207 comments

[ 4.8 ms ] story [ 121 ms ] thread
Note that the Guardian has published multiple stories about this fake issue, and seems to be doubling down on its coverage: https://www.theguardian.com/technology/whatsapp

The list of names at the end of Zeynep's article is pretty much a who's who of people you don't want to be publicly called wrong by when reporting on security.

This is not a fake issue.
Neither was the Johnny Can't Encrypt issue. Now 1/7th of humanity is using E2E encryption. Making that happen involved some "security" vs usability tradeoffs

(see my response here for the explanation of the scare quotes on security: https://news.ycombinator.com/item?id=13445337)

(comment deleted)
Neither is the fact that vaccines can sometimes make you sick or kill you.

But putting "VACCINES CAN KILL" as a headline in a mass-circulation paper would be just as wrong, and for the same reasons.

>But putting "VACCINES CAN KILL" as a headline in a mass-circulation paper would be just as wrong

So you admit it's true, but it's wrong to write it as a headline?

It's interesting to see people put their head in the sand regarding the Signal/Whatsapp security flaws.

The people who signed this letter are the who's who of the study of cryptographic backdoors. What makes you believe you understand this subject better than they do?
You've repeated this sentiment several times (and I believe you are right), but isn't it an appeal to authority?
There's nothing wrong with citing topical experts.

The "appeal to authority" fallacy occurs when someone is cited outside their area of expertise or is not an expert.

Yep, this exactly. Most books dealing with logic and fallacies now list it as "Appeal to unqualified authority" or similar.
I don't think the word "qualified" to qualify the word "authority" makes the appeal to auhority fallacy any truer. Most appeals to authority are actually to qualified authorities - the fallacy is neglecting to provide any reasoning behind the decision. In fact the authority may not have even intended their statement to indicate great certainty, or they may have been influenced by sociological phenomena.

Qualified authorities in one century may be shown to be completely wrong. For example bloodletting, phlogiston, or even the age of the earth before radioactivity was discovered. Feynman talks about this... how the number stays close to the others until finally they jump to the right one.

"A new scientific truth does not triumph by convincing its opponents and making them see the light, but rather because its opponents eventually die, and a new generation grows up that is familiar with it." - Max Planck

(delete)
I would say it's not that he's incorrect more that he's off-topic. The changing of truth doesn't really have anything at all to do with an appeal to authority fallacy because said fallacy is based on the thoughts of the time. We can't possibly know how scientists are going to think 150 years from now, so we can't appeal to their authority.

So while, yes, he is accurate that our knowledge of the world around us and of Science changes over time, that has nothing to do with the fallacies we're discussing.

Looks like you got downvoted also. I wonder if downvoters run in packs. I expect them to downvote this and not reply with any reason to either post.

EDIT: I was right :)

I downvoted this one just to push your buttons (it's a pune!). I didn't vote either way on the other comments.
Nobody owes you a reason for disagreeing with you and simply downvoting. The site guidelines do ask you not to go on about downvoting, though.
Because once you defunct the bad argument, and concisely prove that arguments from authorizity are illegitimate the next step is to silence the person with force. His comments are dead and they are entirely reasonable.

Look up the history of the argument from authority, it is explicitly used by those in power to reject those not in power. It has nothing to do with whoever claims whether an expertise is legitimate or not.

Edit:

You're right, only one dead comment, the substantive one is just whited out to illegitibility because he dare has the teremity to challenge the crypto experts.

Look, the people who signed the statement make up like 30% of this thread, it's completely rediculous, they are here to control dissent and flag and down vote those who challenge their authority.HN certainly isn't a place to have an open and free discussion when there's such an obvious gap in power and equality between users.

He has one dead comment which just complains about downvoting and contains no argument. I'm not sure what you mean by 'defunct'.
(comment deleted)
Yeah, but for every Einstein there are 10^8 cranks.
Situations where you are right and the top experts in a field are wrong are rare, and should make you take pause. Moreover, these people are not arguing "because I said so", but giving a very long list of falsifiable reasons to back their claims.
Appeal to authority is not nothing. If there is a complicated issue and a majority of credible authorities on the subject agree on some conclusion, I should accept it unless I have studied it enough (advanced degree in the right field + study up on all recent publications/results) to be sure I know everything they know and fully understand their reasoning.

"use whatsapp" is the correct recommendation for everyone who is not ready to use opsec recommendations from grugq, same as "TLS everywhere" is a very good recommendation regardless of all the issues we know about TLS.

Let's make pervasive passive collection impossible. Then we can work on stuff like endpoint security for everyone.

Note that the grugq signed the letter as well.
I'll point out none of the security researchers in the article dispute the vulnerability is as described. They simply took issue with the appeal to leave WhatsApp as a result of the presence of the vuln. They essentially said, Yes, it's less secure to do it this way, but we think it's more important to make sure messages get delivered than to ensure absolute security.
> I'll point out none of the security researchers in the article dispute the vulnerability is as described.

Just so you know, tptacek signed this letter. I did as well.

Calling it a backdoor was outright dishonest. I've written backdoors. I even won a cryptography backdoor contest at DEFCON with one of my designs.

https://underhandedcrypto.com/2015/08/08/crypto-privacy-vill...

https://paragonie.com/blog/2016/01/on-design-and-implementat...

If it's to be said that there is a vulnerability, then it is simply, "If there are any messages that haven't been delivered yet, and the recipient changes keys, the client will re-encrypt to the new public key before alerting."

Okay, a lot of security experts wouldn't make that trade-off, especially if they were trying to compete with Signal. But WhatsApp isn't a Signal competitor. The alternative means of contacting someone you'd normally use WhatsApp for is SMS, because that's what people are using today.

Most WhatsApp users aren't interested in encryption. It just works for them. They may still need it, but they don't care about it.

Even if you could exploit this, you get:

  - Any undelivered messages (if any)
  - No past messages
  - No stealth either; the user does get alerted
So, yes, we do dispute the vulnerability is as described, especially when it was called a backdoor.
I stand by my assertion that the vulnerability exists exactly as described. You have said nothing that disputes that. If I understand you correctly, you take issue specifically with the characterization of the vulnerability as a 'backdoor', which suggests intent. I don't know the dev's intent, so I'm unable to speak to the validity of that characterization in that context. That said, the Guardian corrected the story in this regard, and the text now reads 'vulnerability', which I think we all can agree on.

WhatsApp is not a secure communications platform. Claiming otherwise is disingenuous.

- No stealth either; the user does get alerted

IF the user opts in, they have the option of being notified. Most users do not know this option exists or care to enable it, so I'm not sure the above is strictly true.

It's a vulnerability. The article says only that it "could be used by government agencies as a backdoor", which is true of almost any vulnerability. If a vulnerability exists in a given cryptosystem then to a large extent it doesn't matter whether it's there by accident or design. At least, that's been the security community's line for decades prior to this particular incident.
It still feels weird to have security experts characterize WhatsApp's choice as acceptable; it feels off to attribute its success around the rare occurence that a message could need to be resent.

I think the over-reaction to the stance of the security community is that it gives the vibe that the flaw is minimized. For the layman, every security flaw, every vulnerability is a totally obscure, incomprehensible jargon-filled techno mumbo-jumbo. Now we have the case that sometimes the experts go wild over the dangers of a flaw, sometimes they say "Ah, better than nothing". It gives the impression that WhatsApp is been let off the hook.

I think the argument would have been better framed by stating simply that WhatsApp's decision is a security flaw, that it should be fixed from a security POV, but it's still better than most alternatives and leave it at that.

That whole dance about it being an acceptable compromise would have been better off omitted. The letter commits the same error as the Guardian: in trying to be too comprehensive and precise, it muddies its point.

> It still feels weird to have security experts characterize WhatsApp's choice as acceptable;

They're not acceptable in general.

They're acceptable within the context of the problem they are trying to solve, which isn't "make crypto nerds happy". Their users, by and large, know absolutely nothing about cryptography. Any attempt to add key verification will either:

  - Spook them
  - Intimidate them
  - Confuse them
  - Make them move to an insecure platform that their contacts
    already use; i.e. SMS
  - All of the above
You're saying the entire security community has put its head in the sand. Why do you think the top people in the field have signed this letter? I'm asking sincerely. What do you think you understand that they're missing?
I haven't heard or investigated much about this issue. But I want to ask about the general question.

If something is actually true, then why is it preferable not to say it publicly (including in a headline)? As long as the qualifying statements are made alongside it (eg probabilities)?

Why should governments have so much classified information and secrets? What if they just operated entirely transparently? (Except for short term tactics for raids and investigations of suspected criminals and terrorists.)

> If something is actually true, then why is it preferable not to say it publicly

Heavily de-contextualised true information can be just as misleading as actual lies. Hence the vaccine example.

What context needs to be given except for probability for which the statement "can" becomes "does"?

The probability can be conditioned on some relevant assumption to make the story sensationalized. But as long as the probability and assumption is clearly spelled out, I don't see what other context should be required for PUBLIC disclosure. Maybe also the total incidence number.

For example: Jihadist terrorists can kill you! With a 0.001% probability for every hour you spend in a large crowd. It has happened in two crowds so far.

Or: 97% of climate scientists agree the rise in greenhouse gases is mostly attributable to human activities. That is 97% of 35 PEOPLE in the world.

Some people are allergic to vaccines. That's a real story, too. But none of us have any trouble seeing the problem if The Guardian runs an RFK Jr. story saying "Vaccines Might Kill You".
Since when have you ever seen a probability in a newspaper?

(the climate scientist number is probably closer to 35,000; and when talking of surveys and samples, reporting the sample size causes everyone not professionally trained in statistics - that is, almost everyone - to underestimate the "power" of the survey.)

> Heavily de-contextualised true information can be just as misleading as actual lies.

Don't they end up being lies of omission at that point?

I think the vaccine analogy is really helpful here. You can make true statements, like "vaccines can kill you", that cause massive public harm if they're not correctly contextualized.

People come away thinking "vaccines are bad". In this case, the Guardian put the tech equivalent of "vaccines can kill you" in a headline.

A conspiracy theorist would say that it sounds like a hit piece, as if the Guardian has been nudged by some higher power to slander WhatsApp in an attempt to push their general readership to drop E2E encrypted messaging altogether, because the "more secure" options are too difficult or less popular. The Guardian in particular would be chosen because of its normally accurate and privacy-conscious coverage in the past; i.e. it has street cred among activists and others who wish to communicate securely and privately.

A realist would, however, see this as a news outlet unable to own their mistake and instead doubling down as you said, in a failed attempt to save face. A journalist wrote this story seemingly by the seat of her pants, and her employer is on a noble if misguided campaign to defend her article.

I'm taking the realist path on this one; I don't think there's any grand conspiracy behind their baffling decision to stand behind obviously shoddy reporting. The fact that so many top security researchers -- who certainly aren't going to be influenced by any particular government or corporate interest -- are calling for a retraction is all the assurance I need that the story is baseless and the Guardian is inexplicably enjoying the taste of shoe leather.

I take the realist path too, but if this kind of negligent disinformation succeeds, people who do want to discredit secure apps will notice and remember.
Maciej, I have tremendous respect for you. What follows is a long post, so please don't feel like I am beating up on you - I am responding to a few things in this thread.

---

This wasn't negligent disinformation (post-revision of the usage of 'backdoor') on the part of the Guardian. The reaction to the information presented on the part of the public - to switch to SMS in significant numbers - was irrational.

That said, there is a productive issue raised by the Guardian that has been smoked out into the open, namely the revelation of two contradictory assumptions underlying the decision, as discussed by Moxie in the previous HN thread, to defend against state level snooping.

The rationale goes a bit like this: 1 - People change keys in the regular course of using Whatsapp. It therefore needs to accept that without impeding usability.

2 - Most users do not care about security enough to prefer one service to another for the Whatsapp market segment - Those users use Signal or other offerings.

3 - Whatsapp's lack of 'post consent' resending is intentional, and designed to prevent the server from knowing who is monitoring the status of their keys.

4 - As such, Whatsapp effectively defends against dragnet surveillance! As security minded individuals will note inappropriate key changes once a MITM attack begins, confer, and determine they have been compromised at scale.

The key flaw here is that 2 and 3 mean that for targeted surveillance, powerful attackers are unlikely to be uncovered while exfiltrating specific communications, and likely don't see very much reputational or legal risk to potentially triggering a key change event.

So people are vulnerable to feasible, targeted message exfiltration, contrary to what they may have believed when E2E was rolled out. That's newsworthy.

The fact that the security community is striking back makes me feel like they are circling the wagons now that the Guardian has caught them with their pants down - They should have been the ones raising these issues and providing the appropriate framing to protect the public.

The thing the Guardian did that was really unforgivably bad is not canvass expert opinion. They didn't even care that 'backdoor' has a specific technical meaning, they just stuck it in the headline and then edited it out after getting called out.
I think this is a valid concern, but one that applies to most media. In my field, I often see pieces circulated which are incorrect with facts sourced from less precise colleagues of mine.

I don't believe the piece was not 'newsworthy', though, and I believe the security industry's response should have been one of collaboration rather than admonition - it leaves a bad taste in my mouth to see an industry with a clear communication problem striking at their best potential ally. The Guardian are not the 'bad guys' for trying to inform us of a vulnerability.

> The Guardian are not the 'bad guys' for trying to inform us of a vulnerability.

This is my ultimate takeaway as well; their intent was good, it was their implementation that fell short. I'm just really bothered that they are unwilling to own their mistake and retract the article, or at the very least allow a counter-editorial to be written and published by them.

They've offered to publish a counter-editorial. But that would just lead to a headline like "Experts Divided Over Critical WhatsApp Vulnerability".

They need to retract.

Doesn't help that editorial standards in general have taken a nose dive lately, with people spreading random anonymous rumors as "news." The first thing I do when I read a story any more is look for what sources of information they draw upon and whether or not they can be corroborated by any means.

If your list of sources is full of anonymous rumors and things that can't be fact checked, or other stories with poor sourcing, I ignore the entire article and its conclusions. It's an interesting exercise for how you consume news (and especially "news") and I recommend it to everyone.

That's part of what makes reading purely technical discussions so much more enjoyable. We're not talking about random internet rumors, we talk about code and anyone with a compiler, debugger, etc. can verify things directly. There's much less room for BS, because someone can call you on it and prove you wrong in ways that everyone can verify independently.

But if you were such a person, would you really think "oh, well, then I'm better off using nothing at all because what I was using has a potential exploit"?
Are you one of the 80% who don't want to eat food containing DNA?
> so many top security researchers -- who certainly aren't going to be influenced by any particular government or corporate interest

What makes you so sure? The Guardian is fundamentally devoted to reporting the truth even - especially - when it's hostile to the government - the organisation is structured deliberately to ensure its independence. Can the quoted experts say the same about their payroll?

Just live in the UK a while, and you'll see it's completely normal. The Guardian has link-baity headlines all the time, that grossly exaggerate stories. Pretty much all newspapers in the U.K. do this, save for the BBC. If it wasn't for the Snowden reveals, I'd consider the Guardian just another junk partisan newspaper.
> The design decision referenced in the Guardian story prevents millions of messages from being lost

So it's a classic tradeoff - convenience vs. security, and the Guardian story correctly reported it.

> and WhatsApp offers people security notifications to alert them to potential security risks.

which is not enabled by default.

Sounds to me like apart from the hyperbolic use of the word "backdoor" (which apparently has now been removed), The Guardian is in the clear here.

The Guardian headlines (which are still up right now, see https://www.theguardian.com/technology/whatsapp) refer to an "encryption vulnerability" and "security flaw". These are demonstrably false statements, as the letter explains in detail.

The Guardian needs to retract and sanction its editor. The story is journalistic malpractice and puts people at risk.

This is not about word use, but about publishing stories that are already causing people in high-risk places to move off of a secure messenger to SMS.

SMS isn't the only alternative. People who are worried about encryption also won't use SMS.

Signal doesn't make that bad trade-off, for example. There are viable alternatives.

Read the letter in full (I'm not being flippant, I mean it sincerely), as it addresses this exact issue.

There's empirical evidence that people switch off to SMS. In places like Egypt, people share phones, swap SIM cards routinely, and Signal's nondelivery behavior is a non-starter. Zeynep does research on this and has written a lot about it; it's fascinating (and depressing) reading.

The point is that these are not hypothetical scare scenarios. We have the data and that's why it's so urgent to chastise this kind of reckless coverage.

You don't understand the concern. People who are worried about encryption by and large weren't using WhatsApp to begin with. The problem is people who aren't worried about encryption, but should be, and were being silently and effectively helped by WhatsApp's Signal Protocol feature.

The only message those people are getting is "WHATSAPP BAD, SWITCH". And switch they are, but not to Signal (none of their friends on are on Signal). Nope, they're adopting insecure alternatives, where they can actually talk to their peers.

If people aren't worried about encryption why are they switching?
Because people are telling them that WhatsApp is backdoored and that they should switch. They don't know anything about cryptography, but they're not idiots: they know what "bad" means.
(comment deleted)
It is a security flaw; it's probably not a backdoor.

The flaw is as follows: I'm trying to send you a message, but your phone is offline and lost. When you get a new phone, your key has changed, but WhatsApp will deliver my message before informing me of the key change. This applies also to calls and such (which shouldn't be "delivered" if the other person is offline).

Why could this be bad? WhatsApp could exploit it as follows (maybe under orders from the govt.):

1) Make it seem like a user lost their phone.

2) Wait for a message to be delivered to the user's account.

3) Bring the user back online with a new key (generated by WhatsApp themselves).

4) Read the "encrypted" message.

It's a real vulnerability in the protocol, but the severity depends on your threat model. As I said above, this might be an acceptable trade off for messaging, but not for things like calls, where if the user is offline you don't want the call to go through anyway. All this has been pointed out clearly by the student who discovered it.

It's a security/usability trade-off, not a flaw.

Making Signal show white-on-white text would make it more secure against attackers reading over your shoulder. So why doesn't Signal do that?

These are legitimate trade-offs that the Guardian is portraying as vulnerabilities.

You're being facetious here with the strawman; this is clearly a choice in the protocol that exposes something that is not exposed by, say, Signal. Even if it is a deliberate choice, it doesn't necessarily make it not a flaw; as I said, it depends on your threat model.

Anyway, I don't think it's a reasonable choice. How any times do people change phones?!? Even if you're rich you don't do that more than once a year. It doesn't happen often enough for the user to become "accustomed" to warnings and simply click through them.

I'm not joking here, or making a strawman argument. You could make Signal show white-on-white, so the recipient had to select text to see it.

But you don't, because shoulder surfing is not the threat model for Signal. And individually targeted MITM attacks by governments that can take over a server are not the threat model for WhatsApp.

What's the point of E2E encryption if MITM attacks are not in the threat model?
The point of WhatsApp isn't E2E Encryption. The point of WhatsApp is reliability. The E2EE was an extra.

If it even works to enhance the privacy of 0.1% of users, it's helped a million people in ways that SMS has not.

Adding E2E encryption and advertising based upon that if you're not taking it seriously is a disservice to the users.
You know, I've always liked your writing a whole lot. However your behavior in reaction to this story seems bizarre to me.

I see all these people come in defense of WhatsApp using bizarre statistics about domestic violence (big correlation with hacking?). Then someone (tptacek?) was going around saying not a single crypto expert disagrees with their consensus (trucking all over the original source, Tobias Boelter). Then there are all these jokey "Is WhatsApp Backdoored Yet?" expressions. It's a frenzy.

There seem to be a whole bunch of people who take The Guardian article as "omg, after this article, people will drop WhatsApp and use something like Messenger instead!". Which, sure enough, maybe a common scenario, and worse. However, the article was obviously meant to push people outside of Facebook gardens, and into a more secure alternative. It's supposed to make you go "WhatsApp is unsafe, I will use Signal instead". One of those "trade-offs" you're talking about in the first place, just like the security vs. purity one. In this case, erring on the side of activism.

As a sideline observer with very little crypto knowledge, I think Boelter presented an interesting case, while the anti-Guardian crowd reacted like crazy people, pulling fire alarms, hurling insults, and Streisand-effect-ing the story into a huge controversy.

I mean, the EFF article itself, in defense of WhatsApp and against The Guardian, says:

https://www.eff.org/deeplinks/2017/01/google-launches-key-tr...

> If you are a high-risk user whose safety might be compromised by a single revealed message, you may want to consider alternative applications. As we mention in our Surveillance Self-Defense guides for Android and iOS, we don't currently recommend WhatsApp for secure communications.

It goes on to qualify this statement by saying that's a rare threat model. However, that right there, is enough to justify the original piece. The idea, I think, is that everyone should be on something like Signal, so that merely using Signal wouldn't be taken as a reason for suspicion. If you disagree, your argument could surely be better than jokes about white text.

Just my two cents as a nobody.

I'm not sure why you're taking the white text example as a joke.
Weird to have such a bad interaction with one of my minor personal heroes. Shucks I guess!
How unethical is this, for this group of so-so around sensationalist bloggers led by Zeynep Tufekci (tptacek?) whom I would not dare to call real cryptography specialists (and this is whom they are in my eyes, none of them is a person with a worthy math/crypto research background) to solicit opinions of reputable bodies on this crypto hole, and then twist and editorialize all of that to suit their message that this crypto hole is not a crypto hole
How far does one push that, though? Shouldn't a secure mode go pretty far into the secure side of the security/usability balance?

Honestly, would a 'recipient key changed; resend message?' be the worst prompt in the world?

It does not depends on a threat model. It works like that: a company sysadmins's being given a rubberhose cryptoanalysis until he compromises company's server. Than, all of that 1bn user r pwned.

No company is immune from that: google lost data to a sysadmin who was blackmailed in 2012, facebook regularly fires staff for snooping on users, etc

It does not depends on a threat model. It works like that: a company sysadmins's being given a rubberhose cryptoanalysis until he compromises company's server. Than, all of that 1bn user r pwned.

No company is immune from that: google lost data to a sysadmin who was blackmailed in 2012, facebook regularly fires staff for snooping on users, etc

It is a vulnerability and it is a flaw. Do you think this is the first time a group of authoritative experts have tried to claim to the Guardian that their truth-telling is not in the public interest?
When has this particular group of experts previously claimed that the Guardian's "truth-telling" is not in the public interest?
I'm not saying it's the same group of experts. I'm saying think how it looks from the Guardian's side.
>refer to an "encryption vulnerability" and "security flaw". These are s, as the letter explains in detail.

Referrence to a clear demonstration of a security vulburability in the protocol as a lie, is a demonstrably false statement

Most key change events are innocuous, so a key change in and of itself carries much more noise than signal, in the same way most HTTPS errors are not MitM attacks but misconfigurations.

Asking the proverbial Johnny to make a security decision each time happens will result in alert fatigue. The overwhelming majority of users will always accept the new key because they just want the app to work.

They are not a magical panacea that makes MitM attacks go away. There are two good solutions to this for users who care, however:

  - Verify keys with each other in person
  - Move to Key Transparency / CONIKS-like systems for auditing key servers
>in the same way most HTTPS errors are not MitM attacks but misconfigurations.

It's interesting that you make this comparison. For a while now I've been of the position that web browsers should scrap all TLS user interface stuff (padlocks, green bars, invalid cert warnings, self signed cert warnings etc), because it doesn't communicate any information that the average user can make any use of.

It's only one aspect of what makes a site 'secure' for users, and probably one of the far less important ones. The vast majority of attacks on users (info being stolen, malware being served etc) come from the site itself being compromised, not from MitM attacks by their ISP. The vast majority of warnings about bad certs are due to somebody forgetting to update it or config issues, not because of real MitM attacks. The vast majority of people just click through cert warnings. The padlock icon in the browser doesn't even do the one thing it promises since it's no guarantee that TLS is being applied all the way to the actual web server. XSS is a bigger threat to the average user but browsers don't warn about sites that aren't using CSP.

My theory is that browser devs always knew the padlock icon was bullshit snake oil, but they implemented it at the demand of the e-commerce industry. At the time it was difficult to get people to trust the web enough to enter their credit card details. Providing a meaningless 'security' icon was needed to bootstrap consumer trust in the industry.

The padlock isn't meaningless. It means you can submit passwords and credit card details without someone else in the internet cafe sniffing your traffic. The only thing it doesn't do is it doesn't protect you from MitM (or verify the legal identity of the entity you're talking to).

The green EV certificate stuff is what's supposed to tell you that you're safe from MitM and phishing, because you can verify the legal identity of the entity you're talking to.

Really the biggest problem is browsers like Chrome that use green padlock/text for DV certs, because that's misleading and either makes people trust the DV certs more than they should, or distrust EV certs. Safari does this much better, using a grey padlock (and no other text) for DV certs, and showing Green padlock + green text for EV certs.

I think you're mistaking the success of TLS for inefficacy.
The problem that the Guardian is complaining about is that, even if you enable the security notifications, they only appear after some of your messages have potentially been sent to the attacker. In the case of voice calls, the warning apparently only appears after the call ends!
This is how companies have learned to act.

Implement something for their benefit and the masses who don't care. When called out point to an a setting somewhere and call it a non-issue, "you can turn this on if you care". So they do what they want and can easily deflect all criticism. Facebook is not the first here and certainly not the last.

(comment deleted)
From the open letter on http://technosociology.org/?page_id=1687 :

> The behavior described in your article is not a backdoor in WhatsApp. This is the overwhelming consensus of the cryptography and security community. It is also the collective opinion of the cryptography professionals whose names appear below. The behavior you highlight is a measured tradeoff that poses a remote threat in return for real benefits that help keep users secure, as we will discuss in a moment.

What real benefits are gained from making it easy for ISP-level attackers to mount man-in-the-middle attacks? Security from your spouse snooping on your phone? What's the threat model here and why are these experts so adamant in minimizing the security risks?

Moxie went as far as to ignore the opt-in aspect of the (very benign looking) key change notification, but he's on the payroll. What's the motivation of the other experts in this sudden "overwhelming consensus"?

Some of the motivation is that users who need security tend to switch sims fairly often. If the messaging system doesn't deliver messages when that happens, they will stop using it.
Switching SIMs means switching accounts, because phone numbers are usernames, right? Why would the application hide this by default?

Also, why would the key change be hidden by default when the phone number doesn't change? This is the actual mechanism described by Tobias Boelter in his report: https://tobi.rocks/2016/04/whats-app-retransmission-vulnerab...

Is this done to facilitate the "same SIM, lost local storage" scenario? Then the phone number is not only username but also a password and anybody able to steal the phone (or just the number) can impersonate a WhatsApp user. Is this the level of security these experts are protecting?

The open letter answers your question. I'll flip it around on you: what makes you think you're seeing some important wrinkle of this problem that Matthew Green, Bruce Schneier, Matt Blaze, Steve Checkoway, Chris Palmer, Dave Adrian, Bart Preneel, Jonathan Zdziarski, Steve Bellovin, and Emin Gür Sirer aren't seeing? Many of these people study backdoors, and crypto backdoors in particular, practically full-time.
>Matthew Green, Bruce Schneier, Matt Blaze, Steve Checkoway, Chris Palmer, Dave Adrian, Bart Preneel, Jonathan Zdziarski, Steve Bellovin, and Emin Gür Sirer.

Some assorted bloggers and amateur cryptographers with big mouths and no serious crypto/math background like whom probably you are.

Their opinion worth not.

You have no idea what you're talking about.
The weird thing is that these days it's impossible to tell whether that was an ironic post or not.
> what makes you think you're seeing some important wrinkle of this problem that Matthew Green, Bruce Schneier, Matt Blaze, Steve Checkoway, Chris Palmer, Dave Adrian, Bart Preneel, Jonathan Zdziarski, Steve Bellovin, and Emin Gür Sirer aren't seeing?

The fact that you sound like activists instead of experts. I get it, Zeynep Tufekci convinced all of you that "freedom fighters" within the Gülen movement are in danger of switching to SMS and getting imprisoned, tortured and killed so you're panicking and asking for The Guardian to make an article disappear.

This attitude is not professional, though. I don't care that you all think that only the "good guys" have the capacity to pull off the man-in-the-middle attack using the exposed vulnerability. Sooner or later, the Turkish government (that controls ISPs) will figure out how to do it too and even the well-meaning armchair activist will get a few drops of blood on their hands.

You failed when you gave up everything you knew about security through obscurity and threat modelling just because you were startled by the plural of anecdote (how did you call it? empirical evidence?).

You failed when you started to say that a backdoor is not a backdoor because you wanted so bad for mainstream end-to-end encryption to make everybody secure by default. Even if it's just security theatre right now.

You failed, Ptacek, just like Schneier failed when he started to support the "Russia hacked the DNC" story when there was no evidence for it. Maybe in time you'll learn to practice what you preach and develop some sort of professional ethics.

Don't you just hate it when everybody else is wrong and you're the only person who's right?
Bruce Schneier:

"How serious this is depends on your threat model. If you are worried about the US government -- or any other government that can pressure Facebook -- snooping on your messages, then this is a small vulnerability. If not, then it's nothing to worry about."

https://www.schneier.com/blog/archives/2017/01/whatsapp_secu...

You don't have to wonder whether Schneier believes The Guardian should retract; he signed Zeynep's open letter.
"then this is a small vulnerability"

And then we were freaking out last week when a KCI was found in an open source project :)

(comment deleted)
A reminder, for people scratching their heads over how any legitimate-seeming criticism of the trade-off WhatsApp took could generate this much ire from this many experts:

WhatsApp has something like a billion users. Virtually none of them asked for end-to-end encryption. They don't know that they want it, but they got it anyways when Whisper worked with WhatsApp to add Signal Protocol to WhatsApp.

But just because they don't want it doesn't mean they don't need it. Many WhatsApp users badly need messaging security that works better than their alternatives. They don't know it, but with the flip of a switch, they got that security. More than anything else, this is why Dan Boneh and the RealWorldCrypto steering committee awarded Moxie Marlinspike and Trevor Perrin the Levchin crypto prize this year.

Comes now The Guardian with a story saying "WHATSAPP BACKDOORED, BAD, SWITCH". None of WhatsApp's users are close to being able to evaluate what that means. But they know what "bad" and "switch" means. And in the global-scale game of telephone we're all playing now, that's what they're doing. You don't have to wonder: Zeynep will tell you it's happening.

Nerds on Twitter are puzzled. Isn't this a good thing? Signal is even stricter about security than WhatsApp. Wouldn't it be better for all these people to be on Signal? WhatsApp users will in fact probably try installing Signal. They'll even use it for a couple minutes. But their peers aren't on Signal, and they're switching immediately to messengers where they can find their friends. Not WhatsApp, though: The Guardian (or their shrill uncle on Facebook) told them not to. Nope, they're switching to SMS.

State security services could not be happier about this. You can't buy this kind of PR for money; you have to spend security researcher vanity to get it. Zeynep will tell you about this too: there are state telecom and security apparatuses right now signal-boosting The Guardian's irresponsible report. And there are activists circulating warnings to switch from WhatsApp to other messengers. It's a disaster: the lie is outrunning us.

The Guardian must retract this story, clearly and loudly. There's a way to report on the tradeoffs WhatsApp made, but this wasn't it; this was "VACCINES MAY CAUSE AUTISM". Don't take my word for it: look at who signed the letter, including Matthew Green, Bruce Schneier, Matt Blaze, Steve Checkoway, Chris Palmer, Dave Adrian, Bart Preneel, Jonathan Zdziarski, Steve Bellovin, and Emin Gür Sirer.

> WhatsApp has something like a billion users. Virtually none of them asked for end-to-end encryption. They don't know that they want it, but they got it anyways when Whisper worked with WhatsApp to add Signal Protocol to WhatsApp.

> But just because they don't want it doesn't mean they don't need it. Many WhatsApp users badly need messaging security that works better than their alternatives. They don't know it, but with the flip of a switch, they got that security.

Most of them probably don't know they have it, either. This is a good thing: People can be safe without knowing how safe they are. The industry should be moving more people towards secure defaults.

Yes, security nerds will want something harder to attack in the middle. That's fine: They can build their own perfect security tools, and nobody will use them.

> There's a way to report on the tradeoffs WhatsApp made, but this wasn't it; this was "VACCINES MAY CAUSE AUTISM".

Let's look at what the Guardian actually wrote:

> A security vulnerability that can be used to allow Facebook and others to intercept and read encrypted messages has been found within its WhatsApp messaging service.

> Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff, ensuring privacy for its billion-plus users. But new research shows that the company could in fact read messages due to the way WhatsApp has implemented its end-to-end encryption protocol.

This is an accurate summary of the facts, expressed reasonably. The Guardian was right to report it. If people are really switching to even less secure services then I share your concern (though arguably people are safer using a known-insecure service than a service which claims more security than it actually has). But lying to the public or concealing research from them cannot possibly be the correct way to handle this and I will not endorse it. I guess I know who not to take any more security advice from.

How many people who actually work in this field can you find that agree with you that this was a reasonable way to write the story? Because there is an avalanche of expertise signing on to an open letter that specifically states the opposite. Who are your best authorities to cite?

But it gets worse for your argument.

First, the story The Guardian originally wrote is still there in the slug: "WhatsApp backdoor allows snooping on encrypted messages". That headline was the top story on HN for most of a day.

WhatsApp ran this story with a single technical source, and then peripheral color-commenting sources that weren't technical and were commenting based on the premise that the "backdoor" story had been vetted. As you can see, virtually all the expertise in the field disagrees with that premise.

How many authorities would it take you to convince you that up is down and white is black?

What I quoted from the Guardian article is true on its face, none of the experts denies that much. I don't know what has caused this bizarre departure from how researchers have responded to 20+ years of crypto flaws, because this time isn't any different. A crypto flaw is still a crypto flaw, and reporting the truth to the public is still the right thing. This is a "there are four lights" situation for me at this point.

> How many authorities would it take you to convince you that up is down and white is black?

One linguist armed with a very strong argument rooted in verifiable facts.

> WhatsApp ran this story with a single technical source, and then peripheral color-commenting sources that weren't technical and were commenting based on the premise that the "backdoor" story had been vetted. As you can see, virtually all the expertise in the field disagrees with that premise.

But this open letter doesn't disagree with any of the technical claims! The letter disputes a) the interpretation of Facebook's motives behind their technical decision b) the judgement regarding informing the public - both subjects on which the Guardian has far more expertise and reputation than any of the letter's signatories.

> WhatsApp has something like a billion users. Virtually none of them asked for end-to-end encryption.

As someone who uses PGP, but doesn't use WhatsApp this is the key piece of context that makes this a questionable trade-off instead of a crazy one. It would be better if the default was for there to be a notification and for there to be an option to disable resending messages on key change, but I can at least understand why they would sacrifice some security in order to make E2E encryption transparent to users who don't know they need it.

This is exactly right.

It is a good thing that there is both a messenger like Signal that tries to be ultra-strict about key changes and a messenger like WhatsApp that tries to be transparent about it. Signal's smaller user base of people interested in cryptography functions as a laboratory for crypto UX. WhatsApp, over the long term, can adopt the innovations that make sense, while Signal remains free to experiment.

That's why there's both Signal and WhatsApp, and why they don't directly interoperate.

exact. Now can we have this fixed as an opt-in option?
I can't believe how all these security experts are suggesting the Guardian retract a factually correct article because stupid users might switch from Whats App to SMS. Do you really think the average user is that stupid?

Maybe the Guardian article prompted thousands of people to learn more about cryptography? This is probably the first time many people have learned that a security protocol can have flaws.

To me it sounds like a bunch of security experts are angry that they weren't quoted in the most prominent security story of the year.

Maybe if you can't believe it, there's something about the situation that you haven't grasped. Consider the possibility that practically every expert in the field isn't wrong about this, and that you haven't come to some surprising new insight in the time you've given to thinking about that.
The average user does not know anything about encryption! But they have heard about hacking, so they know that if a popular paper is reporting something as insecure, they shouldn't use it. What will they use instead? Whatever is available, and the next most available messenger is SMS.

There are users who could literally (yes, literally) have their lives saved by using whatsapp rather than SMS. But because of this article, they won't. You don't have to take my word for that. Zeynep works with those people, and will tell you the same thing.

> Whatever is available, and the next most available messenger is SMS

I would argue that at this point it is either Messenger (facebook) or Snapchat.

> can't believe how all these security experts are suggesting the Guardian retract a factually correct article because stupid users might switch from Whats App to SMS. Do you really think the average user is that stupid?

The security experts you're complaining about are citing empirical evidence that people mostly switch back to SMS if they stop using WhatsApp. They are right, and you are wrong.

> Maybe the Guardian article prompted thousands of people to learn more about cryptography? This is probably the first time many people have learned that a security protocol can have flaws.

Everyone in this discussion agrees that there is no 100% correct answer here, and that this is all a question of tradeoffs. The security community wants the option that minimizes harm to the most people, and the Guardian's reporting is doing the opposite of that. Yes, a few people may have been more informed about cryptography. The overwhelming evidence is that many more people instead are switching to a less-secure alternative because they didn't understand what they were reading.

> To me it sounds like a bunch of security experts are angry that they weren't quoted in the most prominent security story of the year.

I don't know where to begin with this. You just told us not to assume the worst of ordinary people but seem happy to do that with domain experts.

Did you actually read the open letter?

There is no actual empirical evidence presented in the letter, just a paragraph with anecdotal evidence that people are unsure what to do, and assertions that the author's years of experience show that the Guardian's article has bad effects.

The letter complains that the journalist did not ask any established security researchers, and discredits the source as a 'single well meaning graduate student'.

I honestly don't understand why all these domain experts are getting so riled up over a single story; instead of welcoming the attention it brings, they are asking a paper to retract a factually correct article, because the presented flaw should be described as a sensible tradeoff, instead of as a back door.

> this was "VACCINES MAY CAUSE AUTISM"

No, this was "Oscillococcinum inefficient against influenza virus".

> Don't take my word for it: look at who signed the letter

You can do better than an appeal to authority. Talk about the threat model. Since the open letter's author is Turkish (but lives in USA), talk about an authoritarian Turkish government hunting down dissenters for serious repercussions. Is WhatsApp safe enough there?

Sorry lad, but most people I know of (and basically all use WA, are not privacy fanatics, or IT experts) saw the article, shrugged, and happily kept messaging (over WA). And even itsec guys I know did as much, after switching the notification option on (including me).

The only ones "too" excited about this article seem to be the guys who signed the letter (and you, if you are not part of that letter ;-))

According to an update to the Techcrunch article, The Guardian has offered Zeynep a chance to write a rebuttal.

> State security services could not be happier about this. You can't buy this kind of PR for money; you have to spend security researcher vanity to get it. Zeynep will tell you about this too: there are state telecom and security apparatuses right now signal-boosting The Guardian's irresponsible report. And there are activists circulating warnings to switch from WhatsApp to other messengers. It's a disaster: the lie is outrunning us.

Whoa, you are starting to sound like a wacky conspiracy theorist. It's not the first time media got a technologically difficult matter wrong. We just have to make sure a story getting it right dominates in the end.

The Guardian needs to make a full retraction, not publish additional articles.
I'm very surprised about the vigor. I can't remember any other time a group that I had mostly put down as levelheaded has been so on the barricades about one article. Even demanding a takedown. Because of what? Sensationalism over what is obviously a compromise, a blemish in the scheme. They did not fabricate it but blew it out of proportion. This entire brouhaha is more about ideology and politics than it is about technological facts. At least admit that part to yourself.
The funny thing is that they are now advocating for security through obscurity.
The logic behind this seems off?

Signal and whastapp have different behaviors regarding this. (Signal does not have the issue of re-sending messages as was previously reported here).

This letter signed by a lot of very serious security cryptographers means that there is a consensus among the community about the "best" behavior in terms of security, trade-offs, etc.

If there is indeed a consensus about what the "best" behavior is, then both Whatsapp and Signal should adopt this "best" behavior.

However Whatsapp and Signal do not have adopted the same behavior. So the consensus does not seem to be there, otherwise both Whatsap and Signal would have adopted the "best" consensual behavior.

So by first order logic... There is no consensus on this?

No, that's not what the consensus is about. Many of the people who signed this letter disagree about what the ideal UX of a secure messenger is.

It's not about ideal UX. Nobody knows what that UX is yet. WhatsApp is the first messenger with a world-scale userbase to tackle this problem; they're on the vanguard of work on this problem. Signal has a much smaller userbase and, importantly, that userbase adopts Signal specifically to get cryptographic security. Signal can innovate in different directions than WhatsApp, and WhatsApp can in the long term adopt the techniques Signal comes up with that actually work out.

It's a good thing that there is both a messenger that protects a billion people without them having to understand public key crypto and another messenger that protects a much smaller number of people but that also serves as a laboratory for crypto UX.

If you understand just one thing about the WhatsApp/Guardian dilemma, understand this: 99.99% of WhatsApp's users don't care about cryptographic security. They don't even know what that means. But that doesn't mean they don't need cryptographic security. Many of them need it badly whether they know it or not. But they're only going to use messengers that will allow them to talk to their peers, and none of their peers are on Signal. If you tell them WhatsApp is bad, they move to SMS.

The letter addresses this. The behavior is a trade-off, and you have to decide how to handle it.

For a product with a billion users, where the threat model is mass surveillance, it is a good trade-off to never drop messages.

For a product with more specialized users, who may be individually targeted, it is a good trade-off to not deliver buffered messages after a key change, and warn instead.

There is no "best" behavior in the abstract, you have to take into account the setting.

How do you know what a closed source app is doing? How do you know that they won't just go and change the code to send plain text messages to a log somewhere?
The same way you know whether any other app on your phone is doing that, regardless of whether its codebase is proprietary or GPL: you analyze the binary. Up-and-coming security researchers do this for sport in their spare time.
http://binary-auditing.com

Binaries aren't magic.

Binaries which have a client-server architecture certainly are.

Is the claim the full WhatsApp stack is open to regular indepedent third party security audits from multiple firms?

You don't need to know what the server does with your data if the client is encrypting it properly.

The client-server architecture is irrelevant here.

Read this, then flip the roles: https://paragonie.com/blog/2016/03/client-authenticity-is-no...

Reverse engineer the client-side app. You now know what the client-side app (the part that people want to be open source) is doing. You don't need to know what the server's code is doing.

Which is exactly the issue? At any time the server can request a key reset and have messages resent. I don't see how it is at all irrelevant since it is exactly what the cause is here.
The issue is that the client software being open source (rather than closed source) would do nothing to change the risk profile, so it's not worth bringing up.

If the client is open source: What the server is doing is irrelevant as long as the client is secure.

If the client is closed source: What the server is doing is irrelevant as long as the client is secure.

If the server can compromise the client, whether or not the client is open source does not matter.

People who believe that open source is a prerequisite for security are disregarding the entire discipline of reverse engineering which is a large chunk of software security expertise.

Interesting how the goal posts keep moving, meanwhile I get down votes and my comments are being removed.

Look you're wrong, you're wrong for multiple reasons and this happens all the time, especially in politics, where the so called experts reject the common sense of hobbyists, amateurs, and mere working stiffs like me who is merely a lowly sys admin.

Open source software allows anyone at anytime to conduct a security audit without advanced warning, open source allows you to access server and client side code equally, open source software doesn't require the additional work of de obsuficanting binaries, open source code can be forked and modified and tested easily, there are no additional barriers and anyone can pick it up and do it at any time, that makes open source software inheritly easier to test and verify.

Also large open source projects are more difficult to inflitrate with a back door, all a closed source project needs to do is modify some server side behavior that no one gets to see. Most closed source software lives on closed servers.

Sure closed source programs can be secure, can be trusted, and can be verified, but to pretend it isn't harder, sometimes impossible, and trivial to backdoor is to ignore history and common sense. You're wrong, it's okay to be wrong and if you need to take out your anger by flagging my remarks so they aren't seen then so be it.

There's a split in the HN community on this issue.

The split seems to be:

- Some people are OK with compromise for usability

- Others think being uncompromising is the only way to eventually achieve security. (This group is also, rightly imo, suspicious of WhatsApp/Facebook or any centralized product)

I do understand the latter mindset. Often the only way to get high security is dogged attention to detail, letting nothing slide. Attackers love to promote products which provide the illusion of security, but contain flaws or backdoors; and often the illusion of security is worse than nothing.

But I'm with the group that favors usability compromise here. Open source projects have successfully built high security products, but rarely gotten mass consumer adoption, precisely because of an unwillingness to make concessions to usability.

Without usability concessions, we end up with 30 character random login passwords - written on stickies on the terminal.

Even if you don't agree with the particular compromises in this case, please engage with those who do. There's no reason to think they are shills trying to undermine security. Favoring usability here is at least reasonable, with the same shared end goal of increased security for end users - this should be acknowledged, especially given the mass adoption success of WhatsApp/OWS.

If we don't care about being secure against an attacker who controls Facebook then what was the point of end-to-end encryption in the first place? If you're going to "compromise" that far you might as well just use any number of centralised messengers with transport encryption.

> There's no reason to think they are shills trying to undermine security.

Moxie's comments about OpenPGP are ample reason. And in any case our response needs to be robust against the possibility that they are.

> this should be acknowledged, especially given the mass adoption success of WhatsApp/OWS.

The mass adoption is precisely why it's so important.

People aren't using WhatsApp to replace GPG with a carefully-curated web of trust. They're using it to replace SMS which can be surveilled both en masse by governments and telecoms, and surveilled by individuals savvy enough to set up a fake cell tower.

WhatsApp is an unqualified success in this regard. That it makes trade-offs unsuitable for dissidents of world governments does not diminish this.

To the extent that it's displacing SMS, great - anything with transport encryption is better than SMS. To the extent that it's displacing Skype/Facebook Messenger/..., meh - if it's not actually secure against a hostile Facebook (and they have no intention of fixing the flaw) then it's not really any better than anything that uses SSL. To the extent that people using it assume it's secure against a hostile Facebook when it isn't, that is terrible. Fake security is worse than no security.
> To the extent that it's displacing SMS, great

This is reassuringly the overwhelming majority of the market that WhatsApp is eating into.

> To the extent that it's displacing Skype/Facebook Messenger/..., meh

And in this case, it's at least not worse. Although I will argue it's still much better. As has been discussed elsewhere ad infinitum, this tradeoff in WhatsApp still allows savvy users to enable notifications. And the fact that some people will do this (and it stands to reason, the people who do this are precisely the ones who are likely to be targeted) is an effective deterrent for doing it at all.

> To the extent that people using it assume it's secure against a hostile Facebook when it isn't, that is terrible. Fake security is worse than no security.

Security is not a boolean. It is unequivocally more secure than Facebook Messenger, which we can assume is not E2E encrypted. Facebook or governments with appropriate authority can surveil this en masse. They can not do this for WhatsApp messages. Attempts to surveil these messages even at a small scale carry a high risk of tipping their hand that they're doing this surveillance at all.

1/7th of the world's population is now using E2E-encrypted messaging thanks to collaboration between WhatsApp and OWS. The number of people who need to consider Facebook or governments with control over it an active threat against them perhaps number in the hundreds to low thousands, and this affords good (if not perfect) protection even to them through a toggle, and some protection even to those who don't enable the toggle.

Anyone who is in this last group is either aware of these limitations, or is completely fucked anyway because achieving practical security against a determined, well-funded governmental adversary is frighteningly difficult and requires ongoing effort and attention.

> 1/7th of the world's population is now using E2E-encrypted messaging thanks to collaboration between WhatsApp and OWS. The number of people who need to consider Facebook or governments with control over it an active threat against them perhaps number in the hundreds to low thousands

Agreed, but those few are the only people for whom E2E-encrypted is a substantial advantage over transport-encrypted.

> Anyone who is in this last group is either aware of these limitations

Largely thanks to the good offices of the Guardian.

WhatsApp claimed to have true E2E security. And it doesn't. The public needed to be told.

> Agreed, but those few are the only people for whom E2E-encrypted is a substantial advantage over transport-encrypted.

I could not disagree more.

This is the difference between large-scale, passive, implicit surveillance of an entire population and small-scale, active, explicit interception of handfuls of individuals at best.

> WhatsApp claimed to have true E2E security. And it doesn't. The public needed to be told.

You have to stop treating security like it's a binary thing. Threat models are important. It does have E2E security, it just has a tradeoff that allows for the interception of a single message by a nation-state attacker, with the probability of this event being detected increasing dramatically with the number of users they do.

This is not even close the same thing as not having true E2E security.

> This is the difference between large-scale, passive, implicit surveillance of an entire population and small-scale, active, explicit interception of handfuls of individuals at best.

The large-scale passive surveillance you're talking about in the transport-encryption case could only be happening with the provider's cooperation. I can maybe see Facebook/Microsoft/etc. cooperating with the NSA in that way, but certainly not with the governments mentioned in the letter's rhetoric.

And note that a cooperating WhatsApp could do large-scale, passive, implicit surveillance of WhatsApp metadata and use that for targeting active attacks.

> You have to stop treating security like it's a binary thing. Threat models are important. It does have E2E security, it just has a tradeoff that allows for the interception of a single message by a nation-state attacker, with the probability of this event being detected increasing dramatically with the number of users they do.

An attacker with control of WhatsApp could continue to MitM indefinitely, no? They would be detected only when the users met up and compared security codes, which I suspect even dissidents wouldn't be doing frequently.

I agree that WhatsApp is probably more secure, and certainly no less secure, than apps with zero effort at E2E (I more-or-less endorse the preference order given at https://copperhead.co/android/docs/usage_guide ). But this is a real vulnerability that makes WhatsApp substantially less secure than was previously thought and claimed, and substantially less secure than what someone who just heard "end-to-end encrypted" would expect. It needed to be publicised.

> If we don't care about being secure against an attacker who controls Facebook then what was the point of end-to-end encryption in the first place?

As a user of WhatsApp, I'd prefer if it was fully robustly end-to-end encrypted, in an auditable App, if it was still usable enough I could talk to my family with it. I think all the more privacy conscious folk on HN could agree with that ideal. But I don't think we (yet) know how to achieve that ideal. [The hard part being getting family/friends on it reliably].

What is on offer is: End-to-end encryption which has some usability tradeoffs, that leaves it vulnerable to[0]:

- A code backdoor of some form in the App

- [As in this issue] an attack where the server MITMs it in limited circumstances by switching recipient keys for undelivered messages.

First off, this secures against mass passive monitoring on the wire, or even in the internal data center infrastructure, which the non-e2e transport encryption you mention does not.

Second, exploiting either of these issues en masse would run the risk of FB/WhatsApp getting caught. Maybe through a black-box audit of the App, or someone detects mass MITM'ing because they have key change notifications turned on. [Lets leave out the scenario of someone internal leaking what's happening.]

So my best judgement, as a user, is that these attacks are not likely to be happening en masse, because they would result in a large business risk to WhatsApp.

> If you're going to "compromise" that far you might as well just use any number of centralised messengers with transport encryption.

In that case [without e2e] the server would see all the messages in the clear. Absent a leak, there's no way they would be caught supporting a mass-monitoring program. They could allow their infrastructure to be passively monitored, giving plausible deniability while cooperating. That's clearly a different threat model.

I don't see why WhatsApp would have introduced this feature, and then compromised it in a way that risks getting caught. That would be a huge business risk for dubious benefit.

I could see they could be forced to do an attack on a limited number of individuals, risking getting caught. Again, I'm hoping that is an expensive enough business risk that it doesn't happen often, if ever.

But in this model, 1B peoples messages will be secure the vast majority of the time against pervasive monitoring.

[0] based on my understanding of these issues; obviously as a spectator I don't claim to have an exhaustive list of vulnerabilities/issues.

The Guardian is a fake news website. Of course they won't pull it.
The Guardian has trained and experienced reporters, a code of conduct to keep them honest, subeditors who are also fact checkers, and an ombudsman (Readers' editor) with independent power to cross check and correct mistakes. It's also owned by a charitable trust, and is under no obligation to publish the lies preferred by its non-existent fat-cat proprietor.

Calling it a fake new site says more about you than it says about the Guardian.

None of that changes anything about the fact that they regularly publish half-truths or outright lies, though. As is the case in this situation.

There's a big gap between theory and practice.

A small gap, which is hardly unusual given that humans are not perfect. It's still not a fake news site. There are plenty of those, and telling lies about the Guardian doesn't help anyone.
The vulnerability in WhatsApp was correctly described by the Guardian. Signal is more secure and does not have this vulnerability. How, exactly is suggesting users migrate to a more secure messaging platform misleading in any way?
Because, once again, the billion-plus WhatsApp users don't use WhatsApp because they care about cryptography; they use it because it's the most dependable method they have to communicate with their peer group. If The Guardian tells them to switch to Signal because WhatsApp is bad, they'll use Signal for 4 minutes before switching to SMS --- which is what's actually happening.
So, we agree that calling this a 'fake' article is itself misleading. We also agree that Signal is a more secure alternative. Your position is essentially 'people cant be trusted with accurate information, you have to dumb it down so they can make the "right" choice based on the limited information they can absorb, so the Guardian should apologize and retract their accurate story.'
Does this kind of rhetoric work for you in other venues?
Non-experts can't be expected to make an accurate evaluation of the UX trade-offs in handling buffered message delivery after a key change.

They trust that the Guardian, a highly reputable newspaper, has spoken to experts in the field, done the research, and made this evaluation, which it accurately reflected in the headline.

That trust is misplaced. That's why this is a fake story.

It's not a fake story. Every piece of information they presented is accurate. The Guardian did speak to experts in the field. I won't bore you with my credentials, but I agree with their assessment as well. Taking issue with the advice they give on UX grounds is one thing, but attacking the factual basis of the article is misguided.
I have to come back to the vaccine analogy. Running a story headlined "Common Vaccine Can Kill Your Children" would be factually accurate, too. Experts in the field would confirm that that can happen.

This is not a "well, actually" nerdfight. This is about putting real people in danger through egregiously irresponsible reporting.

So, basically, your argument is that 'People can not be trusted with information that may be nuanced, so instead news outlets should limit themselves to headlines that minimize risk.' Comparing the use of an app to a lifesaving medicine is, in my view, a gross mis-characterization. The article suggested a more secure alternative that we all agree is more secure. What's the issue?
I won't bore you with my credentials

No, please, do. None of us will be bored by this.

> We also agree that Signal is a more secure alternative.

Signal is only a more secure alternative in _some_ threat models. The most obvious counterexample is that, in some contexts, using WhatsApp marks you as a person who owns a smartphone, while using Signal marks you as a dissident. There are other contexts where losing messages while not being actively attacked (not even just due to this design decision; Signal ultimately just does not have as reliable infrastructure as WhatsApp) is more dangerous than WhatsApp's resend behavior.

As a Guardian supporting member, I'm forwarding this directly to their editorial complaints. There are other publications that deserve my money if the Guardian refuses to stop being sensationalist.
Thank you. This is really exactly what needs to happen. My understanding, thirdhand, is that The Guardian ran this story based on a single source; Moxie apparently tried to talk to them and was rebuffed.

The Guardian must retract this story, loudly and clearly.

Moreover, in the future, The Guardian and every outlet like it needs to understand that stories like this require more than one source. If you've got a legitimate story about a crypto backdoor in a popular product, security researchers will fall over themselves to comment on it.

As you can see in this case, they're falling over themselves to disavow it. In the last hour, we've added Collin Mulliner, Matt Blaze, Peter Honeyman (\o/), Chris Kanich, and Nicolas Christin --- and all we're doing is circulating the letter on Twitter. It'll pick up steam from there.

This is not a position The Guardian or any other major news outlet should ever find itself in. This situation is what the concept of "retraction" was invented to cover.

if Whatsapp can snoop on user conversations, their app is not a secure medium of communication. It has a security hole. IT IS INSECURE
if Whatsapp can snoop on user conversations, their app is not a secure medium of communication
It's not a backdoor, but it's not "not a protocol flaw" either. If The Guardian had reported it as a flaw in the protocol, would you have been okay with the coverage?
No. That's what their current reporting says, too. The reporting challenge here is the same as vaccine reporting: primum non nocere.
But the fact is that it is a protocol flaw (deliberate choice or not).

The Guardian should have inserted caveats stating that this flaw is highly unlikely to have been exploited, but I would argue that not telling the people of the flaw is as bad as telling them that it's backdoored.

And a small number of people really are allergic to vaccines. Primum non nocere. The Guardian failed, badly, and needs to retract loudly.
Even if they retracted, isn't the damage already done?

The problem with yellow journalism and sensationalism is that purportedly respectable institutions spin narratives that are dangerous.

I'd be curious to see some empirical data on the impact of this story, i.e. how many users switched from WhatsApp to Signal or vanilla SMS.

(comment deleted)
Thank you, you've inspired me to send a similar letter.

It's funny, I hadn't worked out that it's pointless to cancel a subscription if I don't first tell them why.

Ironically, if they fix this, you may have kept a subscriber with them who'd otherwise have left!

I'm not much for conspiracy theories, but it's interesting to note that The Guardian actually recommends people concerned about surveillance to stop using WhatsApp, without offering any alternatives.

>If you use WhatsApp as a way to avoid government surveillance due to its end-to-end encryption service, you should stop using it immediately.

In the wake of the UK snoopers charter having sailed through parliament, this seems odd. Occam's razor tells us that it's coincidence and bad reporting, but still.

State security services can't buy this kind of PR with money; only a cocktail of vanity and incompetence can do it.
Occam's razor is a good guide to avoid critical thinking.
TheGuardian was also one of the publications allowed access to the unfettered and uncensored Snowden documents.
The Guardian is a big place. Note that this article was written by a freelancer. It's not a coded signal to the readership to beware; it's an egregious error of editorial judgement, followed by doubling down to avoid admitting error.
Apparently some members are more equal than others since if I tried to post a dozen times in this thread I'd be banned. In fact posting this will likely result in flags and a banning.

Keep this in mind, how open and trustworthy can a discussion be when speech is so very privileged between members.

Guardian did good, now it will stirr things up. Now, even if WhatsAppers will disable retransmission, the amount of flame on the topic will ensure that they are labelled as backdoored until the end of days.

WhatsApp, please go down

The Guardian made a mistake. They mischaracterized the issue. Now they're trying to correct it and offering a forum for rebuttal. The comparison with vaccines is actually offensive to me as someone negatively affected by that controversy.

In general I want potential issues like this to be noted (when properly defined and characterized) and debated.

These experts are arguing that WhatsApp makes the best possible trade offs given their user base. I don't agree and think it's worthy of discussion. The tradeoff they refer to is really a UX/product design decision.

Why is the vaccine comparison offensive to you?
Andrew Wakefield's autism claims were not based on honest scientific research.

Do you think that Tobias Boelter faked his research?

That's what your comparison implies....

People are saying "VACCINES CAN KILL", not "VACCINES CAUSE AUTISM", FYI. One is true based on honest scientific research.

And headlining it that way in The Guardian would be just as grossly negligent as what they did.

I'm not referring to autism, but rare fatalities from vaccination due to things like anaphylactic shock. It is documented that they happen, and they are also a terrible reason not to vaccinate.
Rather old story. It was the Wakefield saga that kicked off the anti-vaxxing thing...
First Question:

Lets suppose I'm human right activist in Egypt. If I enabled security notification in WhatsApp and other person's phone is captured by authorities but they cannot unlock it so they make it that user lost their phone. Now, if I send the message to that user, is this message received by other party with warning that is not encrypted or it is not delivered at all?

Second Question:

Is there any guarantee that server cannot change settings on the client?

> Now, if I send the message to that user, is this message received by other party with warning that is not encrypted or it is not delivered at all?

It's delivered and then you see the warning.

> Is there any guarantee that server cannot change settings on the client?

No. Prior to this story I would have assumed there would at least be some risk of being caught by security professionals, but I guess the security community would be falling over itself to explain how the backdoor was an accident or a legitimate usability choice.

> other person's phone is captured by authorities but they cannot unlock it

They don't need to. They just take out the SIM card, put it in another phone, install WhatsApp and now they can impersonate that person.

When Apple said that iMessage uses end-to-end encryption, everyone started complaining that it's not real end-to-end since we have to trust Apple for key exchange.

Now we have the same thing with What's App: we have to trust them with the key exchange. It's marginally better, since they have an optional way to enable notifications after a key was changed.

I applaud the Guardian to run with the story. Whether to call it a back door / flaw / trade-off is just quarreling over semantics, when the important part is that you need to trust a central service.

If you want to be sure that noone can intercept your messages, use PGP or S/MIME, (preferably encrypting your message on an air-gapped computer)

Saying that we shouldn't worry about state-level actors is a bit naive after PRISM was revealed.

If you are doing something that someone in power might dislike, you should not rely on Whats App.

> Whether to call it a back door / flaw / trade-off is just quarreling over semantics

I think this is writing off a significant portion of the meta-story here, semantics matter very much in journalism. While the technical nuances of trust are important, they won't be understood or digested by the average reader. What will be remembered is the headline, which doesn't say "Whatsapp is as secure as iMessage" it just says "Whatsapp has a backdoor".

The story you tell is framed by the audience that's listening, and the framing the Guardian chose unfairly paints Whatsapp as not just secure, but less secure than alternatives by singling them out. That's not an accurate story.

I cannot believe many of the people here are appealing to authority. Stop all the bush and trump bashing then. I imagine none of the bashers have any clue on how to run a country. The politicians know "better", sp let's respect whatever they decide on our behalf.
back door

ˈˌbak ˈdô(ə)r/

noun

noun: backdoor

1. the door or entrance at the back of a building.

2. a feature or defect of a computer system that allows surreptitious unauthorized access to data.

Seems like a backdoor to me. The reality is that the way it is implemented allows a foreign government to see messages it is not supposed to see...and that is a defect. I thank the Guardian for taking the lead on this and bring this issue to light.

I posted this in the other[tm] thread earlier today: https://news.ycombinator.com/item?id=13442653

Basically everyone in this thread who are NOT signatories to the open letter could spend their time a lot worse than by listening to the segment with Alec Muffatt.

I may disagree with some of his opinions on the desired UX, but the technical details and threat model considerations are very thorough and thought out.

Reading this thread I want to be the Guardian, half of the comments assume >1 Billion of people are reading the Guardian and act on articles.
Word gets around. People attending the Women's March in DC got an email telling them not to use WhatsApp. We have evidence that people in authoritarian countries outside the US are moving off WhatsApp based on this article.

All it takes is a rumor.

Most comments here are like not reporting HTTPS certificate problems/MITM leakage with arguing that it's better to have HTTPS than not.

I wonder what people here would say if browsers would act with certificates the way WhatsApp handles key renewal.

We even discuss certificate pinning etc. in the web space.

I'm not sure if I understood the issue fully: Assuming both parties have the "show security warnings" setting enabled and take it seriously, but ignore the lack of "message delivered" checkmarks, can the attacker snoop on one message or multiple ones?

As soon as the message is delivered it cannot be resent anymore, but could the attacker refuse to provide the delivery confirmations, then perform the attack (getting all messages that weren't yet marked as delivered, potentially over a large timeframe, while also showing the warning)? If so, I'd say it is a thing to worry about.

A smart attacker could wait until one party is switching phones, so that the warning is not considered suspicious, and since they could swap the new-correct key in immediately afterwards, users would be likely to dismiss the missing checkmarks and double key-change notification (at least before this news was published).

Also, for phone calls, WhatsApp only shows the warning after the call.

I don't believe these are backdoors, but I'm surprised WhatsApp isn't taking it more seriously and trying to address it.