Security Experts Rebut The Guardian's Report That Claimed WhatsApp Has a Backdoor (gizmodo.com)
William Turton, writing for Gizmodo: This morning, the Guardian published a story with an alarming headline: "WhatsApp backdoor allows snooping on encrypted messages." If true, this would have massive implications for the security and privacy of WhatsApp's one-billion-plus users. Fortunately, there's no backdoor in WhatsApp, and according to Alec Muffett, an experienced security researcher who spoke to Gizmodo, the Guardian's story is a "major league fuckwittage." [...] Fredric Jacobs, who was the iOS developer at Open Whisper Systems, the collective that designed and maintains the Signal encryption protocol, and who most recently worked at Apple, said, "Nothing new. Of course, if you don't verify keys Signal/WhatsApp/... can man-in-the-middle your communications." "I characterize the threat posed by such reportage as being fear and uncertainty and doubt on an 'anti-vaccination' scale," Muffett, who previously worked on Facebook's engineering security infrastructure team, told Gizmodo. "It is not a bug, it is working as designed and someone is saying it's a 'flaw' and pretending it is earth shattering when in fact it is ignorable." The supposed "backdoor" the Guardian is describing is actually a feature working as intended, and it would require significant collaboration with Facebook to be able to snoop on and intercept someone's encrypted messages, something the company is extremely unlikely to do. "There's a feature in WhatsApp that -- when you swap phones, get a new phone, factory reset, whatever -- when you install WhatsApp freshly on the new phone and continue a conversation, the encryption keys get re-negotiated to accommodate the new phone," Muffett told Gizmodo. Other security experts and journalists have also criticized The Guardian's story.
Yeah both agree on the main points, actually (Score:5, Insightful)
Muffett is saying it's "major league fuckwittage", while acknowledging that the main point is true: Facebook could in fact intercept messages.
Jacobs says "well duh, if you send a message without verifying keys" - and Whatsapp does just that, automatically resends the message before you have a chance to verify the key.
Backdoor is working as intended. (Score:3)
>> It is not a bug, it is working as designed ...
Backdoor is working as intended. Nothing to see here. Move on. Yeah right.
He is talking about a legitimate feature in the protocol that has a reason to be here but is turned into a genuine backdoor by the WhatsApp application because WhatsApp does not let the user confirm new keys.
Compromise (Score:3)
It would be nice if The Guardian produced a list for the average person of the most popular software that has known backdoors like Skype, so people can see how compromised they are under pretext of "tackling terrorism".
Re: (Score:2, Insightful)
Does Skype even count as backdoored? It needs a new term, like glasshoused or NSAware.
Re: (Score:2)
IOW assume everything is compromised.
Re: (Score:3)
Not necessarily. If the endpoint is shown to be secure, and the keys are generated by the endpoint, and that the endpoint warns you when keys are changed, then all the MITM man can do undetected is to delete messages.
The MITM Man in this case is WhatsApp, and the US Gov.
Re: (Score:2)
Good i am having a webcam.
Re: (Score:2)
If alice trusts the provider to tell her that bob is bob and bob trusts the provider to tell him alice is alice then it's all too easy for the provider to pretend to be alice when talking to bob and pretend to be bob when talking to alice.
If you care about provider snooping then you need to use tools where you manage your own keys.
Re:Compromise (Score:5, Informative)
Different problem.
Yes, the provider could initiate a man-in-the-middle attack against all users from the start. However, let us assume that he didn't do that, for various reasons that are for a separate discussion.
In such a scenario, Alice's conversation with Bob is secure. It requires only the initial secure key exchange. Once that is complete, they are fine.
But with the backdoor of silent key-renegotiation, the provider can at any time decide that now they want to eavesdrop into this or that conversation. Say, because a government agency asked them nicely, or a FB employee looked up that woman he met last night in the database and found her WhatsApp number...
It is a different scenario with different ramifications.
Re: (Score:1)
>"provider can at any time decide that now they want to eavesdrop into this or that conversation"
and having hijacked one message in this scenario, what happens to the rest of the conversation? what happens to that message, too?
Re: (Score:2)
The difference here is that WhatsApp is implementing the end user software, and automatically accepts new certificates on behalf of the user.
Like when you accept broken certificates in your browser, except in this case the browser accepts it for you.
That's the definition of a backdoor.
Re: (Score:2)
If the provider manages the keys, you're toast.
So never never use WhatsApp.
Re: (Score:2)
That is what I was saying just without any of the technical details.
In a good system, the provider would not manage the keys. He would only provide the means for the initial key exchange (if for whatever reason he decides to not use DH).
Re:And Muffet is employed by? (Score:5, Informative)
Currently, since July, I am employed by nobody. And loving it.
Previously to that I worked at Facebook, built their Tor onion, and built Facebook Messenger E2E crypto.
So, I'm competent to comment, and beholden to nobody :-P
Re:And Muffet is employed by? (Score:5, Informative)
a) just check my twitter for proof - and my 4-digit Slashdot ID. :-)
b) i've built a reputation for 25 years, saying such things. Go dig up my USENET from 1991. Hasn't done me any harm that I care about, and it has done me measurable good when people see me commit to a set of values or a proposition with no "if", "and" or "but".
c) at least I'm funny. :-)
Re: (Score:1)
Why should we believe Facebook won't invest the time in being able to exploit this for eavesdropping? They already lied to regulators about not sharing data between itself and WhatsApp. It sounds extraordinarily naive to think they won't try to use this as a backdoor.
Re: (Score:2)
Because there are way better ways to drill holes in E2E than this, when in fact you own the codebase.
Re: (Score:1)
> by modifying the code
This is news?
Re: (Score:2)
1) Really, dude, go read my Twitter. I'll post this there.
2) It's not a backdoor. It has an off-switch. It would be a pain to exploit. It would be ugly, obvious and risky to exploit. If such snooping was sought, it would be done better.
https://twitter.com/AlecMuffet... [twitter.com]
Re: (Score:3)
"2) It's not a backdoor."
If facebook received an NSL or warrant, it could trivially trigger this "ugly, obvious, risky" mechanism and read "secure" traffic, with little if any visible sign at the sender / recipient.
It is a backdoor accessible to facebook or people who control it. That's bad enough.
Re: (Score:2)
>If facebook received an NSL or warrant, it could trivially trigger this "ugly, obvious, risky" mechanism and read "secure" traffic, with little if any visible sign at the sender / recipient.
(cough/) how about bunches of messages randomly going missing?
kindly go read this: https://whispersystems.org/blo... [whispersystems.org]
Re: (Score:1)
There probably are. Either way, if they really wanted to shutdown this backdoor talk they should change this behavior. Otherwise the only thing we have to go by is a non-binding "promise" from a known liar.
Re: (Score:1)
>Not convincing
I'd love you to explain to me an even more plausible way to implement a backdoor than "write one, properly."
Re: (Score:1)
So your comeback is that corporations would only write super-secure backdoors? That's a joke, right?
Re: (Score:2)
My comeback is that corporations which are held to be super-smart-and-sneaky one moment should not be assumed to be bone stupid the next.
Anti-vaccination (Score:2)
Wat? (Score:4, Insightful)
Well, first off, I'm going to be a little suspicious of experts who find fuckwittage in their dictionary, when a stupid cacahead reference will do. I dunno that taking a temper tantrum reassures me all that much.
My guideline is that if it is allowed, it is visible to someone who wants to see it badly enough.
Re: (Score:2)
That's racist. Well no it isn't but language such as that is a sign of upbringing and local colloquial language rather than a sign of intelligence or how much someone knows about a field.
But feel free to bias based on language rather than on fact.
Re: (Score:2)
That's racist.
Ah, a term used so much it is like saying "Scotch tape" or Xerox copy.
Well no it isn't but language such as that is a sign of upbringing and local colloquial language rather than a sign of intelligence or how much someone knows about a field.
But feel free to bias based on language rather than on fact.
Aren't you doing the exact same thing as you accuse me of doing? And facts are good, and highly indicated in this discussion. I approve. But "Fuckwittery" is rather difficult to prove as a fact. "fuckwittery" tells us about the person claiming it though.
Now I don't know about you, but if I'm trying to convince people that something is safe when someone else says it isn't, I'll probably use explanatory terms, and not call those folks w
"ignorable" (Score:1)
So it _is_ a backdoor (Score:1)
The supposed "backdoor" the Guardian is describing is actually a feature working as intended, and it would require significant collaboration with Facebook to be able to snoop on and intercept someone's encrypted messages, something the company is extremely unlikely to do
That sounds like a back door to me. Who trusts facebook anyway?
Re: (Score:2)
To use the usual paraphrasing of Mandy Rice Davies' immortal words "well he would say that wouldn't he?"
Re: (Score:1)
Exactly. They already lied about data sharing when buying WhatsApp in the first place. So why should anyone believe they wouldn't invest in the effort to exploit this hole? Are people still really so naive?
Re: (Score:1)
>"So why should anyone believe they wouldn't invest in the effort to exploit this hole"
Because it would be cheaper and far more secure, convenient and scalable to build a _real_ back door.
Re: (Score:1)
So then change this behavior and silence all the backdoor claims. That would seem to be less effort than all this spin doctoring and PR damage control. Sorry, the "promise" of a liar holds no merit.
Re: (Score:1)
Oh, prove a negative, you mean?
Re: (Score:1)
No, not at all. Fixing this specific behavior would be trivial to do. The fact that it's not being done so and you and others are trying to tell us to ignore it just trust that a data-mining company with a history of lying is absurd.
Re: (Score:1)
But Facebook is an honest company with no history of lying about things. It's not like their business is in data mining or anything. Also, they have no history of being a part of the government's mass surveillance apparatus. /s
Re: (Score:2)
Exactly. Denying there's a backdoor while acknowledging there is a backdoor, but they *promise* not to use it.. Hardly reassuring, and a pretty lousy rebuttal.
Re: (Score:1)
Considering how much spin doctoring is going on, the safer bet is that Facebook already is working on or already has completed the work to exploit this for eavesdropping.
"Fuckwittage" (Score:2)
The Guardian has created a big name for itself for the massive scoops it has delivered.
Sometimes this leads to the unrealistic expectation that the scoops can keep being manufactured at a steady rate. Trying too hard much?
Old news... (Score:2)
Sure it's not a backdoor... (Score:1)
"The supposed "backdoor" the Guardian is describing is actually a feature working as intended, and it would require significant collaboration with Facebook to be able to snoop on and intercept someone's encrypted messages, something the company is extremely unlikely to do."
A backdoor that requires Facebook's help to snoop is still a backdoor, is it not?
Re: (Score:1)
A backdoor that allows facebook to snoop means that it's already in full use for datamining and resale for advertisement and well paying government agencies.
If it's no big deal, let me disable it... (Score:1)
If it's no big deal, where's the option to disable this autorenegotiation of keys, assuming that I'm not fussed about whether my messages migrate when I update my handset, but am fussed about Facebook having the technical means to give a copy of my supposedly secure messages to any random phone that their system authenticates?
Comment removed (Score:5, Insightful)
Re: (Score:2)
EXACTLY. I went into a lot more detail and rambling in my own comment, but you are 100% right.
Re: (Score:2)
Well, if it's open source, it's likely that someone else has done an audit of the code, and even if I haven't looked at each line of code, someone else probably has (if it's popular enough). While it's possible to hide a loophole in popular compilers, I think this is hard to pull off. The government has a lot of resources, but it's also big, slow, and leaky, so I don't think it could pull off a sophisticated compiler loophole without people noticing.
On the other hand, a Windows operating system backdoor is
Re: (Score:2)
THIS.. and... (Score:3)
it's owned by Facebook.
Re: (Score:1)
The Whatsapp client is proprietary and closed source.
It should be assumed to be compromised regardless of what anyone says about it.
We would but our tinfoil hats fell off.
missing the point (Score:5, Informative)
He is missing the point.
The article is not speaking about an encryption flaw or anything like that, but about a backdoor - a feature that allows Facebook, without any code changes on your device or other intrusion - to eavesdrop on any conversation you are having.
A good encryption would be impenetrable even to the vendor. It should not allow the keys to be changed underneath you. It should not warn you afterwards about this fact, and only if you have a special option enabled, but it should tell you before it does a key change, and require your consent.
Denial of the problem is the first stage (Score:2)
There is a problem in my opinion and denial won't get it fixed. Sure you need to renegotiate keys with a new device but it should not happen automagically without your knowledge. You should have to do it manually and it should not be done for you based on an assumption and all your messages be resent with the new keys.
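The two behaviours argued over in the comments above (re-encrypting undelivered messages to a new key automatically versus holding them until the user confirms the key), as an added example that is not part of the thread and is not WhatsApp or Signal code. It is a toy model: the `Sender` class, the fingerprint format and the sample keys are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(identity_key: bytes) -> str:
    """Short digest a user could compare out of band (constructed format)."""
    return hashlib.sha256(identity_key).hexdigest()[:16]

@dataclass
class Sender:
    blocking: bool                 # True: hold messages until the user approves a new key
    notify: bool = False           # non-blocking clients may still show a notice afterwards
    pinned: dict = field(default_factory=dict)     # contact -> trusted fingerprint
    pending: list = field(default_factory=list)    # (contact, text) not yet acknowledged
    delivered: list = field(default_factory=list)  # (contact, fingerprint used, text)
    notices: list = field(default_factory=list)    # what the user actually gets to see

    def send_while_offline(self, contact: str, text: str) -> None:
        self.pending.append((contact, text))

    def on_key_announced(self, contact: str, identity_key: bytes) -> None:
        """The server says: this is the identity key for `contact` now."""
        new, old = fingerprint(identity_key), self.pinned.get(contact)
        if old is not None and old != new:
            if self.blocking:
                self.notices.append(f"{contact}: key changed, verify {new} before sending")
                return             # nothing is re-encrypted to the unverified key
            if self.notify:
                self.notices.append(f"{contact}: security code changed")
        self.pinned[contact] = new  # first use, unchanged key, or silent acceptance
        self._flush(contact)

    def approve(self, contact: str, identity_key: bytes) -> None:
        """User compared fingerprints out of band and accepts the new key."""
        self.pinned[contact] = fingerprint(identity_key)
        self._flush(contact)

    def _flush(self, contact: str) -> None:
        fp = self.pinned[contact]
        self.delivered += [(c, fp, t) for c, t in self.pending if c == contact]
        self.pending = [(c, t) for c, t in self.pending if c != contact]

def scenario(blocking: bool, notify: bool = False) -> Sender:
    """Constructed run: key pinned, message queued offline, then a new key appears."""
    s = Sender(blocking=blocking, notify=notify)
    s.on_key_announced("bob", b"bob-key-1")           # initial exchange
    s.send_while_offline("bob", "meet at noon")       # bob unreachable, message waits
    s.on_key_announced("bob", b"unverified-key-2")    # reinstall, or someone else
    return s

if __name__ == "__main__":
    for mode in (False, True):
        s = scenario(blocking=mode)
        print("blocking" if mode else "non-blocking", s.delivered, s.pending, s.notices)
```

In the non-blocking run the queued message goes out under the new, unverified fingerprint and the user sees nothing unless `notify` is on; in the blocking run it stays in `pending` until `approve` is called.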
SubjectsInCommentsAreStupidCauseTheSubjectIsTFA (Score:2)
That's doubleplus bad.
I think we can leave it at that without the drama.
Did Whatsapp go open source yet? (Score:5, Insightful)
Some disclaimer:
I have moderate IT Security experience. I'm admittedly not the ITSec convention-going type, but I've developed for solid security, done successful penetration testing on people's code and the likes... From the guardian's article, and from my POV, the major issue here is one of wording: a Backdoor is a feature, one intentionally added by developers and hidden from the end user-facing stuff such as UI and (R)TFM. This is definitely not a backdoor - it looks like a flaw, probably associated with different use cases of whatsapp vs the original API, considering it happens on verbose conditions, and it surely seems tricky to replicate without very explicit user behavior. Apparently even a change in defaults by whatsapp can solve this.
Now for the real issue:
How can anyone even start arguing about an article's guilt on this or Whatsapp intentions without tackling the subject that: every closed source app claiming privacy (such as whatsapp), however you paint it, can never do so as guaranteed without being open source. There is one way, and one way only, that privacy can be achieved without having to trust on privacy policies, disclosures, public legal action or even secretive court orders and it is to open source the damn thing and providing a way of building that outputs the same without the branding (think Chromium or the Mozilla suite in Debian).
Here's the deal: Whatsapp states it uses the Whisper API but they might as well not use it. Whisper and Signal might state they collaborate and trusts they do use it, but who is to say they aren't being paid for this, lying or even chain-trusting blindly in Whatsapp statements of use? Oh wait, so there's a legal binding document saying Whatsapp actually does this... BIG DEAL. There are also constitutions being RAPED EVERY DAY by US, Chinese, Russian, (every country?) security services.
Snowden advises on using Signal for two essential reasons that cannot be taken apart:
1. he has access to the shyt going on inside and...
2. he actually understands that shyt.
Number one is the big deal here, and number 2 is the reason he publicly admits his support for Signal - people trust his technical judgement. Granted, no.1 won't make much sense to 99% of the world at which point you have to start trusting on someone's technical ability, reputation and honor, and for fuck sake Whatsapp is a commercial application based in the US - they HAVE to lie about such things, they don't even get a choice. Just having no.1 is like placing your neck under the sword of the entire world community. It's a lot better than a feature list, an advert, a legal document, someone's word. It's everybody's word.
This is no conspiracy theory, but logic beats trust, and most here, as engineers should be very aware of that. Even the trust in one's own actions isn't fallible - some people lie to themselves, some people don't know better than to believe they have failed at something and will trust blindly on their own ability. But sooner or later everybody finds out we are only as perfect as what we are made of. SHOW ME WHAT YOUR APP IS MADE OF and you will have the right for my complete blind trust (because it just isn't blind anymore). It can even be coded in esperanto (intentional bullshit here). It's the only way it is honestly submitted for scrutiny of your own statements of privacy and security.
Not very smart (Score:1)
And this was a program championed by a supposedly smart security researcher - Moxie.
Good thing I don't trust people who say "You should trust this encryption!" because they've all been proven wrong historically.
Re: (Score:1)
I've criticised a Guardian article, entirely justifiably. As for the underlying issue, it's a design consideration for usability. I actually don't like it, but I respect the choice.
It's basic encryption (Score:4, Informative)
If you don't trust WhatsApp to faithfully regenerate encryption keys, why the hell did you trust them to generate the initial keys in the first place? They could have just given Facebook a key then and let them listen in to your messages at any time. ANY messaging app, no matter how secure, can do this.
This is not a backdoor, it's an inherent vulnerability in all encryption systems. If you don't trust one end of the encryption, it doesn't matter if the keys are only generated once or if they're generated over and over, or if you're notified when they're regenerated or if they just regenerate them on the fly. At any point, an untrustworthy server can simply make a valid key for a third party, and your encryption is compromised.
This is a non-story. You know what 99% of people do in Signal when they get a notification that their encryption key has changed? They hit OK and re-send the message, just like WhatsApp does by default.
It's just like EULAs, nobody pays attention to those damn things. WhatsApp just skips the step of asking you to verify the encryption change unless you go into the settings and explicitly tell it to notify you. For most people, that's exactly the appropriate behavior.
It is downgrading the security (Score:2)
It is downgrading the security. Normally, an attacker would need to steal your key or the receiving end (you and the other person in turns) will get "wrong key, somebody is doing something BAD" warnings.
Whatsapp doesn't do this. Whatsapp displays a message "the remote end has changed its security number[sic!]". But only if you activated it in the settings. Else you get NO HINT AT ALL.
The next point are unsent messages. The report seems to exaggerate there a bit. The problem here: Go offline, type some messa
Schneier says that this vulnerability is real (Score:1)