is that security warnings should not be displayed to consumers under "normal" (eg. non-critical) circumstances, otherwise it creates a condition of "warning fatigue."

TLS certificate errors are not something that should happen under normal circumstances. When a TLS certificate fails to validate, something is really wrong. As we've gotten better about ensuring those conditions, browsers have made it harder and harder to get past the warnings, because they're not warnings anymore -- they're error conditions.

Key changes in a messenger are totally different. They happen under normal conditions, so putting them in people's faces by default has the potential to do more harm than good. If we can make them workable, systems like CONIKS or Key Transparency might be in our collective future, but if you don't like systems that are fundamentally "advisory" (don't tell you until after the fact), you're not going to like those new systems at all either.

For now, I think a fact of life is that most people will not verify keys whether the warnings are there or not, so I think what's most important is that the server can't tell who is and who isn't.

I'd love to hear other ideas about how to improve the UX of interactions like this, but I think they have to include a basis in the assumption that we can't fundamentally change human behavior and that we can't just teach everyone in the world to be like us.

Why are unsigned key changes a 'normal' thing? It'd be trivial to sign the new public key with the old private key, maintaining a chain of trust.

> Key changes in a messenger are totally different. They happen under normal conditions

This doesn't have to be the case. If you stop coupling a key to a device and instead couple a key to a person (generating a key deterministically from a password for example), they can be changed far more rarely.

Do browsers tell you about certificate reissues by default?

No, but they don't have to because (the vast majority of) users don't establish trust in website's TLS certificates themselves; instead, they use a trusted third party: the set of all trusted certificate authorities in their browser or operating system's root store. End-to-end encrypted messengers like Signal and WhatsApp don't rely on a trusted third party to establish trust, instead (rightly) leaving it up to users to establish trust between each other.

> That's probably going to be a fundamental limit of any application that serves billions of people from many different demographics all over the world.

Moxie, some of us are of the opinion that [that] (implied) goal is certainly noble but ill-considered.

Modern state surveillance has 2 general unstated goals:

1) Create an atmosphere of fear to affect self-censorship. Some states (such as China) announce this as a matter of state policy. Others (such as US) drop hints. UK is somewhere in between.

2) Identify emerging memes, clusters, and thought leaders. This information is then used to counter, disrupt, and discredit/isolate (respectively).

(And yes, the stated public goals are to prevent terrorism, child pornography, and crimes.)

From the political angle -- activist angle, if you will -- the goal of "serving billions of people from many different demographics all over the world" is minimally misguided, and counter productive, and maximally a hazard.

> Key change notifications are off by default in WhatsApp. That's probably going to be a fundamental limit of any application that serves billions of people from many different demographics all over the world.

I'm not sure what exactly is the reason for that, is it UX? like if someone get a new phone and creates a new key pair their friends will get scared because of the warnings?

> Even if they were on by default, a fact of life is that the majority of users will probably not verify keys. That is our reality.

Another fact of life are bad password choices, which is why gmail don't let you use "love", "sex" and "secret" as a password :)

Browsers, for instance, throw warnings when something is wrong with a cert. Even when 99% of the time it's some domain name issue or expiration date, I think it's a nice default. By letting Facebook rekey anytime you (fig) are making them kind of a CA. I don't think there is a good reason for that, specially not when Whatsapp claims that even they can't read your messages... it feels dishonest to me. But then again this is just a messaging app downloaded from Google Play running on Android, my expectations aren't too high...

What would prevent WhatsApp from shipping a client where they control the rekeying notification setting remotely?

I suppose there must ultimately be some level of trust in WhatsApp that the client is doing what it says it is? Unless we're willing to sniff every piece of network traffic from it.

> That way the server has no knowledge of who it can MITM without getting caught.

What exactly do you think is the worst thing that could happen if you "catch" them doing this?

Now what do you think is the worst thing that could happen if they receive a subpoena or NSL or whatever that tells them to do this regardless of whether the user finds out or not (because the government wants the message contents that badly)?

Which do you think will prevail?

> What exactly do you think is the worst thing that could happen if you "catch" them doing this?

[I'm not the OP, but my 0.02]: Hopefully there would be an outcry, initially started by technically sophisticated communities like this, and credible articles in the Guardian, eventually causing significant user anger, and letting competitors gain against them. People running social networks care about mass user anger.

Hopefully that possibility keeps them honest.

Hopefully people don't cry wolf too many times, like today - slowly poisoning the watchdog!

> Now what do you think is the worst thing that could happen if they receive a subpoena or NSL or whatever that tells them to do this regardless of whether the user finds out or not (because the government wants the message contents that badly)?

This has got to primarily be a defense against ongoing mass surveillance. If the government can compel them (via NSL or force or whatever) to change the service so that it just spies on a few targeted individuals, wouldn't it be easier to push these individual a malicious client update, rather than MITM the encryption and hope they have notifications off?

Does anyone know how to build a massively adopted network that resists targeted NSLs? I'm grateful we appear to have one that is resistant to pervasive monitoring.

> This allows WhatsApp to MITM.

If you're operating under the assumption that users aren't going to check their peers' key fingerprints, then you could just give compromised keys from the beginning -- no rekeying necessary. There's no way to protect against that scenario. That's not a fault of WhatsApp.

> This allows WhatsApp to MITM. Technically, yes.

Users could verify if they have been MITMed by verifying the Security Number (just tap on a contact, view contact details -> Encryption). This assumes the WhatsApp app doesn't just display the old safety number.

Indeed. I'm working under the assumption that the client itself is sound.

The question is: how many users will actually check the Security Number, and recheck all the security numbers now that they were made aware of having to turn on the notification.

What WhatsApp is doing here is like using a self signed certificate to do TLS (your own fault if you did not check the cert yourself using whatever out-of-bands method available) and on top of that the TLS client later by default will not tell you when that self-signed cert changes (and you therefore need to recheck it) and for added bonus routing all traffic through them.

In the world of security, technically means actually. Life or death situations require zero trust technologies.

Right, as the article says:

> The only question it might be reasonable to ask is whether these safety number change notifications should be "blocking" or "non-blocking." In other words, when a contact's key changes, should WhatsApp require the user to manually verify the new key before continuing, or should WhatsApp display an advisory notification and continue without blocking the user.

You seem to be arguing that they should be blocking. While I agree that's definitely the best choice from a security perspective, I kinda doubt most users would appreciate having to manually re-verify keys every time someone reinstalls WhatsApp or changes their phone. In this case, WhatsApp decided to prioritize usability over security. You and I are of course free to criticize that choice, but it's hardly a "backdoor".

I'd add to the author's statement above and say another question we might reasonably ask is whether the notification should be on or off by default. While my gut reaction to that "On, obviously!", upon giving it a bit more thought I think it's actually understandable why WhatsApp chose off instead.

They're not designing WhatsApp merely for security conscious people, but for the masses. The average user is unlikely to understand or care enough about this warning to manually re-verify keys every time they see it, especially when the vast majority of the time it's just going to turn out to be the result of something mundane, like one of their friends getting a new phone. Honestly, I could go either way on this one.

No, first and foremost, I argue the notifications should be ON by default and feature a lot more clear and understandable text than what is displayed now.

The auto-resending of unread messages is another issue next to the potential of MITM due to no or unclear notifications about key changes

I'm confused. The way I understand it is that once the double checkmark appears, those messages are locked in and never rekeyed. That means once you see those checkmarks, you're guaranteed no one can snoop on that message anymore.

Assuming you have the notification on (Which anyone who cares about security could and should turn on), once you see a warning, you could just delete all messages that don't have the double checkmark (if any) and not send new ones.

One checkmark = message delivered / Double checkmark = somebody read it. That somebody might as well be WhatApp doing a MITM

The double checkmark stuff the blog talks about just means you cannot retroactively rekey already sent (old) messages. WhatApp inserting itself as a MITM can however read (and double checkmark) and new messages after they did the MITM rekeying

reply


> This is contrary to WhatsApp's claim that even they cannot snoop.

They claimed that once a message has been delivered (double check mark),.

> The only notification might be that rekeying warning

The rekeying warning is a fundamental part of WhatsApp's security. If it's disabled, there are many possible attacks, not just this one. The blog entry explains it pretty well.

The double check mark might just mean WhatApp rekeyed both parties and have read the messages themselves.

And the "fundamental part" is disabled by default...

I can confirm that the rekeying notifications are off by default, also Android

He does address this: Once the sending client displays a "double check mark," it can no longer be asked to re-send that message.

That means a user is able to verify visually that the end-to-end is working. "users might not notice" doesn't seem to me as a strong argument to state this as a backdoor. This would imply not noticing that you don't have a green padlock on chrome is a backdoor too, and it clearly is not.

The "green padlock" was not considered enough because users would not be able to differentiate it from a big lock symbol within the page. Thus we got HSTS.

(There was a time when browsers would color the entire URL bar yellow to indicate https, but that went out of favor many years ago.)

Moxie deserves respect for the web vulnerabilities he discovered and raised awareness about years ago, and for his general competence at cryptography. But in recent years he's shown himself to be willing to make catastrophic sacrifices to make security applications popular and viable for the "lay person".

If the "lay person" ignores the non-obtrusive key changes, and difference between single and multiple checkmarks (and the timing of them, whether single changed to double after a key change), and just trusts that "I heard WhatsApp is secure, so I'm good to go", then so much is sacrificed that there wasn't any point in the exercise to begin with. Except that real solid systems, with direct user control over key continuity, and fully open-source, are undermined by the confusion with these "lay person" super-convenient closed-source systems.

> catastrophic sacrifices to make security applications popular and viable for the "lay person"

This isn't wrong, but it's unfair to bring it up without the most obvious counter-argument.

PGP provides absolutely zero security to the average person, because average people don't use it. HTTPS provides lots of security to the average person, whether or not they know what the green lock means, because lots of people use it. Adoption is a feature.

Of course both of these things are true. Security sacrifices for the sake of adoption suck. But let's not paint a picture of Signal as "desperate for popularity", as though that was a selfish and not security-minded goal. Be fair.

This is a definition of the word "catastrophic" I was previously unfamiliar with.

reply


I call those "completely reasonable compromises".

>just trusts that "I heard WhatsApp is secure, so I'm good to go", then so much is sacrificed that there wasn't any point in the exercise to begin with. Except that real solid systems, with direct user control over key continuity, and fully open-source, are undermined by the confusion with these "lay person" super-convenient closed-source systems.

I totally disagree with this.

I totally disagree with this.

Security isn't some absolute thing, which you either have or don't have. It's a series of threats, and counters, and usability tradeoffs you have to make so people still use your service.

You can always criticise someone selling a front-door lock - "what if the bad guy smashes the window"? But that doesn't mean front door locks are bad, or that we should all move into houses without windows.

I think tech folk treating security as a binary all-or-nothing thing, without thinking about the usability tradeoffs, are a big part of the problem, and why so much of what we have is so insecure. We have these "real solid systems, with direct user control over key continuity, and fully open-source" you mention which almost no one uses.

This makes them useless. Complaining that people should know better is also useless. Shipping software which dramatically increases security against a wide range of threats, on the other hand, because 1B people actually use it, is a positive contribution. Trying to blame that same software for the lack of adoption of "real solid systems" is lame. We've had the solid systems for years, but their lack of usability always sunk them.

Does WhatsApp encryption handle every threat? Of course not. There are always going to be unhandled threats. People could still come to your house and root your phone, or hit you with a wrench until you unlock it, for example.

But there's an apparently big threat (revealed in the Snowden leaks) of governments clandestinely, passively, mass-monitoring traffic on the wire, perhaps without the cooperation of the tech companies involved, which has compromised the privacy of vast numbers of entirely innocent people. WhatsApp's encryption seems to counter this.

Moxie et al's contribution thus deserves respect, in so far as it potentially protects a billion people from that class of threat.

It's possible that, due to the closed source nature of WhatsApp, they are actually snarfing everything. That would be big news, deserving of a mass outcry, or a leak. I'm hoping the potential commercial ramifications of them getting caught widely releasing a deliberately compromised client keeps them honest.

Its a risk, but security is always about risks and tradeoffs, not absolutes; and they have built a system that's actually usable enough that it has 1B users.

I agree, perhaps a further version of the signal protocol could implement a definitive solution that better addresses this kind of scenario the way HSTS did for ssl certs. And combined with a friendly UI solution (like the new padlock | Secure string in chrome) would lead to easier detection of possible eavesdroppers by the lay person.

This isn't a vulnerability in the signal protocol. More a vulnerability in a particular UX decision that WhatsApp made (consciously, even.)

I think this is good healthy criticism, but I think it's also difficult to strike the "right" balance.

I believe we got Signal end-to-end encryption in all of these messengers just barely, even as "compromised" as you may think it is. Google and Facebook (Messenger) didn't even enable it by default because they thought it was "too much" encryption.

So if it was even more difficult to use, it may have never been adopted by these services.

At the same time, I don't think we should allow all sorts of modifications to the protocol and to how this encryption system works just to cover a few niche use cases that would slightly increase those users' convenience.

Sending undelivered messages when the recipient is switching SIM cards instead of just telling the sender that those messages can't be sent then is one of those niche use cases and compromises that shouldn't happen, especially if enabling such features could be turned into defacto "legal intercept".

I guess Moxie is saying here that this wouldn't be a defacto legal intercept, but I'm not so sure that's true, and the researcher that found the bug doesn't seem to agree either. I think, unlike others here, it's very likely that people wouldn't notice that the messages don't have a double check mark anymore.

A little. Without reading the Guardian piece, I wouldn't even guess that delivery notifications have anything in common with security properties.

In other words, the messages are secure only when there is a double checkmark, not just a single checkmark. How am I supposed to know that?!? I am not even sure what do the checkmarks mean.

Frankly, that's not a "backdoor", that's just a poorly thought out GUI (in my opinion), that might eventually lead to backdoors with an evil server.

Absolutely. There is no evident connection that can be done from the double checkmark to a "secured communication".

But when you think about it, the double check is a read confirmation so if we are in an end-to-end encrypted scenario, and the message content was read, it means the recipient's device was able to decrypt it successfully.

This tells you that the recipient is still using the same set of keys that your device thought it had and used to encrypt the message.

The single/double checkmark is used with Signal's client as well. When you're sending unsecured texts, you get a single checkmark when you send it; when you are sending encrypted messages, a lock symbol and a single check when sent, and a double check when received.

Except that the obvious interpretation of the second checkmark not appearing is that the message was never received, not that it was decrypted by an attacker. Especially when there's a key change warning afterwards. I think this is still the correct interpretation in Signal proper, but who knows at this point?

Yes, but in Signal, it doesn't have bad security consequences when its meaning is misunderstood.

Couldn't the server change keys after every message? The delay would be fairly small. Hold the original, change key, retransmit, change key back? Guess that is easily enough mitigated if the client won't allow switching back to the same key.

It could.

I guess the point here is: Can there be a backdoor in whatsapp? Of course!

Is there a backdoor on Whatsapp as described on the guardian article? No.

Can the UX be improved to alert the smaller percentage of users that rely heavily on the encryption features when their communication is not being actively protected without disturbing the UX of the rest of the users? Probably yes,

No it's very different. Without further details, it sounds like it's possible for FB to switch keys and intercept all messages on everyone, all the time.

reply


reply


Hell yes! Imagine jusr changing background color and the banner "somebody spies on you." Now it's something like some checkmark somewhere looks a bit different or whatever.. I'm still not sure what when...

reply


reply


A double-tick will appear once everyone has received the message. You can view details on a single message to see who has received the message on an individual basis (and also who has read it).

Regardless of the merit of this specific accusational-and-denial cycle, the fact remains that Whatsapp is closed source crypto and there is no way in principle for the user to verify any security claims.

I happen to trust Moxie's principles, but not as much as I distrust the relationship-with-government imperatives implied by FB's vast business interests.

There's "no way in principle"? How is this whole story not evidence to the contrary? The person who found this didn't use WhatsApp source code.

Why do you feel that there's no way to verify closed-source software?

Why do you feel that there's no way to verify closed-source software?

reply


Whichever story you are talking about, this one or the guardian one, it doesn't address the closed-source point.

There is theoretically a way to verify WhatsApp even though it's closed source, but it's practically impossible. It's hard enough to verify software even when the source is open, you built it yourself and the whole platform and toolchain is trusted. A bunch of the potential NSA crypto backdoors were totally in the open.

The app could just be lying about resending old messages or even not encrypting them or any number of things much more subtle.

I'm sorry, but this simply isn't true. Software of far, far greater complexity than WhatsApp has been reverse engineered comprehensively by hobbyists and amateurs. Meanwhile, professionals have pretty sophisticated tools for doing this work at scale.

reply


This seems to be the same angle played every time the analysis of crypto tools comes up on HN.

(Almost always) when someone mentions the 'impossibility of analysis' of closed-source programs they are actually referring to the difficulty in doing so -- not actually stating that it's impossible.

It is easier to look through source code.

Now, if we're progressing through this conversation according to script, it will be mentioned that open source projects have had tremendous security problems, too. (OpenSSL comes to mind..)

But that's beside the point expressed.

The only point, and it's the point that was originally expressed, is that open source code is easier to look through than a closed code base.

The hurdles posed by closed source, although not impossible to jump, significantly hinder the progress of analysis.

Is this not true?

I'm sorry, but if you look upthread, the comment I responded to not only didn't say that verifying open source was easier, but actually made the extreme claim that there was in principle no way to verify closed source software at all.

Meanwhile, addressing your (different) argument directly: sure, reading C code is easier than reading assembly code, and reading Python is easier than reading C. The easier it is to read a program the easier it is to reason about it.

But:

* It's not terribly difficult to reason about the functionality of messaging software in any language.

* WhatsApp is an extremely high-profile target; it would be weird if people hadn't reversed it by now, since less well-known programs that are much harder to reverse have been productively (as in: findings uncovered) reversed.

* The particular things we're looking for in a program like WhatsApp fall into two classes: (1) basic functional stuff like data flow that is even more straightforward to discern from control flow graphs than the kinds of things we routinely use reversing to find (like memory corruption flaws), and (2) cryptographic vulnerabilities that are difficult to spot even in source code, because they're implemented in the mathematical domain of the crypto primitives regardless of the language used to express them to computers.

Sure, though. It is easier to spot backdoors in open source software. It's just not capital-H Hard to do it in closed-source software, so this open vs. closed debate about backdoors is usually a red herring.

Not necessarily. People who spend their days writing source code tend to think in terms of source code because that's what they know. People who spend their days analyzing binaries don't. Be mindful of the difference between difficult and unfamiliar.

Have you ever heard of the obfuscated C contest? Even with the code in front of your face and looking innocent it's hard to see what it does.

When you only have decompiled assembly, obfuscation is much easier.

At the binary level, obfuscation is powerful but obvious. Is iOS WhatsApp meaningfully obfuscated?

Considering iOS forbids self modifying code, lots of tricks aren't even available.

You can demonstrate the presence of a vulnerability in closed source software but there's no way to demonstrate (or even provide evidence of) the absence of any vulnerabilities.

> no way to demonstrate (or even provide evidence of) the absence of any vulnerabilities

I'd say that's hard for open source software to do as well.

reply


Sure, but so what? Hard != impossible.

reply


Votes aren't why that comment is dead --- note that it doesn't say "flagged". There is stuff that happens behind the scenes that [deads] users, especially new accounts; I think some of it might be voting ring related but not sure.

(That comment is incorrect but I agree with you that it's constructive).

(That comment is incorrect but I agree with you that it's constructive).

It seems to have come back from the dead too :-)

Reanimation powers are hidden behind the "vouch" link :)

Big Backdoor showing who's boss.

Yes but it is trivial to backdoor closed source software.

Introducing backdoors into open source source is also more difficult.

That's identically true of open-source software. To put it in the theoretical terms you're probably most comfortable with: the programming language used to represent a computer program has nothing fundamentally to do with whether it can be verified. Obviously some languages are easier to verify programs in than others, but the gap between assembly and C in ordinary compiled programs is surprisingly small.

Open vs. closed-source software is a concern orthogonal to verifiability.

I know this is a tough thing for people to get their heads around since it challenges a major open source orthodoxy. I like open source too. But the people who ratified it were not experts in this field, and this particular benefit of open source is overstated.

tptacek,

Over the years interacting with you here on HN, I think this basically sums up the worldview that puts you and I at odds:

> Open vs. closed-source software is a concern orthogonal to verifiability.

Is there a place where you have written at length, defending this assertion?

I am open to it. But it does not resonate with my understanding, nor my (substantial, I think) experience in deployments of open- and closed-source software with specific respect to verifiability.

> the programming language used to represent a computer program has nothing fundamentally to do with whether it can be verified

That's not true. The design of a language can make it easier to verify with respect to certain properties. For example, it is much easier to verify that a typical Python program does not dereference dangling pointers than a typical C program.

It is true that open source does not help as much as some of its adherents like to think. But that doesn't mean that it doesn't help at all, and it is certainly not true that it cannot help substantially in principle even if it does not help much in current practice.

You're using a word, "easier", that is keeping us off the same page. I agree that Haskell programs are easier in many senses to verify than PHP programs. But our field does formal methods verification of assembly programs, for instance by lifting them to an IR.

reply


That's news to me. At least it's news that this is actually practical for any interesting cases (i.e. real crypto code). Do you have a reference?

reply


The Skype client was obfuscated, encrypted, and riddled with anti debugging boobytraps, none of which prevented people from figuring out exactly what it did. (Not exactly a formal analysis, but probably news to the people who think messaging apps have never been reversed before.)

I'm in a cab typing on my phone but good Google searches are "llvm lifter" and "symbolic execution" or "SMT".

If you are concerned enough about the security and privacy of the app, then you should learn how to use the app. That includes learning about the indicators provided by the UI telling you about key changes, delivery notifications, and anything else the developers considered important enough to show the user.

reply


reply


It wouldn't be a conversation. The attacker would have to rely Alice's messages to Bob before switching the key. But then if the attacker let Alice (the target) receive Bob's messages they will learn theirs got delivered and the attack would fail.

So it only works once against a string of messages with no replies. That's not a conversation.

Here's my understanding of this attack vector:

* when the client is compromised, you're screwed anyways, so let's assume the client behaves as expected.

* now, with "proper" e2e, and Alice and Bob verifying key fingerprints, their messages can't be read even if the server gets compromised.

* as it stands now with WhatsApp, AFAI understand, the server could be compromised to take Alice's message, send it on to Bob, but withhold the "delivery receipt". It could also pass back Bob's answers, and so Alice could have what appears to be a normal conversation - except that Alice only sees single ticks, instead of double blue ticks.

* then, the server could send the "hey ho, new key" message, and Alice's client would re-encrypt and re-send all messages that it thinks haven't been delivered yet, the ones with a single tick. After that, it would display the "key changed" msg to Alice (if she had set that option).

> It could also pass back Bob's answers, and so Alice could have what appears to be a normal conversation - except that Alice only sees single ticks, instead of double blue ticks.

No, it can't do this, because Bob's answers contain the "delivery receipt".

No, it can't do this, because Bob's answers contain the "delivery receipt".

Hence, the attack doesn't work on conversations.

EDIT to reply: messages are sequential and "delivery receipts" are messages, so it would be visible if the attacker dropped some but not all messages. AFAICT.

> Bob's answers contain the "delivery receipt

I've not seen any specific claims about the mechanism for the delivery receipt - can you link me to this?

It's not even clear to me that the delivery receipt is signed.

It's also not clear that the server must forward all the delivery receipts before it forwards the later replies.

Could it just eat them all?

EDIT: after a quick look at the spec¹, it seems that it supports out-of-order messages, meaning the server could selectively eat receipts.

[1] https://whispersystems.org/docs/specifications/doubleratchet...

Ah. If that is so (and it's not obvious - clearly you can get delivery or even read receipts without Bob sending an answer), then it would seem that a bad server could only intercept a long monologue, indeed, but not a conversation.

(Greetings from HS F13 :)

Another thing that's not clear to me: Is the receipt confirmation from Bob (used as the basis for the double-check) signed by Bob?

Adding to this reply, here is the actual complaint that generated the guardian's article:

https://tobi.rocks/2016/04/whats-app-retransmission-vulnerab...

I think that just misconstrues how IM apps are used. You have conversations on IM apps: you send one line of text to a person, and then you don't send another until the person has at least seen the first one, if not yet responded. Otherwise you're being rude.

And, presuming you are seeing reply-messages from your peer and having a back-and-forth conversation, I don't think it's actually possible for those reply-messages to not implicitly also be ACKs of your own sent messages—the Axolotl ratchet underlying the protocol ensures that (I think. Crypto people chime in?)

So, yeah, you can probably get a retransmitted transcript of one person talking into a void without seeing any delivery ticks in response. You can't really get a conversation.

I think that, much of the time, in a journalistic setting, apps like WhatsApp are used to report. If WhatsApp is used to report conditions at an event of political upheaval in a totalitarian state - and the receiver isn't routinely and quickly replying, this is a damn serious problem.

WhatsApp seems to be built for a threat model where a single message (and you can think of a block of messages without reply as semantically equivalent to a single message, here) being compromised is no big deal; only a conversation being compromised is a problem.

If there are cases (like this) where a single-message compromise is a big deal, and WhatsApp cares about these cases, then the simplest solution would be for WhatsApp to add a preference in the client to switch on—as the article describes—a "blocking mode" for re-key notifications, where retransmissions aren't allowed by default.

And - as the article describes - such a blocking mode would immediately expose to WhatsApp which users had not enabled it, and who would therefore be safe(er) to MITM (because they probably don't verify key changes in any meaningful way).

Unconvinced of what exactly?

I remain unconvinced that people who build messaging apps used by billions of people know more about the problem space than I do.

reply


reply


I take this blog post as confirmation that:

1) ANY one message can be intercepted even if the sender exhibits ideal levels of alertness [Whatsapp server drops message to recipient; sends a rekey request with a fake key; message is intercepted since fake key was generated by server. Sender will see a warning if they turned on that setting (default is to show no warning), but it's too late].

2) Only Whatsapp has this vuln, not Signal app.

3) Depending on sloppiness of sender, more extensive interception is possible. [E.g., server not supplying delivery reports + sender doesn't have warning for key changes + sender sloppy about noticing lack of double check mark => full transcript can be generated]

Best summary I've seen. There are two significant facts here that surprised me: 1. The double checkmark has security implications. How would a typical user know that? 2. Even if you are completely vigilant, follow best practices, etc, Whatsapp messages can be intercepted. They claim this is a "wontfix" UX choice. I'm skeptical why the non-default feature cannot even provide the protection that almost everyone assumed it would.

It actually doesn't matter. They are talking about comprimising the servers. The government has the power to force a backdoor (remember Lavabit?). All Whatsapp has to do is update their client, and all the beautiful encryption schemes are ruined.

If you need a truly secure communication system, it has to be open source and self-hosted. You still have to trust the hardware though.

To expand on this argument a bit, if you think the Government/Whatsapp are specifically out to get you (eg. willing to mount an active attack against you specifically), then WhatsApp is propably the wrong messenger for you.

If on the other hand you want a reasonably secure Messenger that you can use to chat privately with everybody and their Grandma then maybe you should not expect that it does super complex security thingys that 99% of its users just don't care about and don't want to be bothered with..

At the end of the day, it comes down to trusting WhatsApp. Even without a backdoor in their protocol, they can easily do all kinds of things.

For instance, it could instruct specific clients to encrypt and send each message twice: one for the recipient, and one for the WhatsApp server. As long as this was off for 99.9% of users, it's unlikely that security researchers would ever detect this.

And anyone with sufficient access could push an update from the app store to a selected target that bypasses the normal security protocols of any given messaging app. Who checks their app store downloads against source code?

The joke is if this specific "Backdoor" would be used widespread it would generate a lot of noise (eg. random key changes, keys that don't match) and would cause massively bad PR for WhatsApp. No way are they doing that.

I mean, they're probably disassembling the app, so they'd definitely notice _that_, but there are some truly subtle problems that pop up in security, so your general point about trust seems reasonable enough (certainly for any closed-source remote-updating system).

Also it would be possible to put in subtle backdoors, which would be hard to see when it's disassembled and could even allow plausible deniability.

Trusting WhatsApp == trusting Facebook

I can't think of a company I trust less than Facebook.

reply


reply


reply


> Walmart

I can use cash at Walmart

And be sure to smile at the cameras watching you in the store, and the ones in the parking lot that recorded you driving in.

It's shared physical space. I'm OK if they video me. I'm OK if they share that video with law enforcement if there is a reason of substance to do so and as long as they make it publicly known they asked for it within a reasonable timeframe, say 45 days. I'm NOT OK with broad sweeping requests and would only allow them if circumstances required it and the request for the data was disclosed within 90 days.

Does Walmart actively deceive me? Not that I'm aware, but I don't shop there.

Never heard of Glencore or Phillip Morris.

As for Blackwater and Palantir, my impression from the media is they do exactly what they say. It's not like Palantir lies about harvesting data to give to government. I trust that they actually do do that.

None of those companies have posted fake news and altered the news algo with the express intent of manipulating users' mental states for reasons that basically boil down to "for the lols" and "let's see if we can make money from this".

>The WhatsApp clients have been carefully designed so that they will not re-encrypt messages that have already been delivered. Once the sending client displays a "double check mark," it can no longer be asked to re-send that message. This prevents anyone who compromises the server from being able to selectively target previously delivered messages for re-encryption.

Can this be verified? Can this be verified to be the case 100% of the time? Is there anything stopping the client from lying to a user [0] with this interface, saying one thing (i.e. "this will not be resent") and doing another (i.e. resending)?

[0] - Or being triggered to lie to a particular user at a particular time.

If your threat model includes using a malicious app to send messages then you lose anyway. Nothing can ever be done to send messages securely using whatsapp if the client is neither trusted nor verified. This is true for basically all software that you use.

> This is true for basically all software that you use.

And hardware too.

And that's why we have 2FA on separate devices or even hardware tokens. They allow some security even if the computer isn't trusted, like protection against replay attacks at a minimum.

If you do not trust your hardware, 2FA is of no use. All communication and display can be MITMed on the untrusted computer. It gives the appearance of a normal login, but the behavior of the trusted site or system is emulated. The real username, password and 2FA authentication token is only send to the target machine by the attacker.

That's not true. It prevents replay attacks, as I said.

More advanced tokens also do more. My bank uses a hardware token for signing transfers and other actions which can include a human readable message or part of the target account number, making MITM much harder.

reply


A definition issue with regard to "token": I sincerely do not think a device with display and keyboard used to sign transactions can be called "token". I'd say something like: trusted signing processor. But then again, I'm not a security specialist.

reply


https://en.wikipedia.org/wiki/Hardware_keylogger

reply


It doesn't of course - it protects your account from future access / replay attacks.

Open source software can be verified.

To do this you must not only verify the open source code, but that the binary was built from this code, and that your operating system and every layer below it is also trustworthy.

I stand by my claim that using software written by a malicious developer is game over in the vast majority of contexts.

reply


> verify the open source code

The argument here is that open source code can be verified where closed source is explicitly non-verifiable by nature.

> but that the binary was built from this code

Doesn't code signing address this? If not could you explain (for my own learning)?

https://en.wikipedia.org/wiki/Code_signing

> that your operating system and every layer below it is also trustworthy.

Yep, this is the last major piece for true security in my mind. Although there is some movement in the open hardware space as well as USB mounted OSs (http://gizmodo.com/try-the-super-secure-usb-drive-os-that-ed...).

> I stand by my claim that using software written by a malicious developer is game over in the vast majority of contexts.

Sure...perfectly accurate...but in the context you are implying that WhatsApp is malicious. To which I think "hackuser" was interpreting as "closed source is malicious" and therefore offering open source (and by implication Signal) as an alternative.

reply


> The argument here is that open source code can be verified where closed source is explicitly non-verifiable by nature.

This is not a belief that people who actually do software security audits hold. Verifying binary only software is table stakes to a security audit of a third party application as you cannot trust the source provided.

Having source is a bonus for security audits not a requirement.

Source code can be verified. Binaries distributed via app stores may or may not have behavior different from the published code.

Any open source project can allow you to verify binaries by making builds reproducible. The fact that most apps don't do this is indeed a security problem, but one that's far from unfixable.

Certainly it's possible to remedy this situation simply by having the app author sign a checksum of binaries in the app store. Why this is not currently an option (to my knowledge) is a mystery to me.

It kinda is - you could add it to the description.

App stores seem to be getting progressively more hostile to this kind of thing though - you can't just download an APK / iOS app, you have to do it through a device. This lets the stores do "app slimming" (and per-country / per-carrier customized apks) to remove resources you don't need (like binaries that don't match your architecture), which would change the checksum. Which is useful, but inconvenient for this goal.

Something like fdroid may be supportive of this, which would be cool. But I wouldn't expect the mainstream ones (or Apple) to ever embrace it - it'd be a bad user experience / wasted UI space in the vast majority of cases.

It's been a while (a couple of years) since I last tried this, but I remember it being reasonably straightforward to get APKs of apps that were on the Google marketplace. Not through official user interfaces, of course. I can't remember if I ended up using some Chrome extension or a third-party app that needed root.

Not a particularly useful comment sorry, just "it was possible two years ago if you jumped through some hoops."

You can probably still get the one that'll install on your device(s), but if there's customization for e.g. carrier X in country Y (or app slimming) you're unlikely to know or be able to find it from the infinite "download APKs free now!" sites.

And the last time I looked, all the apk-downloaders required your device ID, because Google's API does (for customization reasons) - it's much more of a "you can do this if you emulate a device" than "you can download it". I'm also not sure if the ID works unless you have gplay installed, which you may not have if you're being careful/paranoid enough about security to manually validate apps.

What would a checksum add over the app binary being signed by the author (which is currently the case for both stores)?

Ummm good question. I feel silly for making this point now.

That doesn't protect you against a malicious developer.

You mean someone publishing source code and then falsely verifying the binary checksum?

I mean, at the end of the day, it's very easy to verify - if the binary doesn't match what whomever gets when they compile, there better be a reason for it.

Regardless, I don't think this is the biggest problem facing open source.

>if the binary doesn't match what whomever gets when they compile, there better be a reason for it.

True, but deterministic compiles are stupendously difficult in most cases. Which is improving slowly, but still isn't usually an option.

> Source code can be verified

But how often is that really done? And to be honest, it can be quite hard to spot critical bugs or backdoors, just look at http://www.underhanded-c.org/

Reproducible builds will fix that, soon.

You can build and check against the binaries. What's your point?

This is true for basically all proprietary software that you use. FTFY

Isn't it possible (in fact trivial) to sniff the traffic generated by WhatsApp and verify that it is indeed the message transmitted, encrypted by the key on the device?

Has anyone performed such an audit?

This might be possible, but I don't think it addresses the issue that such an exploit could be turned on and off remotely. The only way to be sure would be to do such sniffing all the time.

Is an app like this enough for that purpose?

https://play.google.com/store/apps/details?id=com.googlecode...

No there's nothing stopping WhatsApp from lying to you, although if they are then the double checkmark seems like the least of your worries.

As far as I can tell this 'backdoor' is only relevant for the scenario where WhatsApp is not actively malicious, but gets taken over by a malicious entity, which wants to target someone who's disabled updates.

>Can this be verified? Can this be verified to be the case 100% of the time? Is there anything stopping the client from lying to a user

No.

OpenWhisper system otherwise GPLv3 auditable libraries are closed source for usage by WhatsApp and Facebook Messenger. Either OpenWhisper systems has elected not to enforce their copyright (in which case you could make a BSD/MIT/Apache fork of their software), OR they have consented to Facebook allowing them to circumvent the license.

Eitherway. The code in WhatsApp is off limits for anyone not working with Facebook so well never know. Closed source crypto is bad. We only have WhatsApp's word the Facebook libraries have no modifications.

This main flagrant or off-topic, but something that nags at me when thinking about truly secure messaging apps from the App Store:

Even with perfect e2e encryption protocol added, what's preventing WhatsApp developers (FB) from adding in a feature of the app:

if local.user is "TargetUser007" { takeDeviceSnap(); sendDeviceSnapshotToFBOverSameEncryption(); }

Wouldn't this not be ever verifiable unless you ARE that specific user and it's too late?

Yes. Richard Stallman calls these “Universal Back Doors”: https://www.gnu.org/proprietary/proprietary-back-doors.en.ht...

You'd also have to make sure they were the only user that received that binary.

Otherwise you'd have to hope that no one reverse engineered the binary and noticed the oddly specific comparison there.

You might be able to disguise it as debugging/development code that was mistakenly left in there. And instead of a hardcoded list of targets it could pull down the values in a more creative way. But at the end of the day that probably wouldn't stop a talented reverse engineer from figuring out what was going on.

Are reverse engineering techniques currently greater than known ability to obfuscate compiled iOS code?

reply


reply


And it'd have to work for other platforms, too. Android is Java right? Which is even easier to RE.

Android apps can also contain native code. Indeed, WhatsApp includes such libraries, to help with Curve25519 encryption, video encoding, voice over IP, and other functionality.

But it should be straightforward enough to see if text messages or UI elements (suppress key change notification) are being change depending on the output of those libraries.

I'm sure some security researcher somewhere has run the app through a debugger/disassembler to verify exactly this.

Has it happened before in a similar case?

who's doing that research?

reply


reply


The millions of eyeballs who would otherwise be meticulously studying the source code.

I think you mean the dozens of eyeballs.

Somebody, there's always somebody else.

Right?

As with all end-to-end encryption it stops at the "end". It is this unencrypted state, in which humans consume data, that can't be defended by crypto.

Therefore the only way to be completely safe, is to make sure both you and your conversation partner don't decrypt their message until it's on an offline device only you have access to.

But end-to-end encryption where the interface (mobile app/phone) is controlled by the parties you want to protect your data from is not possible. WhatsApp could send freaking screenshots back of the unencrypted data if they wanted. For nearly all other threat models whatsApp's encryption is a wonderful add-on.

'Given the size and scope of WhatsApp's user base, we feel that their choice to display a non-blocking notification is appropriate. It provides transparent and cryptographically guaranteed confidence in the privacy of a user's communication, along with a simple user experience. The choice to make these notifications "blocking" would in some ways make things worse. That would leak information to the server about who has enabled safety number change notifications and who hasn't, effectively telling the server who it could MITM transparently and who it couldn't; something that WhatsApp considered very carefully.'

Why not have every client show up as having safety number change notifications on and just choose whether to display them client side depending on user settings? i.e. if you have them off, no message will display and the message will automatically be resent using the new key?

You quoted the answer to that already. If these change notices are "blocking", then the sending device won't re-send the message until the user has verified it. If the user hasn't enabled the notification, then the sending device will re-send immediately. This makes it trivial for the server to figure out who's actually enabled the notifications and who hasn't, which means the server can be confident about when it's actually safe to MITM.

reply


You could send a dummy message for those with blocking turned on and screen it out at the receiving client.

reply


reply


No, even if you have the notification turned on, the message is still resent without your consent.

There seems to be a pretty clear war going on between engineers and journalists lately.

- Chris Latter [1] vs Business Insider [2]

- Elon Musk vs (Bunch of outlets)

- Moxie vs The Guardian

I feel like journalists want to write a compelling story and engineers are on the other side like "No, those aren't facts!" I don't follow a lot of media outlets but it seems like journalists either lack the skills or don't care about doing any technical due diligence.

[1] - https://twitter.com/clattner_llvm/status/819974025371787264

[2] - http://www.businessinsider.com/how-apples-culture-of-secrecy...

I don't know what happened here, but ...

Let's avoid our own bias of automatically believing the engineers are in the right; they are fallible people, no more or less honest or prone to error than journalists.

Every news story that breaks, involving any person or industry, gets the same response: It's false, they didn't ask us, etc. etc. Therefore, that response is not an indication that something is wrong (or right); the response tells us nothing in itself.

You're right. Everyone is fallible and I'm all for mistakes being made — We are all human. I also agree that the immediate snap response tells us nothing.

Based on the BI story, I know a few people that have actually already uninstalled WhatApp for fear of a backdoor. What I wish is that there was a better way for these two entities to communicate rather than finger pointing and name calling so that we as consumers of both media and technology can read a better more comprehensive narrative.

Name calling results in reassigning fear. People are afraid of the unknown and so try to box it up in something digestible they can fear less. We tend to blame others because it's easy and cheap to do so. If you are wrong, that means I'm right and so then I wasn't wrong about it and don't have to think about it anymore. And you are wrong, so why would I think about it again?

I think it's interesting the entities are not two, but many and one at the same time. Elon Musk is an individual and he is also part of the press process. My rationale is that the press includes everyone in the press, including the people writing the stories and the people in the stories.

We know Musk. He doesn't know us.

> We know Musk

I know this isn't your point, but we don't know Musk; we know his (intentionally, carefully curated) public image

I don't think the Chris Lattner thing is a war at all. The journalist gave a reasonable effort to get a comment from Lattner, never got a response, so went with a story from a source they found trustworthy. Lattner issued a denial after the fact, and it's included near the top of the story.

I guess it's possible that the journalist completely fabricated the story, but I think it's a lot more likely that either someone at Apple overstated their relationship with Lattner to vent their own frustrations, or Lattner is trying not to burn bridges. At worst it's an avoidable inaccuracy, not a war.

"The journalist gave a reasonable effort to get a comment from Lattner, never got a response, so went with a story from a source they found trustworthy. "

Oh well, can't figure out the actual facts, better just publish whatever i do have?

Seriously. Also, the "i tried to contact you" is clearly a BS defense.

It wasn't a "reasonable effort".

This is a reporter. They know that people basically never respond to interview requests during what amounts to the busiest times in their lives, and so the reporter asked just so they could say they tried.

Otherwise, they would have held the story a week or whatever until they could get a comment. Because it would be just as interesting then if it was any good.

But nope, gotta try to get it out while anyone gives a crap about the story flavor of the week because it's not substantive enough for anyone to care otherwise.

Yes, if you make several requests for comment over several days and don't get a response, it is acceptable to run with what you have, as long as you note those facts in the article. Also, he's switching jobs, not landing on the moon. If he has time to tweet, he has time to check his email.

If you just assume that both players in this story are human beings trying to do their jobs, you'll understand that neither of them did anything wrong.

Several days? The news of his departure isn't even several days old. Even if he asked lattner to comment five minutes after his email to the swift list, that wasn't a reasonable time to wait before publishing.

The same author published an article about Lattner leaving Apple on the 10th, and I suspect she asked for a comment at that time. Not getting one from Lattner, she probably asked other contacts she had at Apple and found one that gave her the story about the "culture of secrecy". She then would have reached out to Lattner through whatever means she had, including Twitter (https://twitter.com/Julie188/status/819216603086733312). I guess maybe "several" was a slight exaggeration, but 2 days is plenty for a story like this.

The dispute is really Facebook vs Tobias Boelter (https://tobi.rocks/), with Manisha Ganguly (freelance, so not really The Guardian) putting pressure on Facebook.

reply


Yes, because Tobias Boelter, a PhD student in cryptography is totally a journalist...

It would be a war if all these people were allied together. Neither the engineers nor the outlets mentioned here are allied parties. They're disparate across the board.

Yeah war is probably the wrong word to use — my vocabulary isn't that great :).

Yeah. It's been like this since the beginning of free press. This isn't new.

WhatsApp should make three hanged:

1. handle new keys the same way Chrome handles expired SSL certs: a big warning with the option to continue anyway if you want

2. Don't automatically resend a message with a new key (require the user to manually resend, like when iMessage falls back on MMS)

3. enable the key change notifications and make disabling them an "advanced" setting

WhatsApp is making the right choice by designing for ease of use, I think they just landed a little too far away from a secure implementation.

> That would leak information to the server about who has enabled safety number change notifications and who hasn't, effectively telling the server who it could MITM transparently and who it couldn't; something that WhatsApp considered very carefully.

I am not convinced. Why should this option exist at all? Even worse, it is disabled by default. Just enable notifications for everyone and demand verification. If you don't want to verify, just ticking "veryfied" without actual verification is not that bad, it is just a trust-on-first-use principle in action. Actually it is how SSH works and nobody complains about SSH being backdoored.

reply


  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
  Someone could be eavesdropping on you right now (man-in-the-middle attack)!
  It is also possible that a host key has just been changed.
  The fingerprint for the RSA key sent by the remote host is
  51:82:00:1c:7e:6f:ac:ac:de:f1:53:08:1c:7d:55:68.
  Please contact your system administrator.
  Add correct host key in /Users/user/.ssh/known_hosts to get rid of this message.
  Offending RSA key in /Users/user/.ssh/known_hosts:12
  RSA host key for 8.8.8.8 has changed and you have requested strict checking.
  Host key verification failed.

Yeah, SSH is at the complete opposite end of the scale in how it handles unexpected key changes - it won't even let you connect unless you manually edit known_hosts, whereas WhatsApp automatically uses the new key without any possible way for the user to stop it from doing so until it's too late.

reply


FYI: indent those lines a few spaces for proper formatting.

WhatsApp has a gazillion+ users, most of whom don't care about e2e security and definitely don't care enough to verify keys before they are allowed to chat with their friends again. The friction caused by a security popup that 90% of users simply ignore is real. It annoys users and causes fatigue that jeopardizes future security notifications.

reply


>>[The choice to make these notifications "blocking" (i.e. to require manual verification) would] leak information to the server, etc., etc.

>Why should this option exist at all?

The option does not exist, and should not exist. That's the author's point there. You agree with him and with WhatsApp on that.

All you disagree on is implementation:

Author: "[Non-blocking defaults] provide transparent and cryptographically guaranteed confidence in the privacy of a user's communication, along with a simple user experience."

You: "Enable notifications for everyone and demand verification; if you don't want to verify, just tick "verified" without actually verifying."

How are these two substantially different? They look the same to me in terms of security and WhatsApp's implementation doesn't make you click anything.

Difference is that the WhatsApp client re-encrypts the message with the new key from the server and re-sends it without user intervention ("non-blocking"), so even if you cared, you can't prevent it.

With the alternative, people that don't care could tick "verified" with or without verifying, but you could also click "cancel" (with or without verifying).

reply


The issue here is that:

1) the vast majority of users have those MITM notifications off by default (because WhatsApp decided it's best that way)

2) WhatsApp generates its own keys in some scenarios, like when people switch their SIM cards, so the "trust on first use" that worked on the original SIM is gone out of the window now, and the users won't even know it because the notification is off by default.

Actually now that I think about it, this is why WhatsApp must have let the notifications off by default, because they knew they would generate their own keys this way, which would generate a lot of those notifications all the time.

reply


reply


Moxie claimed: > "The choice to make these notifications "blocking" would in some ways make things worse. That would leak information to the server about who has enabled safety number change notifications and who hasn't, effectively telling the server who it could MITM transparently and who it couldn't; something that WhatsApp considered very carefully."

Surely if WhatsApp cared about the server not being able to detect this, they could just get the client to "retransmit" an encrypted blank message in place of the original under these circumstances. Then the server wouldn't be able to tell who has enabled blocking mode and who hasn't.

reply


tl;dr to me seems: Since users can change devices, they'll need to reissue key material, this needs to be supported. WhatsApp reports key changing optionally, but doesn't tell the server that happened.

If WhatsApp tries to backdoor a channel and one of the users has key change notification, they'll find out about it, and WhatsApp has no idea whether the warning was shown.

> If WhatsApp tries to backdoor a channel and one of the users has key change notification, they'll find out about it

The problem is that the might not find about out retransmissions. You are trusting that the "double-tick" means that the message won't be resent, but presumably WhatsApp can indeed retransmit those messages with the new key under pressure from a state actor.

They need to specifically address this point; it's the only thing worth talking about. The rest is just a discussion of implementation of key exchanges generally.

reply


Now it's fair to question whether you can trust the client, but if you can't then there's no limit to what they could do.

reply


FTA:

"WhatsApp server has no knowledge of whether users have enabled the change notifications, or whether users have verified safety numbers."

If it's off by default, then the answer is likely to be near zero, as it often is with default options. This isn't an argument about the security of the app (which I have no background to know), more of a comment on relying on non-default behavior.

If I understand correctly, the default is no key change notification. So for the majority of users, MITM would go unnoticed here.

reply


I believe that you get a key change notification, but by default it doesn't require any sort of confirmation and will just continue to work with the new key.

GP is correct: no notification of key changes by default.

Even if you enable the key change notification, it is "non-blocking" in WhatsApp as outlined by the blog post: when you get the key change notification, the WhatsApp client will automatically without user intervention resend undelivered messages (unlike Signal, btw, from what I understand).

reply


reply


Of course there is a backdoor. Why not? Under what law whatsapp and whispersystems live? The one with secret courts and secret court orders?. How to trust someone under this umbrella?

We need to spread technology companies. Everything but a bunch of things comes from this law.

And what starts in another country, magicaly gets bought or dismissed. Take Symbian as an example...

What is the user supposed to do when they get notified of a "safety number changed" message? How do they verify they've not just been MITM? Honest question... I don't use whatsapp or signal at all.

reply


reply


You can aks the other party to resend you a message from before (one that doesn't matter). Ie. Can you confirm this is you: send me a message from 5 messages back using the quote function. (you know what is said 5 mssgs back so you can pick a non sensitive one, and they can do the same to you)

edit: nvm, if this is man in the middle then that doesn't matter because you still exchange with each other and its not a hijack. Sorry, I made a mistake.

I would simply ask if they got a new phone or re-installed WhatsApp.

A few would inquisitively ask "Yes, how did you know?", then I would explain them to them the notification I got.

This can be triggered by the other side changing phones/devices. How do you explain this to the stupids?

You have to physically compare the numbers on the two phones (in real life), or send the numbers through a different trusted channel (PGP, USPS, Carrier Pigeon, etc).

reply


(Re-)verify the safety number out-of-band, like you hopefully did initially.

The real "Whatsapp Backdoor" is that, by default, the app stores a backup of all your messages on "teh cloud". On android, that's google.

So google can play "eve", and every run of the mill script kiddie that can get your google credentials may "restore" your messages. How convenient.

And that's the default settings. So, even if you turn it off, "mallory" can steal the credentials of your contact and snoop into your conversation that way.

I don't user whatsapp, but a general question to these that do:

Can the server change keys twice?

Change once to server keys, ask for the entire history retransmission.

Change again to revert to original receipient keys.

Will the receipient be prompted in that case?

Change once to server keys, ask for the entire history retransmission.

No. the WhatsApp client will not retransmit messages that have already been acknowledged by the recipient device.

Of course, you'll have to trust that this is the case; but obviously you'd have to trust the the WhatsApp client app isn't backdoored in the first place, so there is no change in security posture.

"The WhatsApp clients have been carefully designed so that they will not re-encrypt messages that have already been delivered. Once the sending client displays a "double check mark," it can no longer be asked to re-send that message. This prevents anyone who compromises the server from being able to selectively target previously delivered messages for re-encryption."

reply


Ah, thanks

So full-on paranoia mode on: What would you do if you wanted to compare safety numbers? I'm guessing most people would call and read out the code.

How far are we from targeted interception of calls, with replacement of key phrases? Voice synthesis seems to be there more or less, if I understood Adobe's recent demo correctly, but real-time parsing of conversations to determine where to intervene is probably not close yet.

This kind of phrase replacement in calls was on the NSA's priority list years ago, according to the Snowden leaks.

Maybe I don't get exactly what this means, but isn't it true that if see a message that someone's signature changed and the other person sees this also and we both choose to ignore this message the man in the middle can read all our new conversations?

Ofcourse if then one of us checks the signature later and sees it is not correct this would be very harmfull for whatsapp.

But this indeed doesn't sound like a backdoor. It's just the way it works. Which seems good enough.

> The choice to make these notifications "blocking" would in some ways make things worse. That would leak information to the server about who has enabled safety number change notifications and who hasn't, effectively telling the server who it could MITM transparently and who it couldn't; something that WhatsApp considered very carefully.

could not this be saved only localy ?

If resending undelivered messages to new keys waited for confirmation of the new key when safety number change notifications are enabled, then users without those notifications enabled would continue to immediately resend undelivered messages to new keys while users with the notifications enabled would not resend until the user manually OKed the change. The WhatsApp servers know (or can know) whether users have outstanding undelivered messages and can observe whether users resend them immediately after a key change. As a result, if resends after key changes waited for user confirmation with security notifications enabled, whenever a user changed keys, WhatsApp would be able to tell whether any of their contacts who had undelivered messages to that user had the notifications enabled by observing whether those contacts immediately resent the messages or not.

reply


reply


I think that could mostly work. The placeholder message would have to be of identical length to the original and the resent message would have to use later sequence numbers/message ids (or whatever is used to identify individual messages) so the server couldn't tell that the placeholders were placeholders.

One issue is that it would mean that, in the case of an active attack where the server substituted a key they knew in place of a legitimate new key from the user, the server would be able to decrypt the possibly-placeholder resent message and determine whether the user had notifications on. If the user didn't, they'd know that they were safe to continue to attack the user (this attack is more risky than the passive one on the blocking resend without placeholder messages protocol, of course). So, this does improve the security of the protocol for users with security notifications enabled, at the cost of making users without those notifications less safe. I'm not sure how the tradeoff should be balanced here (just as I'm unsure if the UX tradeoff of having the option of not receiving security notifications is worth it...).

to find out if the user has notification on would be the same as doing the attack, and to find that for all users is the same as mitm all users.

im not sure how is the security of those who dont have notifications on worse in this case then what they have now.

if i want to i should be able to say if somebody changes the key i want to first verify the key before i send the message to that person.

lets say you organise a big protest vs some regime. i know who you are and i know that you comunicate with the number xyz. i redirect that number to my. in the meantime you send me a list of names that are in our group and adresses. i reconect with a xyz number and get the list and everything. even if youbget the notification its to late.

They are trying to say that an intentionally placed backdoor is not a backdoor? ha ha

seems like the original thread has fallen off the front page https://news.ycombinator.com/item?id=13389935

What about https://web.whatsapp.com? It grants full access to the entire message archive on your phone

Only once you scan the barcode, which contains an encryption key to use for your phone to securely ship /its/ keys to the browser. Only encrypted messages are transmitted between phone and browser

We can learn one important thing here - it is not possible to trust closed source software. Enough said, next issue please.

It isn't possible, in most cases, to trust open source software either. Have you verified that the binaries on your phone were indeed built from the source you can read on github or wherever?

The problem is that we can't trust open source software either.

Software being closed source doesn't make it impervious to analysis. Software being open source does not mean it has been analyzed.

If your goal is to get the greatest number of people onto the greatest and most secure, private, free software, then pure ideology won't help.

What do you think Iran/the NSA/any TLA is more upset about, WhatsApp using the Signal protocol, or Matrix and Riot?

Why is moxie doing PR for WhatsApp?

WhatsApp uses the Signal Protocol, I'm not familiar with the details, but this post by OWS should[1].

[1] https://whispersystems.org/blog/whatsapp-complete/

>Even though we are the creators of the encryption protocol supposedly "backdoored" by WhatsApp, we were not asked for comment.

It's only a small step from criticism of WhatsApp crypto to criticism of Signal crypto. Why wouldn't moxie be interested?

He consulted on and helped them implement their E2E encryption.

thanks

The Guardian slipped up again, expect more BS from their incompetent journalists.

