WhatsApp Vulnerability

maqp, January 25, 2018 5:50 PM

@Afrin, (and Moxie)

“If someone hacks the WhatsApp server, they can obviously alter the group membership.”

This “duh, obviously the proprietary app using the Signal protocol has a problem where the Signal spec differs from the original open source library in a way that gives the server the ability to add contacts that can eavesdrop on communication” is so obvious. How could I have assumed anything different after Moxie said WhatsApp uses the same protocol as Signal.

“All group members will see that the attacker has joined. There is no way to suppress this message.”

Moxie misses the fact that some group chats consist of communities where not everyone knows each other. While such groups do have different expectations of privacy for messages, that’s no reason not to have security from nation states. And it’s not impossible to join one without anyone noticing, especially since the attacker can forge to each user a message about who added them. Nobody’s going to tell everyone to be quiet and interrogate the new buddy of a buddy. Very few actually care about what they share in a group if they don’t know them IRL. It’s easy not to think about those contacts.

“I think it would be better if the server didn’t have metadata visibility into group membership, but that’s a largely unsolved problem”

Metadata about who’s in the group isn’t the problem here. Ability to add members to group is.

“In contrast, Telegram does no encryption at all for group messages”

True. But this is also whataboutism. We should not tolerate Durov’s “Signal is funded by the US government” accusations, and we shouldn’t accept finger-pointing from Moxie’s side when discussing this issue. This was a screw-up from WhatsApp developers, not Moxie, and I don’t understand why he would stand behind their backs.

“There’s no way to publish an academic paper about that, though, because there’s no attack to describe, because there’s no encryption to begin with.”

It was only this week Tinder made the headlines for not using any encryption at all. Also, there was no attack to describe in Signal, yet somehow they managed to publish a formal Signal audit. It probably didn’t make the headlines back in 2016 but is even today extremely valuable proof of security. An audit that makes note of Telegram’s crappy TLS group messaging would not only convince some users, it could also be used as a source in debates, and there’s a chance it could make headlines. One big issue with Telegram currently is its outdated evaluations. It’s not clear which protocol versions the audits apply to or which attacks, like the infamous 64-bit precomputation MITM attack, still apply to the client.

“don’t build security into your products, because that makes you a target for researchers, even if you make the right decisions, and regardless of whether their research is practically important or not”

There’s nothing overly impractical about this attack. We consider Telegram’s encryption broken when all it lacks is semantic security (IND-CCA). All this means is you can edit the ciphertext without changing what it decrypts to. That’s no different from messing with imaginary ECC bundled into the ciphertext. So, why don’t we consider a protocol (implementation) broken when there’s a good chance several end-to-end encrypted messages might leak to an adversary who is able to join the conversation?

It’s true it’s hard to write stories about Telegram that raise eyebrows, especially with media fixated on Durov as a celebrity. But if enough experts agree on how Durov’s claims about distributed cross-jurisdictional encrypted cloud storage are full of shit, it might change things.

“It’s much more effective to be Telegram: just leave cryptography out of everything, except for your marketing.”

This sums up my feelings about Telegram exactly. Everything they do could work on the Signal protocol. But it’s too easy to beat the competition for an ignorant user base with invisible insecurity that enables much faster message delivery and feature development.

Read the full article here: Schneier on Security: Cybercrime Paper
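The comment above says a scheme lacking IND-CCA security lets you "edit the ciphertext without changing what it decrypts to". The following is an added illustration, not code from the comment, from Telegram, or from any real protocol: a deliberately simplified toy construction (SHA-256 counter-mode keystream, length-framed plaintext with random padding, HMAC tag) written to show the difference between an integrity tag computed over the unpadded plaintext and one computed over the ciphertext. All names, key sizes and the framing format are assumptions made for the example. In scheme A the receiver accepts a ciphertext whose padding bytes an attacker has altered, because the tag never covered them; in scheme B (encrypt-then-MAC over nonce and ciphertext) the same edit is rejected before decryption.

```python
import hashlib
import hmac
import os

BLOCK = 16  # framed plaintext is padded to a multiple of this (hypothetical choice)


def derive(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from one master key (key hygiene)."""
    return hashlib.sha256(label + key).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256; a stand-in for a real stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def frame(msg: bytes) -> bytes:
    """4-byte big-endian length, the message, then 1..BLOCK bytes of random padding."""
    body = len(msg).to_bytes(4, "big") + msg
    pad_len = BLOCK - (len(body) % BLOCK)  # never zero, so the last byte is padding
    return body + os.urandom(pad_len)


def unframe(body: bytes) -> bytes:
    n = int.from_bytes(body[:4], "big")
    return body[4:4 + n]


# --- Scheme A: integrity tag over the unpadded plaintext only (the weak design) ---
def encrypt_tag_plaintext(key: bytes, msg: bytes, nonce: bytes = None):
    nonce = nonce or os.urandom(16)
    body = frame(msg)
    ct = xor(body, keystream(derive(key, b"enc"), nonce, len(body)))
    tag = hmac.new(derive(key, b"mac"), msg, hashlib.sha256).digest()  # padding not covered
    return nonce, ct, tag


def decrypt_tag_plaintext(key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    body = xor(ct, keystream(derive(key, b"enc"), nonce, len(ct)))
    msg = unframe(body)  # padding is discarded before the check
    expected = hmac.new(derive(key, b"mac"), msg, hashlib.sha256).digest()
    return msg if hmac.compare_digest(expected, tag) else None


# --- Scheme B: encrypt-then-MAC over nonce || ciphertext (the fixed design) ---
def encrypt_then_mac(key: bytes, msg: bytes, nonce: bytes = None):
    nonce = nonce or os.urandom(16)
    body = frame(msg)
    ct = xor(body, keystream(derive(key, b"enc"), nonce, len(body)))
    tag = hmac.new(derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def decrypt_encrypt_then_mac(key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    expected = hmac.new(derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # reject before touching the plaintext
    return unframe(xor(ct, keystream(derive(key, b"enc"), nonce, len(ct))))


def flip_byte(ct: bytes, index: int) -> bytes:
    """The attacker's edit: flip one bit in one ciphertext byte."""
    edited = bytearray(ct)
    edited[index] ^= 0x01
    return bytes(edited)


def demo(key: bytes = b"\x11" * 32, msg: bytes = b"meet at the usual place at 9"):
    """Returns (scheme A result, scheme B result) for a ciphertext whose last
    byte (always padding) was altered in transit. Constructed sample input."""
    nonce, ct, tag = encrypt_tag_plaintext(key, msg)
    a_result = decrypt_tag_plaintext(key, nonce, flip_byte(ct, len(ct) - 1), tag)
    nonce, ct, tag = encrypt_then_mac(key, msg)
    b_result = decrypt_encrypt_then_mac(key, nonce, flip_byte(ct, len(ct) - 1), tag)
    return a_result, b_result


if __name__ == "__main__":
    accepted_a, accepted_b = demo()
    print("scheme A (tag over plaintext) accepted edited ciphertext:", accepted_a)
    print("scheme B (encrypt-then-MAC) accepted edited ciphertext:", accepted_b)
```

Scheme A's receiver returns the original message for the edited ciphertext: two distinct ciphertexts decrypt and verify to the same plaintext, which is exactly the decryption-oracle behaviour an IND-CCA distinguisher exploits. Note that scheme A still rejects an edit to a message byte (the tag covers those), so "the MAC passes" is not evidence that the ciphertext was untouched. Scheme B rejects any edit to the ciphertext before decrypting; the same property is what an AEAD mode gives you.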