[Busec] WhatsApp default settings vulnerability

Ran Canetti canetti at tau.ac.il
Sat Jan 14 20:28:31 EST 2017

Question: Is anyone aware of a study of the level of protection that 
WhatsApp/Signal gives from the OS itself, or from other applications on 
the phone? If anything, this attack surface appears to me much more 
scary than these re-encryption buglets... presumably the Signal/WhatsApp 
application keeps a lot of sensitive information - public keys, secret 
keys, buffered messages, etc. - both in RAM and on secondary storage. I 
once tried to look at what WhatsApp says about this in their 
documentation but didn't find much.

On 1/13/2017 5:32 PM, Sarah Scheffler wrote:
> I mean, calling it a vulnerability definitely makes it sound worse 
> than it is, but I also think that a lot of people basically assume 
> that as long as they're using WhatsApp, nothing they send will be read 
> by anyone other than who they're sending it to.  I think calling this 
> a vulnerability in the news is actually good, as it brings public 
> awareness of the issue, and now people know whether or not they want 
> to check the box, or look at other settings.  Perhaps my email could 
> have been named with less hype, but to be honest this /is/ a 
> vulnerability as far as most users' usage is concerned, and I think 
> it's fine to treat it as such.  At the very least, this will hopefully 
> make people think "hey, there are things that are not automatically 
> solved by me using WhatsApp."  Which is obvious to people used to 
> thinking about cryptography, but not to the average person, who's 
> basically been showered with advice that WhatsApp will solve all of 
> their privacy problems.
> Also, I think a much better thing would have been for WhatsApp to 
> start with Signal's behavior, with a little blurb that says "if you 
> don't want to see these messages anymore, check this box."  I think 
> opting out, in general, is better than opting in.  That way, if people 
> are going to click through, they can check the box and it's the same 
> end result. And if they're not going to click through, then we helped 
> some people have a little more security at the cost of verifying a key 
> change once every month or so (or whatever the rate of their friends 
> getting new phones is).
> But it's fair, causing a panic about a not-really-vulnerability is 
> only going to make it worse when a /real/ vulnerability comes along.  
> So I don't know. Information is difficult.
> Cheers!
> Sarah
> PS: If anyone wants to participate in the MIT Mystery Hunt this 
> weekend and doesn't have a team, I have a team of people from Harvey 
> Mudd College and we're always looking for new team members; send me an 
> email if you want into our slack room.
> On Fri, Jan 13, 2017 at 5:00 PM Mayank Varia <varia at bu.edu> wrote:
>     Hi Sarah,
>     I think Signal is overhyped sometimes, but calling this a
>     "vulnerability" or a "backdoor" seems way overblown to me. It's
>     important that Signal/WhatsApp supports key migration somehow,
>     since keys can change for many innocuous reasons, such as simply
>     un/reinstalling the program on your phone or recovering your
>     entire phone state from a backup snapshot (which, at least in my
>     case, didn't save my old keys). For a long time Signal also made
>     notifications of key changes unobtrusive by default; I had to
>     enable the warning messages manually on my phone.
>     Basically, nothing about this post seems like news to me; it's a
>     conscious decision by the developers of security software to
>     provide the best security/usability tradeoff to their customers as
>     they can. Compare to the alternative. If the billion(ish) WhatsApp
>     users received one of those "security warning" messages every time
>     any single one of their friends migrated to a new key, I'm pretty
>     sure people would be overburdened by these messages and would
>     quickly learn to ignore them and simply click through. I don't see
>     any benefit to this strategy at all. Signal itself only seems to
>     be able to handle a "warn by default" mechanism because its user
>     base is currently smaller and more tech-savvy/paranoid than
>     WhatsApp's.
>     FYI, Open Whisper Systems' official response is here:
>     https://whispersystems.org/blog/there-is-no-whatsapp-backdoor/. I
>     agree with the criticism that the Guardian never bothered to ask
>     the experts they interviewed about the (so-called) vulnerability,
>     but rather the unrelated and completely-leading question "are
>     backdoors in crypto bad?" That's all that the quotes in the
>     Guardian article seem to indicate, as I read it.
>     Mayank
>     P.S. for a shameless plug: if you want to learn more details about
>     the Signal messaging protocol, take my applied crypto course at BU
>     this semester (CS 591 V1).
>     On Fri, Jan 13, 2017 at 4:42 PM Sarah Scheffler <sscheff at bu.edu> wrote:
>         This might be old news for some of you, but it was news to me.
>         <https://www.theguardian.com/technology/2017/jan/13/whatsapp-backdoor-allows-snooping-on-encrypted-messages>
>         TL;DR: If you use Signal, you're good.  If you use WhatsApp,
>         you should set the setting where it tells you if the
>         recipient's key was changed while they were offline, and also
>         be aware that messages sent to people who are offline may be
>         re-encrypted under a different (!) key and sent without your
>         intervention.  Or switch to Signal.
>         Basically if you send a message in WhatsApp to someone who is
>         offline, WhatsApp can replace the public key of the person to
>         whom you're sending with a new one, and the messages you sent
>         will be automatically re-encrypted and sent under the new
>         key.  Only after they are successfully transmitted are you
>         told that this key change happened, and even then only if you
>         check a little (non-default) box that says so.  It was
>         explained a little more sanely and with more pictures by the
>         finder, Tobias Boelter from Berkeley:
>         https://tobi.rocks/2016/04/whats-app-retransmission-vulnerability/
>         Apparently Facebook knows about this and isn't planning on
>         changing anything.  The finder of this vulnerability says
>         <https://tobi.rocks/2017/01/what-is-facebook-going-to-do-a-suggestion/> he's
>         pretty sure it was a bug, but also that they should claim that
>         it wasn't and that they just made a poor design choice, and
>         change it.
>         Cheers!
>         Sarah
>         _______________________________________________
>         Busec mailing list
>         Busec at cs.bu.edu
>         http://cs-mailman.bu.edu/mailman/listinfo/busec
> _______________________________________________
> Busec mailing list
> Busec at cs.bu.edu
> http://cs-mailman.bu.edu/mailman/listinfo/busec
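
The retransmission behaviour discussed in this thread, as a small sender-side model. This is an added example, not code from WhatsApp, Signal or any poster. The class and field names are hypothetical, the (key_id, text) tuples stand in for real ciphertexts, and the blocking policy is an assumed model of the warn-first alternative the thread argues about.

```python
from dataclasses import dataclass, field

@dataclass
class SenderClient:
    """Sender-side model; (key_id, text) tuples stand in for ciphertexts."""
    recipient_key: str
    block_on_key_change: bool                    # True = warn first (assumed policy)
    show_security_notifications: bool = False    # the non-default box from the thread
    unacked: list = field(default_factory=list)  # sent, not yet delivered
    held: list = field(default_factory=list)     # waiting for the user's decision
    wire: list = field(default_factory=list)     # everything handed to the server
    notices: list = field(default_factory=list)  # what the user actually sees

    def send(self, text):
        self.unacked.append(text)
        self.wire.append((self.recipient_key, text))

    def on_key_change(self, new_key):
        """Server announces a new key while earlier messages are undelivered."""
        if self.block_on_key_change:
            # Nothing leaves the device until the user has seen the warning.
            self.held, self.unacked = self.unacked, []
            self.notices.append(f"key changed to {new_key}; {len(self.held)} message(s) held")
            return
        self.recipient_key = new_key
        for text in self.unacked:                 # automatic re-encryption and resend
            self.wire.append((new_key, text))
        if self.show_security_notifications:      # shown only after the resend
            self.notices.append(f"key changed to {new_key}")

    def user_accepts(self, new_key):
        """User verified the new key out of band and releases held messages."""
        self.recipient_key = new_key
        for text in self.held:
            self.wire.append((new_key, text))
        self.unacked, self.held = self.held, []

def scenario(block, notify):
    # Constructed input: one message sent while the recipient is offline,
    # followed by a key change announced by the server.
    client = SenderClient("K_old", block, notify)
    client.send("meet at 6")
    client.on_key_change("K_new")
    return client
```

Comparing `wire` and `notices` across the three settings shows that the checkbox only changes what the user is told, while the blocking policy changes what is sent.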
