Originally published at: http://boingboing.net/2017/01/13/a-critical-flaw-possibly-a-de.html
…
has been characterized in the press as a “backdoor,” though it does not appear that Boetler believes that this is a deliberate backdoor, as opposed to an error in judgment that could be exploited for use as a backdoor
Intent seems beside the point.
Well, not really. Intent makes the difference between believing them when they say, “We fixed it!” or not.
Doesn’t really inform the current situation either way. There’s still a backdoor.
I hope they can address this, but I also hope it doesn’t turn into “Don’t use whatsapp, they give the government all your stuff!” It is still probably the most secure widely available messaging protocol. Signal is great, and I recommend anyone use it if practical, but for many people it won’t be. Switching from whatsapp to facebook messenger or any number of other messaging systems would be a security downgrade.
Re-keying is an unfortunately necessary part of end-to-end encryption that must be done whenever a user changes devices, and it has to be possible when the original device is offline. Sure, you can prompt for it, but most users are just going to be annoyed and click “OK”, providing little additional security for the average user – as opposed to, say, a journalist or civil rights activist that has specific, credible threats against them. While the latter group is important, and needs software that provides them a high degree of security, we shouldn’t let that stop us from also making more usable software that gives the majority of users better security than they have now. Merely publicizing this option for users that want/need it would probably be a good improvement that allows people to balance their security expectations with user experience.
A more interesting approach would be to focus on detecting malicious rekeying, and to provide additional security against retransmission of old messages. Distinguishing malicious rekeying from harmless is going to be difficult as long as there is a single central router and no peer-to-peer communication. For instance, if you get a message with a new sender key, but then get a later message with the old key, you should be suspicious. This is really hard to detect when a single agency that might be malicious/compromised controls the connection, but you could imagine using a federation of relays run by different groups. Then an attacker would have to get all of them to cooperate to block your old key and avoid detection. Getting facebook, google, and twitter (or whoever) to cooperate and rely on each other in this way seems difficult, but a more worthwhile endeavor than simply scolding facebook for whatsapp being imperfect.
The thing about resending old messages is somewhat confusingly described in the article. As near as I can tell, whatsapp will not retransmit messages with a new key after they have received an acknowledgement. It would be possible for facebook to delay or drop these acknowledgements without the user noticing, and then trigger a rekey event to collect all of the unacknowledged messages. However, if your working assumption is that facebook is not currently trying to maliciously defeat your security, but that they might be compromised or compelled in the future, this means that messages you send today are still secure against future actions by facebook, since they will be properly acknowledged and not subject to this attack. At whatever point facebook’s servers begin to actively attack your connection, you will be vulnerable. This is not what is promised by Signal – that assuming nobody tampers with your first message, subsequent messages will be secure, but the article makes it sound like future attacks against facebook can retrieve your entire communication history – as far as I can tell, this is not true.
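A small simulation of the two client-side defences the post above describes: holding unacknowledged messages when the recipient rekeys instead of silently re-encrypting them, and flagging a retired sender key that reappears after a newer one. This is an added example, not WhatsApp’s or Signal’s code; the Outbox/Inbox classes, the key ids K1/K2 and the message ids are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Outbox:
    """Sender side: tracks which outgoing messages the recipient has acknowledged."""
    recipient_key: str
    pending: dict = field(default_factory=dict)  # msg_id -> key it was encrypted under
    def send(self, msg_id: int) -> None:
        self.pending[msg_id] = self.recipient_key
    def ack(self, msg_id: int) -> None:
        self.pending.pop(msg_id, None)  # acknowledged messages are never re-sent
    def on_rekey(self, new_key: str) -> list:
        """Recipient announced a new key: hold unacknowledged messages instead of
        re-encrypting them under it, and return their ids for the user to approve."""
        held = sorted(m for m, k in self.pending.items() if k != new_key)
        self.recipient_key = new_key
        return held

@dataclass
class Inbox:
    """Receiver side: the 'new key, then the old key again' heuristic."""
    current: dict = field(default_factory=dict)  # sender -> key currently in use
    retired: dict = field(default_factory=dict)  # sender -> keys already replaced
    alerts: list = field(default_factory=list)

    def receive(self, sender: str, key: str):  # -> alert string, or None
        cur = self.current.get(sender)
        if cur is None or cur == key:
            self.current[sender] = key
            return None
        if key in self.retired.setdefault(sender, set()):
            alert = f"{sender}: retired key {key} reappeared after {cur}"
        else:  # plain key change: plausible device switch, but worth surfacing
            alert = f"{sender}: key changed {cur} -> {key}"
            self.retired[sender].add(cur)
            self.current[sender] = key
        self.alerts.append(alert)
        return alert

def scenario():
    """Constructed run: msgs 1-2 acknowledged, msg 3 not, then a rekey to K2."""
    out = Outbox("K1")
    for msg_id in (1, 2, 3):
        out.send(msg_id)
    out.ack(1); out.ack(2)
    held = out.on_rekey("K2")  # only the unacknowledged msg 3 is exposed
    inbox = Inbox()
    for key in ("K1", "K1", "K2", "K1"):
        inbox.receive("alice", key)
    return held, inbox.alerts
```

In the constructed run only message 3 is held for approval, and the inbox raises one alert for the K1 to K2 change and a second, stronger one when K1 reappears afterwards.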
Uhm, don’t use Whatsapp. Seriously.
Use Signal. Full stop.
Why? Because it isn’t integrated with Facebook? If so, that’s a feature, not a bug.
Which of course, like WhatsApp, is only available through the app store.
and?
So?
What threat model are you fighting against there?
You think Moxy and crew don’t watch what app Google or Apple pushes to users for interference?
What’s your solution then?
I know you think you are being helpful, but you are not, and this is exactly the attitude that has kept many many people from using any sort of secure communication.
[quote]Why?[/quote]
Because they want to talk to people other than Edward Snowden?
OK, I get it. You hate facebook. Good for you.
This one is easy.
You couldn’t trust Zuckerberg (for the reasons your picture emphasizes), we can’t trust Facebook (remember the WhatsApp-your-data-is-safe-after-acquisition switcheroo), we can’t trust any US tech company after PRISM, and we certainly can’t trust the US government any longer to protect human/civil rights including privacy.
Intent or not - this bug or feature was/is used to siphon off data from users for sure.
Strangely, at least 30% of my phone contacts list is on Signal.
Aren’t anecdotes great?
No. I simply don’t expect Facebook to not gather all information it can on its users and their use of the “free” services Facebook offers. If you think Facebook isn’t spying on you…
Facebook doesn’t offer services to people like you because they love you. They do it to monetize you to third parties. Why are you surprised that “secure” comms that they own are not actually secure from them?
How would they know if one push was different from the others?
IIRC, each package on the marketplace is signed, and I don’t think Google gets that private key to spoof. Packages won’t update/install over themselves if the signature is incorrect.
Again, what threat model are you concerned about?
You think Google is secretly altering the apps it pushes for specific users? Why would it do that? What’s their motivation? What would the fallout for them as a company, legally and monetarily, be if they ever got caught doing this?
I assume you’re thinking of government targeting, in actuality?
News flash for you: if your “enemy” that you’re concerned about is a nation state or a department of one, you aren’t going to win. If they want you, they have unlimited resources to get you. Go back to note paper and dead drops.
Very likely not, and I strongly suspect you have no idea of the technical details, and are just bitching because “facebook bad”.
The reason this has likely not been used for the sort of user data collection you are suggesting is that it would almost certainly be detected quickly if done on any sort of scale. Assuming some small fraction of people do have the “notify on security events” box checked and verify keys via side channels, if facebook tried to do this on any sort of large scale they would quickly be found by people who noticed unexpected key changes. So it might have been used very occasionally in a targeted fashion, but then the people who are likely to be targeted are most likely to be more careful with their security. The idea that this vulnerability has been used for mass data collection for advertising or surveillance purposes is absurd.
One word: Threema
How is this better than Signal, which has a publicly reviewed protocol and has had security reviews of its code?
Where did I say it was better than Signal?
Then why suggest it when Signal has already been suggested?
One word: Signal