[Busec] Busec Digest, Vol 73, Issue 15

Aanchal Malhotra aanchal4 at bu.edu
Sun Jan 15 16:02:00 EST 2017


On Sat, Jan 14, 2017 at 8:55 PM, <busec-request at cs.bu.edu> wrote:

> Send Busec mailing list submissions to
>         busec at cs.bu.edu
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://cs-mailman.bu.edu/mailman/listinfo/busec
> or, via email, send a message with subject or body 'help' to
>         busec-request at cs.bu.edu
>
> You can reach the person managing the list at
>         busec-owner at cs.bu.edu
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Busec digest..."
>
>
> Today's Topics:
>
>    1. Re: WhatsApp default settings vulnerability (Ran Canetti)
>    2. Re: WhatsApp default settings vulnerability (Ari Trachtenberg)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 14 Jan 2017 20:28:31 -0500
> From: Ran Canetti <canetti at tau.ac.il>
> To: Sarah Scheffler <sscheff at bu.edu>, Mayank Varia <varia at bu.edu>,
>         "busec at cs.bu.edu" <busec at cs.bu.edu>
> Subject: Re: [Busec] WhatsApp default settings vulnerability
> Message-ID: <ab636838-5f0e-5ada-8edd-836f45d21d66 at tau.ac.il>
> Content-Type: text/plain; charset="windows-1252"; Format="flowed"
>
> Question: Is anyone aware of a study of the level of protection that
> Whatsapp/Signal  gives from the OS itself, or from other applications on
> the phone? If anything, this attack surface appears to me much more
> scary than these re-encryption buglets... presumably the Signal/Whatsapp
> application keeps a lot of sensitive information -  public keys, secret
> keys, buffered messages, etc - both on RAM and on secondary storage. I
> once tried to look at what Whatsapp say about this in their
> documentation but didnt find much.
> Ran
>

Following up with Mayank and Sarah's discussion, in my opinion, the big
security trade-off made by WhatsApp is to make their service more reliable
and usable. A couple of quotes from this article
<https://www.eff.org/deeplinks/2017/01/google-launches-key-transparency-while-tradeoff-whatsapp-called-backdoor>
:

"*WhatsApp's default behavior makes the service seem more reliable: it's
one less way a message can fail to be delivered*"

"*If encryption can cause messages to not be delivered in new ways, the
average WhatsApp user will see that as a disadvantage. WhatsApp is not
competing with Signal in the marketplace, but it does compete with many
apps that are not end-to-end encrypted by default and don't have to make
these security trade-offs, like Hangouts, Allo, or Facebook Messenger ...* "

"T*his is a classic security trade-off. Every communication system must
make security trade-offs. Perfect security does no good if the resulting
tool is so difficult that it goes unused.*"

But I would also agree to "*this is certainly a vulnerability of WhatsApp,
and they should give users the choice to opt into more restrictive
Signal-like defaults.*"

Best,
Aanchal Malhotra.

>
>
> On 1/13/2017 5:32 PM, Sarah Scheffler wrote:
> > I mean, calling it a vulnerability definitely makes it sound worse
> > than it is, but I also think that a lot of people basically assume
> > that as long as they're using WhatsApp, nothing they send will be read
> > by anyone other than who they're sending it to.  I think calling this
> > a vulnerability in the news is actually good, as it brings public
> > awareness of the issue, and now people know whether or not they want
> > to check the box, or look at other settings.  Perhaps my email could
> > have been named with less hype, but to be honest this /is/ a
> > vulnerability as far as most users' usage is concerned, and I think
> > it's fine to treat it as such.  At the very least, this will hopefully
> > make people think "hey, there are things that are not automatically
> > solved by me using WhatsApp."  Which is obvious to people used to
> > thinking about cryptography, but not to the average person, who's
> > basically been showered with advice that WhatsApp will solve all of
> > their privacy problems.
> >
> > Also, I think a much better thing would have been for WhatsApp to
> > start with Signal's behavior, with a little blurb that says "if you
> > don't want to see these messages anymore, check this box."  I think
> > opting out, in general, is better than opting in.  That way, if people
> > are going to click through, they can check the box and it's the same
> > end result. And if they're not going to click through, then we helped
> > some people have a little more security at the cost of verifying a key
> > change once every month or so (or whatever the rate of their friends
> > getting new phones is).
> >
> > But it's fair, causing a panic about a not-really-vulnerability is
> > only going to make it worse when a /real/ vulnerability comes along.
> > So I don't know. Information is difficult.
> >
> > Cheers!
> > Sarah
> >
> > PS: If anyone wants to participate in the MIT Mystery Hunt this
> > weekend and doesn't have a team, I have a team of people from Harvey
> > Mudd College and we're always looking for new team members; send me an
> > email if you want into our slack room.
> >
> > On Fri, Jan 13, 2017 at 5:00 PM Mayank Varia <varia at bu.edu
> > <mailto:varia at bu.edu>> wrote:
> >
> >     Hi Sarah,
> >
> >     I think Signal is overhyped sometimes, but calling this a
> >     "vulnerability" or a "backdoor" seems way overblown to me. It's
> >     important that Signal/WhatsApp supports key migration somehow,
> >     since keys can change for many innocuous reasons, such as simply
> >     un/reinstalling the program on your phone or recovering your
> >     entire phone state from a backup snapshot (which, at least in my
> >     case, didn't save my old keys). For a long time Signal also made
> >     notifications of key changes unobtrusive by default; I had to
> >     enable the warning messages manually on my phone.
> >
> >     Basically, nothing about this post seems like news to me; it's a
> >     conscious decision by the developers of a security software to
> >     provide the best security/usability tradeoff to their customers as
> >     they can. Compare to the alternative. If the billion(ish) WhatsApp
> >     users received one of those "security warning" messages every time
> >     any single one of their friends migrated to a new key, I'm pretty
> >     sure people would be overburdened by these messages and would
> >     quickly learn to ignore them and simply click through. I don't see
> >     any benefit to this strategy at all. Signal itself only seems to
> >     be able to handle a "warn by default" mechanism because its user
> >     base is currently smaller and more tech-savvy/paranoid than
> >     WhatsApp's.
> >
> >     FYI, Open Whisper Systems' official response is here:
> >     https://whispersystems.org/blog/there-is-no-whatsapp-backdoor/. I
> >     agree with the criticism that the Guardian never bothered to ask
> >     the experts they interviewed about the (so-called) vulnerability,
> >     but rather the unrelated and completely-leading question "are
> >     backdoors in crypto bad?" That's all that the quotes in the
> >     Guardian article seem to indicate, as I read it.
> >
> >     Mayank
> >
> >     P.S. for a shameless plug: if you want to learn more details about
> >     the Signal messaging protocol, take my applied crypto course at BU
> >     this semester (CS 591 V1).
> >
> >
> >     On Fri, Jan 13, 2017 at 4:42 PM Sarah Scheffler <sscheff at bu.edu
> >     <mailto:sscheff at bu.edu>> wrote:
> >
> >         This might be old news for some of you, but it was news to me.
> >         <https://www.theguardian.com/technology/2017/jan/13/
> whatsapp-backdoor-allows-snooping-on-encrypted-messages>
> >
> >
> >         TL;DR: If you use Signal, you're good.  If you use WhatsApp,
> >         you should set the setting where it tells you if the
> >         recipient's key was changed while they were offline, and also
> >         be aware that messages sent to people who are offline may be
> >         re-encrypted under a different (!) key and sent without your
> >         intervention.  Or switch to Signal.
> >
> >         Basically if you send a message in WhatsApp to someone who is
> >         offline, WhatsApp can replace the public key of the person to
> >         whom you're sending with a new one, and the messages you sent
> >         will be automatically re-encrypted and sent under the new
> >         key.  Only after they are successfully transmitted are you
> >         told that this key change happened, and even then only if you
> >         check a little (non-default) box that says so.  It was
> >         explained a little more sanely and with more pictures by the
> >         finder, Tobias Boelter from Berkeley:
> >         https://tobi.rocks/2016/04/whats-app-retransmission-
> vulnerability/
> >
> >         Apparently Facebook knows about this and isn't planning on
> >         changing anything.  The finder of this vulnerability says
> >         <https://tobi.rocks/2017/01/what-is-facebook-going-to-do-
> a-suggestion/> he's
> >         pretty sure it was a bug, but also that they should claim that
> >         it wasn't and that they just made a poor design choice, and
> >         change it.
> >
> >         Cheers!
> >         Sarah
> >
> >         _______________________________________________
> >         Busec mailing list
> >         Busec at cs.bu.edu <mailto:Busec at cs.bu.edu>
> >         http://cs-mailman.bu.edu/mailman/listinfo/busec
> >
> >
> >
> > _______________________________________________
> > Busec mailing list
> > Busec at cs.bu.edu
> > http://cs-mailman.bu.edu/mailman/listinfo/busec
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://cs-mailman.bu.edu/pipermail/busec/attachments/
> 20170114/da891870/attachment-0001.html>
>
> ------------------------------
>
> Message: 2
> Date: Sat, 14 Jan 2017 20:54:40 -0500
> From: Ari Trachtenberg <trachten at bu.edu>
> To: Ran Canetti <canetti at tau.ac.il>
> Cc: "busec at cs.bu.edu" <busec at cs.bu.edu>
> Subject: Re: [Busec] WhatsApp default settings vulnerability
> Message-ID: <6517296E-9549-4D28-893E-65B3BC3C3178 at bu.edu>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Not sure how you can protect from the OS without heavy-duty crypto or some
> trusted computing base (often an attack surface in its own right).
> The OS, for example, can completely replace the app, at its discretion.
>
> > On Jan 14, 2017, at 8:28 PM, Ran Canetti <canetti at tau.ac.il> wrote:
> >
> > Question: Is anyone aware of a study of the level of protection that
> Whatsapp/Signal  gives from the OS itself, or from other applications on
> the phone? If anything, this attack surface appears to me much more scary
> than these re-encryption buglets... presumably the Signal/Whatsapp
> application keeps a lot of sensitive information -  public keys, secret
> keys, buffered messages, etc - both on RAM and on secondary storage. I once
> tried to look at what Whatsapp say about this in their documentation but
> didnt find much.
> > Ran
> >
> >
> > On 1/13/2017 5:32 PM, Sarah Scheffler wrote:
> >> I mean, calling it a vulnerability definitely makes it sound worse than
> it is, but I also think that a lot of people basically assume that as long
> as they're using WhatsApp, nothing they send will be read by anyone other
> than who they're sending it to.  I think calling this a vulnerability in
> the news is actually good, as it brings public awareness of the issue, and
> now people know whether or not they want to check the box, or look at other
> settings.  Perhaps my email could have been named with less hype, but to be
> honest this is a vulnerability as far as most users' usage is concerned,
> and I think it's fine to treat it as such.  At the very least, this will
> hopefully make people think "hey, there are things that are not
> automatically solved by me using WhatsApp."  Which is obvious to people
> used to thinking about cryptography, but not to the average person, who's
> basically been showered with advice that WhatsApp will solve all of their
> privacy problems.
> >>
> >> Also, I think a much better thing would have been for WhatsApp to start
> with Signal's behavior, with a little blurb that says "if you don't want to
> see these messages anymore, check this box."  I think opting out, in
> general, is better than opting in.  That way, if people are going to click
> through, they can check the box and it's the same end result.  And if
> they're not going to click through, then we helped some people have a
> little more security at the cost of verifying a key change once every month
> or so (or whatever the rate of their friends getting new phones is).
> >>
> >> But it's fair, causing a panic about a not-really-vulnerability is only
> going to make it worse when a real vulnerability comes along.  So I don't
> know.  Information is difficult.
> >>
> >> Cheers!
> >> Sarah
> >>
> >> PS: If anyone wants to participate in the MIT Mystery Hunt this weekend
> and doesn't have a team, I have a team of people from Harvey Mudd College
> and we're always looking for new team members; send me an email if you want
> into our slack room.
> >>
> >> On Fri, Jan 13, 2017 at 5:00 PM Mayank Varia <varia at bu.edu <mailto:
> varia at bu.edu>> wrote:
> >> Hi Sarah,
> >>
> >> I think Signal is overhyped sometimes, but calling this a
> "vulnerability" or a "backdoor" seems way overblown to me. It's important
> that Signal/WhatsApp supports key migration somehow, since keys can change
> for many innocuous reasons, such as simply un/reinstalling the program on
> your phone or recovering your entire phone state from a backup snapshot
> (which, at least in my case, didn't save my old keys). For a long time
> Signal also made notifications of key changes unobtrusive by default; I had
> to enable the warning messages manually on my phone.
> >>
> >> Basically, nothing about this post seems like news to me; it's a
> conscious decision by the developers of a security software to provide the
> best security/usability tradeoff to their customers as they can. Compare to
> the alternative. If the billion(ish) WhatsApp users received one of those
> "security warning" messages every time any single one of their friends
> migrated to a new key, I'm pretty sure people would be overburdened by
> these messages and would quickly learn to ignore them and simply click
> through. I don't see any benefit to this strategy at all. Signal itself
> only seems to be able to handle a "warn by default" mechanism because its
> user base is currently smaller and more tech-savvy/paranoid than WhatsApp's.
> >>
> >> FYI, Open Whisper Systems' official response is here:
> https://whispersystems.org/blog/there-is-no-whatsapp-backdoor/ <
> https://whispersystems.org/blog/there-is-no-whatsapp-backdoor/>. I agree
> with the criticism that the Guardian never bothered to ask the experts they
> interviewed about the (so-called) vulnerability, but rather the unrelated
> and completely-leading question "are backdoors in crypto bad?" That's all
> that the quotes in the Guardian article seem to indicate, as I read it.
> >>
> >> Mayank
> >>
> >> P.S. for a shameless plug: if you want to learn more details about the
> Signal messaging protocol, take my applied crypto course at BU this
> semester (CS 591 V1).
> >>
> >>
> >> On Fri, Jan 13, 2017 at 4:42 PM Sarah Scheffler <sscheff at bu.edu
> <mailto:sscheff at bu.edu>> wrote:
> >> This might be old news for some of you, but it was news to me. <
> https://www.theguardian.com/technology/2017/jan/13/
> whatsapp-backdoor-allows-snooping-on-encrypted-messages>
> >>
> >> TL;DR: If you use Signal, you're good.  If you use WhatsApp, you should
> set the setting where it tells you if the recipient's key was changed while
> they were offline, and also be aware that messages sent to people who are
> offline may be re-encrypted under a different (!) key and sent without your
> intervention.  Or switch to Signal.
> >>
> >> Basically if you send a message in WhatsApp to someone who is offline,
> WhatsApp can replace the public key of the person to whom you're sending
> with a new one, and the messages you sent will be automatically
> re-encrypted and sent under the new key.  Only after they are successfully
> transmitted are you told that this key change happened, and even then only
> if you check a little (non-default) box that says so.  It was explained a
> little more sanely and with more pictures by the finder, Tobias Boelter
> from Berkeley: https://tobi.rocks/2016/04/whats-app-retransmission-
> vulnerability/ <https://tobi.rocks/2016/04/whats-app-retransmission-
> vulnerability/>
> >>
> >> Apparently Facebook knows about this and isn't planning on changing
> anything.  The finder of this vulnerability says <
> https://tobi.rocks/2017/01/what-is-facebook-going-to-do-a-suggestion/>
> he's pretty sure it was a bug, but also that they should claim that it
> wasn't and that they just made a poor design choice, and change it.
> >>
> >> Cheers!
> >> Sarah
> >> _______________________________________________
> >> Busec mailing list
> >> Busec at cs.bu.edu <mailto:Busec at cs.bu.edu>
> >> http://cs-mailman.bu.edu/mailman/listinfo/busec <
> http://cs-mailman.bu.edu/mailman/listinfo/busec>
> >>
> >>
> >> _______________________________________________
> >> Busec mailing list
> >> Busec at cs.bu.edu <mailto:Busec at cs.bu.edu>
> >> http://cs-mailman.bu.edu/mailman/listinfo/busec <
> http://cs-mailman.bu.edu/mailman/listinfo/busec>
> >
> > _______________________________________________
> > Busec mailing list
> > Busec at cs.bu.edu
> > http://cs-mailman.bu.edu/mailman/listinfo/busec
>
> ---
> Prof. Ari Trachtenberg            ECE, Boston University
> trachten at bu.edu                    http://people.bu.edu/trachten
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://cs-mailman.bu.edu/pipermail/busec/attachments/
> 20170114/336d0107/attachment.html>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: signature.asc
> Type: application/pgp-signature
> Size: 495 bytes
> Desc: Message signed with OpenPGP using GPGMail
> URL: <http://cs-mailman.bu.edu/pipermail/busec/attachments/
> 20170114/336d0107/attachment.sig>
>
> ------------------------------
>
> _______________________________________________
> Busec mailing list
> Busec at cs.bu.edu
> http://cs-mailman.bu.edu/mailman/listinfo/busec
>
>
> End of Busec Digest, Vol 73, Issue 15
> *************************************
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cs-mailman.bu.edu/pipermail/busec/attachments/20170115/4c0c9702/attachment-0001.html>


More information about the Busec mailing list