It's what the other article says, for in flight message (single tick), if the key changes it might be reencrypted with a new key if the recipient key changes.
If there's a double-tick it's too late, and it won't reencrypt. In practice, unless you have a very long monologue, only one message would "leak", not the full discussion.
(after the key changes you'll get a warning if you have the settings to show cryptographic details enabled).
People have "monologues" on IM all the time. I'm sure FB has the data from Messenger and WhatsApp, what the aggregate exposure in message volume is at any time. I do not have that data but I suspect it's "a lot".
"[...] We were previously aware of the issue and might change it in the future, but for now it's not something we're actively working on changing.[...]"
Most knowledgeable advice only recommends Signal, and possibly Threema or Wire, for communication that needs to be secure, see e.g.
https://www.securemessagingapps.com
Basically, disagreement over the term "backdoor", which sounds like it was put there intentionally.
WhatsApp/Moxie: we made a security/usability trade-off.
The video's author/The Guardian: this trade-off allows an attacker to intercept messages (undetected, as long as he permanently cuts off the recipient's phone), which is bad.
It's an "intentional vulnerability". It's there to prevent users from being annoyed. Which is a bit of a lame excuse, because users would only be "annoyed" in very rare cases and special circumstances, namely: A sends a message to B while B is offline AND then B gets a new phone before coming back online.
Even if you disagree with me that it's a very rare case, WhatsApp could still give us an option to show a confirmation before automatically re-sending messages to a new device.
It's not that rare. It happens anytime the other user gets a new phone, or re-installs WhatsApp.
> WhatsApp could still give us an option to show a confirmation before automatically re-sending messages to a new device.
Just to clarify: they do optionally notify you (off by default), but after having re-sent the re-keyed messages.
It would be nice if they (optionally) offered you a choice to re-send the message, or discard it. (You could then verify key fingerprints out of band before making that choice.)
Doing that (making it "blocking") would leak information, OpenWhisperSystems argues, correctly.
>It's not that rare. It happens anytime the other user gets a new phone, or re-installs WhatsApp.
That, and the messages also have to be sent while the user is offline, otherwise there is no vulnerability--assuming you enabled the currently available notifications. So I still believe it's a very rare circumstance and very few people would get "annoyed" by a notification/confirmation for that specific circumstance.
>It would be nice if they (optionally) offered you a choice to re-send the message, or discard it.
That is a very loaded question. It may be easier to understand "what is going on" broadly if you try to frame it in terms of actions: What can you do about this? What do you want to do about this?
The "backdoor" (insecurity) is that Facebook can read and spoof your WhatsApp messages, and can be compelled to by any government of a country in which they operate, or by any determined attacker.
This surprises people because they believe WhatsApp is secure, since Facebook said so, and because it ostensibly obtains that security from someone who is endorsed by someone else who is considered knowledgable about security.
However it is (in this case) insecure because of a "user-interface issue" (whatever Moxie means by that). Basically, the key and software can be changed at any time, and if it is changed (because of a cloned phone, or with FaceBook's help, or with Google/Apple's help, or because someone hacks some FaceBook/Apple/Google servers, or for other reasons).
Moxie intimates that this shouldn't be called a "backdoor" because it wasn't put in with malice, even if it was put in intentionally. Do you agree with that?
Now what do you want to do? Do you want to get some pitchforks and find someone to stab? Do you want to stop using WhatsApp and convince other people to do so as well? Do you want to learn more about security and how cryptography works?
Right now, we are looking some kind of campaign- perhaps it is organised and malicious, or perhaps we are seeing multiple actors who have multiple ways of benefitting so they only appear coordinated.
That is, are you making this decision yourself? Or are you being encouraged down a path that supports someone elses' goals?
Do these actors want to impeach FaceBook/Whatsapp/Signal because they like chaos and carnage and hope that by being doomsayers they will get you to watch their video/read their blog and earn money from advertising?
Do these actors want to impeach FaceBook/Whatsapp/Signal because they think we (society) need to actually demand real security and privacy? Should we ask a private company to respect our security and privacy wishes? Or should we ask our government (which is us)?
Do these actors want to impeach FaceBook/Whatsapp/Signal because they have a competitors' product? Is there another popular "secure messaging" product for mobile devices that does not have these problems?
Do these actors want to impeach FaceBook/Whatsapp/Signal because these tools are actually quite secure and problematic, and it would be more convenient if people who wanted privacy and security could be more easily investigated covertly? Is this a "false flag" on privacy launched perhaps by a state actor?
Are there other reasons actors would want to impeach FaceBook/Whatsapp/Signal?
What is going on "exactly" has questions and answers on so many levels it is difficult to know where to begin, but I have popcorn.
If the client gets compromised, you're screwed anyway.
e2e encryption's goal is that the communication between A and B is secure even if the server gets compromised.
Here, by design choice, the server could be compromised such that messages that (A thinks) B hasn't received yet can be triggered (by the server) to be re-keyed and re-sent from A.
I don't think this is what most people think of when they think of "e2e encryption".
If "A" is FaceBook software (client) and the communication to FaceBook's servers is encrypted, that should be standard, but it's not "e2e encryption". That's what TLS/SSL does. Why do we need another protocol when we already have TLS/SSL? Those are hugely deployed protocols whose implementations still have bugs.
I think "A" is me. I think that's what most people think, that we're talking about keeping the communication private between them and their partner. "A" is not the software that FaceBook controls: If FaceBook cannot decrypt my messages, then nobody can hack FaceBook to decrypt my messages, and FaceBook cannot be compelled to provide my messages to someone else. That's something that is actually valuable, and befitting a special label of "e2e encryption".
FaceBook can update that software (so can Google, Apple, or potentially Amazon or any other "app store" in the ideal scenario, hackers in the less ideal, and an oppressive government in the dire) at any time, so you simply do not know what it does, did, or will do, but at least you can keep it honest if you can supply and verify the keys yourself.
It does [if you enable it], but in special circumstances (as described in the video/article) the warning is only displayed AFTER your messages have already been delivered to a new phone.
I could be wrong, but he just puts the sender phone in Airplane mode and then sends a few messages. Then he swaps the sim card from the receivers "Laura's" phone to the government's phone. Then the government's phone is able to view the messages sent while the sender's phone was in Airplane mode. Is that really the vulnerability?
The governments phone doesn't have Laura's private key on it. It is not transferred when the SIM is transferred. So even without the private key, they can intercept the messages.
[edit] Also, even if Lauras phone wasn't in airplane mode, all they need to do is prevent the delivery reports, then they can repeat the trick. And of course, they don't need the SIM in order to take over the phone number.
I get that the Government's phone does not have Laura's private key. What does Airplane mode have to do with it though? Does this exploit only work when messages are sent unconfirmed/no-network from the sender's phone?
Yes it's a real vulnerability. Edward's phone is reencrypting the message with a new (malicious) public key without Edward's permission. It's not clear this would be a very practical attack, but it's definitely something that Whatsapp should stop if the extra security mode is enabled.
I get it, but let's stop calling it a backdoor conspiracy theorists. It is really a UX decision. WhatsApp decided they'd rather not have the possibility of losing messages when you switch phones.
I see the fix as being as easy as a new security preference that by default behaves the same way, but you have the option to prevent sending messages that are not reported as delivered to a new device/key. Essentially those messages get lost.
You can't prove whether or not it was intentional. Marketing speak can spin this as a convenience for the user. It's still a backdoor until they fix this.
I don't believe Moxie has the actual insight into Facebook's true intentions with the Whatsapp platform. He may believe their intentions are honest, but he's just a cog in their wheel.
If he honestly believed Whatsapp was sufficiently secure why would he bother with Signal?
Yes, of course it is clearly less secure than Signal. It's an UI tradeoff given the reality that the vast majority of the billion+ WhatsApp users will not verify key fingerprints ("security number", I believe, in Signal speak) out of band.
Again, let me quote Moxie from the other thread:
"Given that reality, the most important thing is to design your product so that the server has no knowledge of who has verified keys or who has enabled a setting to see key change notifications. That way the server has no knowledge of who it can MITM without getting caught. I've been impressed with the level of care that WhatsApp has given to that requirement."
The point is, if you need the extra security, use Signal, Threema. But if you want to get good crypto in the hands of billions, make it simple and invisible. That's what they've aimed for, and achieved.
Well perhaps it was just a bug or edge-case, and WhatsApp is just "spinning" it as convenience. We could go back and forth all day.
Immediately jumping to backdoor and malicious intent for use by the Government is disingenuous and we don't know that to be factual. Yet the media and this YouTuber seems to be distributing that very message.
You would only lose messages if both people switched phones at the same time, and then probably only a single message. That tiny chance of losing a message does not warrant allowing adversaries to read a message when the user has explicitley marked themself high risk.
And even with the current implementation there is still the chance to lose messages.
That would indeed be enough. The other conceivable scenario is that the server gets compromised (and suppresses the "delivery receipts", then sends a spurious "rekeying" message).
It now is a lot more clear what's going on here. The discoverer of this issue is basing his argument on the fact that when you verify a fingerprint, you are now confident that your end-to-end encryption won't transparently send your encrypted data to someone with a different keypair. The other side of the argument is that if WhatsApp actually did what you expect, data would be lost when a person switched phones in the middle of someone sending them a message. As a person who doesn't switch phones very often, I would prefer an end-to-end encryption to never send data to a different public key than the one I've used before. I would rather lose data than divulge it to a third party who has the ability to spoof the recipient's phone. This would only come up whenever someone switched their phone when I was sending them a message, so it's pretty rare.
To me the trade off is a no brainer, and apparently to Facebook and Whisper Systems the trade off is a no brainer in the opposite direction.
>if WhatsApp actually did what you expect, data would be lost when a person switched phones in the middle of someone sending them a message
Only temporarily lost. WhatsApp could ask you: "do you want to resend the message(s) to the contact's new phone?".
An easy solution and it could be optional, even off by default.
OpenWhisperSystem's response was that due to the delay involved the (potentially compromised) server would know who has enabled notifications/blocking and who hasn't.
[...] a fact of life is that the majority of users will probably not verify keys. That is our reality. Given that reality, the most important thing is to design your product so that the server has no knowledge of who has verified keys or who has enabled a setting to see key change notifications. That way the server has no knowledge of who it can MITM without getting caught. I've been impressed with the level of care that WhatsApp has given to that requirement.
I think we should all remain open to ideas about how we can improve this UX within the limits a mass market product has to operate within, but that's very different from labeling this a "backdoor."
As a counterpoint, though, see the discoverer of the vulnerability:
"As Eike Kühl pretty well describes, this functionality only increases usability in a rare corner case: When you dump your phone in the ocean and you need a month to get a new one. Then everyone who has sent you a message during this period will not need to press an additional "OK" button."
>> Those "blocking" clients could instead retransmit a message of the same length that just contains garbage, i.e. instead of "Login with the password d98y289whcma0", they'd send "0000000000000000000000000000000000000" and this message would just not be displayed by the receiver's phone. By the guarantees of encryption, those two messages are indistinguishable in the encrypted form. Hence, this technique would make identifying users with the additional security enabled on a large scale impossible. <<
I think the past few days of back-and-forth about this issue have made a few things clear:
1) The double-check was not widely understood as an indicator of any particular security state prior to the attention this has gotten.
2) Is it fairly easy to imagine a scenario in which the behavior of WhatsApp can be readily exploited - think of a journalist on the ground in Tahrir Square using WhatsApp to report on conditions, neither expecting nor receiving replies or confirmations, perhaps for hours at a time.
3) The matter of whether this is a "backdoor" or not is contentious, but also not terribly important to the stakeholders.
4) Moxie wholesale approves of the WhatsApp implementation.
5) WhatsApp does in fact provide substantial security for a common and important use case.
So, where do we go from here?
I think that those of us that care about freedom in the information age well-advised to remember that Moxie has done incredible, substantial, and landscape-shifting work in this space.
Nevertheless, I also think that Moxie can provide a few more details and thoughts that will be hugely helpful to the community in thinking through the coming years of IM security.
Specifically, I will quote the comment I made in the other article, addressing Moxie directly:
Moxie,
I think it's fair to say that you are the world thought leader on these matters right now.
One thing that the rest of us are wondering right now is:
> (Quoting Moxie, in response to my comment) I've been impressed with the level of care that WhatsApp has given to that requirement.
To what degree do you really know that? Is there a place where we can read about your interactions with Facebook, the level of access they've given you, and the degree to which they have allowed your recommendations to shape the contours of their implementation?
Nothing less than the strength of dissent lies in the balance of questions like these.
> I think we should all remain open to ideas about how we can improve this UX within the limits a mass market product has to operate within, but that's very different from labeling this a "backdoor."
I agree that the jump to scary terminology is dangerous.
However, at the end of the day, I think that many of us have been trying to make a simple point that shows that there is a sort of crossing of that line:
WhatsApp claimed that they were simply unable to intercept communications, and now we find out that, without any user interaction or approval, messages which haven't received the "double check" are re-transmitted when a new key is generated.
So look: nobody here is trying to diminish your tireless work and your accomplishments in bringing freedom into the information age.
But there are nuances here that are important, and fleshing them out is a big part of what this community is about.
52 comments
[ 2.5 ms ] story [ 113 ms ] threadAnybody with any ideas what is happening exactly?
If there's a double-tick it's too late, and it won't reencrypt. In practice, unless you have a very long monologue, only one message would "leak", not the full discussion.
(after the key changes you'll get a warning if you have the settings to show cryptographic details enabled).
Facebook responded to my white-hat report
"[...] We were previously aware of the issue and might change it in the future, but for now it's not something we're actively working on changing.[...]"
Your link is to an article explaining the design decisions that lead to the weakness that is being taken advantage of.
A purpiseful & public design trade off is not a backdoor.
1) Signal protocol doesn't have this issue, it was introduced by Whatsup.
2) It wasn't public until now.
3) The security notification is turned off by default in android and ios apps.
Huge issue especially since Whatsup is recommended for activists and whistle-blowers.
https://www.youtube.com/watch?v=we-pJE5JjAs
Most knowledgeable advice only recommends Signal, and possibly Threema or Wire, for communication that needs to be secure, see e.g. https://www.securemessagingapps.com
WhatsApp/Moxie: we made a security/usability trade-off.
The video's author/The Guardian: this trade-off allows an attacker to intercept messages (undetected, as long as he permanently cuts off the recipient's phone), which is bad.
No,
a) not if user has enabled security notifications (disabled by default)
b) not across a back-and-forth conversation, provided user checks for blue double ticks
Even if you disagree with me that it's a very rare case, WhatsApp could still give us an option to show a confirmation before automatically re-sending messages to a new device.
> WhatsApp could still give us an option to show a confirmation before automatically re-sending messages to a new device.
Just to clarify: they do optionally notify you (off by default), but after having re-sent the re-keyed messages.
It would be nice if they (optionally) offered you a choice to re-send the message, or discard it. (You could then verify key fingerprints out of band before making that choice.)
Doing that (making it "blocking") would leak information, OpenWhisperSystems argues, correctly.
That, and the messages also have to be sent while the user is offline, otherwise there is no vulnerability--assuming you enabled the currently available notifications. So I still believe it's a very rare circumstance and very few people would get "annoyed" by a notification/confirmation for that specific circumstance.
>It would be nice if they (optionally) offered you a choice to re-send the message, or discard it.
That's exactly what I had in mind.
a) the notification and concomitant irritation to non-technical users is there when the other user switches phone, whether they were online or not
b) the vulnerability is there when the server is compromised, whether the other user is online or not (can just filter out "delivery receipts")
The "backdoor" (insecurity) is that Facebook can read and spoof your WhatsApp messages, and can be compelled to by any government of a country in which they operate, or by any determined attacker.
This surprises people because they believe WhatsApp is secure, since Facebook said so, and because it ostensibly obtains that security from someone who is endorsed by someone else who is considered knowledgable about security.
https://news.ycombinator.com/item?id=11431728
However it is (in this case) insecure because of a "user-interface issue" (whatever Moxie means by that). Basically, the key and software can be changed at any time, and if it is changed (because of a cloned phone, or with FaceBook's help, or with Google/Apple's help, or because someone hacks some FaceBook/Apple/Google servers, or for other reasons).
Moxie intimates that this shouldn't be called a "backdoor" because it wasn't put in with malice, even if it was put in intentionally. Do you agree with that?
https://news.ycombinator.com/item?id=13396129
Now what do you want to do? Do you want to get some pitchforks and find someone to stab? Do you want to stop using WhatsApp and convince other people to do so as well? Do you want to learn more about security and how cryptography works?
Right now, we are looking some kind of campaign- perhaps it is organised and malicious, or perhaps we are seeing multiple actors who have multiple ways of benefitting so they only appear coordinated.
That is, are you making this decision yourself? Or are you being encouraged down a path that supports someone elses' goals?
Do these actors want to impeach FaceBook/Whatsapp/Signal because they like chaos and carnage and hope that by being doomsayers they will get you to watch their video/read their blog and earn money from advertising?
Do these actors want to impeach FaceBook/Whatsapp/Signal because they think we (society) need to actually demand real security and privacy? Should we ask a private company to respect our security and privacy wishes? Or should we ask our government (which is us)?
Do these actors want to impeach FaceBook/Whatsapp/Signal because they have a competitors' product? Is there another popular "secure messaging" product for mobile devices that does not have these problems?
Do these actors want to impeach FaceBook/Whatsapp/Signal because these tools are actually quite secure and problematic, and it would be more convenient if people who wanted privacy and security could be more easily investigated covertly? Is this a "false flag" on privacy launched perhaps by a state actor?
Are there other reasons actors would want to impeach FaceBook/Whatsapp/Signal?
What is going on "exactly" has questions and answers on so many levels it is difficult to know where to begin, but I have popcorn.
a) only those that have not been delivered yet
b) you can notice, having enabled the security notifications in the app, by noticing the notice and then verifying key fingerprints again
e2e encryption's goal is that the communication between A and B is secure even if the server gets compromised.
Here, by design choice, the server could be compromised such that messages that (A thinks) B hasn't received yet can be triggered (by the server) to be re-keyed and re-sent from A.
If "A" is FaceBook software (client) and the communication to FaceBook's servers is encrypted, that should be standard, but it's not "e2e encryption". That's what TLS/SSL does. Why do we need another protocol when we already have TLS/SSL? Those are hugely deployed protocols whose implementations still have bugs.
I think "A" is me. I think that's what most people think, that we're talking about keeping the communication private between them and their partner. "A" is not the software that FaceBook controls: If FaceBook cannot decrypt my messages, then nobody can hack FaceBook to decrypt my messages, and FaceBook cannot be compelled to provide my messages to someone else. That's something that is actually valuable, and befitting a special label of "e2e encryption".
FaceBook can update that software (so can Google, Apple, or potentially Amazon or any other "app store" in the ideal scenario, hackers in the less ideal, and an oppressive government in the dire) at any time, so you simply do not know what it does, did, or will do, but at least you can keep it honest if you can supply and verify the keys yourself.
When I talked to my gf the other day noticed it when she switched her work phone.
[edit] Also, even if Lauras phone wasn't in airplane mode, all they need to do is prevent the delivery reports, then they can repeat the trick. And of course, they don't need the SIM in order to take over the phone number.
I see the fix as being as easy as a new security preference that by default behaves the same way, but you have the option to prevent sending messages that are not reported as delivered to a new device/key. Essentially those messages get lost.
I don't believe Moxie has the actual insight into Facebook's true intentions with the Whatsapp platform. He may believe their intentions are honest, but he's just a cog in their wheel.
If he honestly believed Whatsapp was sufficiently secure why would he bother with Signal?
Yes, of course it is clearly less secure than Signal. It's an UI tradeoff given the reality that the vast majority of the billion+ WhatsApp users will not verify key fingerprints ("security number", I believe, in Signal speak) out of band.
Again, let me quote Moxie from the other thread: "Given that reality, the most important thing is to design your product so that the server has no knowledge of who has verified keys or who has enabled a setting to see key change notifications. That way the server has no knowledge of who it can MITM without getting caught. I've been impressed with the level of care that WhatsApp has given to that requirement."
https://news.ycombinator.com/item?id=13394900
The point is, if you need the extra security, use Signal, Threema. But if you want to get good crypto in the hands of billions, make it simple and invisible. That's what they've aimed for, and achieved.
Immediately jumping to backdoor and malicious intent for use by the Government is disingenuous and we don't know that to be factual. Yet the media and this YouTuber seems to be distributing that very message.
And even with the current implementation there is still the chance to lose messages.
...since that part isn't directly stated, and might not be obvious to everyone.
To me the trade off is a no brainer, and apparently to Facebook and Whisper Systems the trade off is a no brainer in the opposite direction.
Only temporarily lost. WhatsApp could ask you: "do you want to resend the message(s) to the contact's new phone?". An easy solution and it could be optional, even off by default.
OpenWhisperSystem's response was that due to the delay involved the (potentially compromised) server would know who has enabled notifications/blocking and who hasn't.
How would that be worse than the current situation, where everyone is vulnerable and we all know it?
[...] a fact of life is that the majority of users will probably not verify keys. That is our reality. Given that reality, the most important thing is to design your product so that the server has no knowledge of who has verified keys or who has enabled a setting to see key change notifications. That way the server has no knowledge of who it can MITM without getting caught. I've been impressed with the level of care that WhatsApp has given to that requirement. I think we should all remain open to ideas about how we can improve this UX within the limits a mass market product has to operate within, but that's very different from labeling this a "backdoor."
https://news.ycombinator.com/item?id=13394900
"As Eike Kühl pretty well describes, this functionality only increases usability in a rare corner case: When you dump your phone in the ocean and you need a month to get a new one. Then everyone who has sent you a message during this period will not need to press an additional "OK" button."
https://tobi.rocks/2017/01/what-is-facebook-going-to-do-a-su...
>> Those "blocking" clients could instead retransmit a message of the same length that just contains garbage, i.e. instead of "Login with the password d98y289whcma0", they'd send "0000000000000000000000000000000000000" and this message would just not be displayed by the receiver's phone. By the guarantees of encryption, those two messages are indistinguishable in the encrypted form. Hence, this technique would make identifying users with the additional security enabled on a large scale impossible. <<
WhatsApp: decent security for non-techies, making routine mass surveillance much harder
Signal: even better security for techies
1) The double-check was not widely understood as an indicator of any particular security state prior to the attention this has gotten.
2) Is it fairly easy to imagine a scenario in which the behavior of WhatsApp can be readily exploited - think of a journalist on the ground in Tahrir Square using WhatsApp to report on conditions, neither expecting nor receiving replies or confirmations, perhaps for hours at a time.
3) The matter of whether this is a "backdoor" or not is contentious, but also not terribly important to the stakeholders.
4) Moxie wholesale approves of the WhatsApp implementation.
5) WhatsApp does in fact provide substantial security for a common and important use case.
So, where do we go from here?
I think that those of us that care about freedom in the information age well-advised to remember that Moxie has done incredible, substantial, and landscape-shifting work in this space.
Nevertheless, I also think that Moxie can provide a few more details and thoughts that will be hugely helpful to the community in thinking through the coming years of IM security.
Specifically, I will quote the comment I made in the other article, addressing Moxie directly:
Moxie,
I think it's fair to say that you are the world thought leader on these matters right now.
One thing that the rest of us are wondering right now is:
> (Quoting Moxie, in response to my comment) I've been impressed with the level of care that WhatsApp has given to that requirement.
To what degree do you really know that? Is there a place where we can read about your interactions with Facebook, the level of access they've given you, and the degree to which they have allowed your recommendations to shape the contours of their implementation?
Nothing less than the strength of dissent lies in the balance of questions like these.
> I think we should all remain open to ideas about how we can improve this UX within the limits a mass market product has to operate within, but that's very different from labeling this a "backdoor."
I agree that the jump to scary terminology is dangerous.
However, at the end of the day, I think that many of us have been trying to make a simple point that shows that there is a sort of crossing of that line:
WhatsApp claimed that they were simply unable to intercept communications, and now we find out that, without any user interaction or approval, messages which haven't received the "double check" are re-transmitted when a new key is generated.
So look: nobody here is trying to diminish your tireless work and your accomplishments in bringing freedom into the information age.
But there are nuances here that are important, and fleshing them out is a big part of what this community is about.