<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Question: Is anyone aware of a study of the level of protection that
    WhatsApp/Signal gives from the OS itself, or from other
    applications on the phone? If anything, this attack surface appears
    to me much more scary than these re-encryption buglets... presumably
    the Signal/WhatsApp application keeps a lot of sensitive information
    - public keys, secret keys, buffered messages, etc. - both in RAM
    and on secondary storage. I once tried to look at what WhatsApp says
    about this in their documentation but didn't find much. <br>
    Ran<br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 1/13/2017 5:32 PM, Sarah Scheffler
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAH_gZeF_uMY8E2R=kbMbOFeRo1u0=4zs5cQmozqt3xkE+QRsVA@mail.gmail.com"
      type="cite">
      <div dir="ltr">I mean, calling it a vulnerability definitely makes
        it sound worse than it is, but I also think that a lot of people
        basically assume that as long as they're using WhatsApp, nothing
        they send will be read by anyone other than who they're sending
        it to.  I think calling this a vulnerability in the news is
        actually good, as it brings public awareness of the issue, and
        now people know whether or not they want to check the box, or
        look at other settings.  Perhaps my email could have been named
        with less hype, but to be honest this <i>is</i> a vulnerability
        as far as most users' usage is concerned, and I think it's fine
        to treat it as such.  At the very least, this will hopefully
        make people think "hey, there are things that are not
        automatically solved by me using WhatsApp."  Which is obvious to
        people used to thinking about cryptography, but not to the
        average person, who's basically been showered with advice that
        WhatsApp will solve all of their privacy problems.
        <div><br>
        </div>
        <div>Also, I think a much better thing would have been for
          WhatsApp to start with Signal's behavior, with a little blurb
          that says "if you don't want to see these messages anymore,
          check this box."  I think opting out, in general, is better
          than opting in.  That way, if people are going to click
          through, they can check the box and it's the same end result. 
          And if they're not going to click through, then we helped some
          people have a little more security at the cost of verifying a
          key change once every month or so (or whatever the rate of
          their friends getting new phones is).</div>
        <div><br>
        </div>
        <div>But it's fair, causing a panic about a
          not-really-vulnerability is only going to make it worse when a
          <i>real</i> vulnerability comes along.  So I don't know. 
          Information is difficult.</div>
        <div><br>
        </div>
        <div>Cheers!</div>
        <div>Sarah</div>
        <div><br>
        </div>
        <div>PS: If anyone wants to participate in the MIT Mystery Hunt
          this weekend and doesn't have a team, I have a team of people
          from Harvey Mudd College and we're always looking for new team
          members; send me an email if you want into our slack room.</div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr">On Fri, Jan 13, 2017 at 5:00 PM Mayank Varia &lt;<a
            moz-do-not-send="true" href="mailto:varia@bu.edu">varia@bu.edu</a>&gt;
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div dir="ltr" class="gmail_msg">
            <div dir="ltr" class="gmail_msg">Hi Sarah,
              <div class="gmail_msg"><br class="gmail_msg">
              </div>
              <div class="gmail_msg">I think Signal is overhyped
                sometimes, but calling this a "vulnerability" or a
                "backdoor" seems way overblown to me. It's important
                that Signal/WhatsApp supports key migration somehow,
                since keys can change for many innocuous reasons, such
                as simply un/reinstalling the program on your phone or
                recovering your entire phone state from a backup
                snapshot (which, at least in my case, didn't save my old
                keys). For a long time Signal also made notifications of
                key changes unobtrusive by default; I had to enable the
                warning messages manually on my phone.</div>
              <div class="gmail_msg"><br class="gmail_msg">
              </div>
              <div class="gmail_msg">Basically, nothing about this post
                seems like news to me; it's a conscious decision by the
                developers of a security software to provide the best
                security/usability tradeoff to their customers as they
                can. Compare to the alternative. If the billion(ish)
                WhatsApp users received one of those "security warning"
                messages every time any single one of their friends
                migrated to a new key, I'm pretty sure people would be
                overburdened by these messages and would quickly learn
                to ignore them and simply click through. I don't see any
                benefit to this strategy at all. Signal itself only
                seems to be able to handle a "warn by default" mechanism
                because its user base is currently smaller and more
                tech-savvy/paranoid than WhatsApp's.</div>
              <div class="gmail_msg"><br class="gmail_msg">
              </div>
              <div class="gmail_msg">FYI, Open Whisper Systems' official
                response is here: <a moz-do-not-send="true"
                  href="https://whispersystems.org/blog/there-is-no-whatsapp-backdoor/"
                  class="gmail_msg" target="_blank">https://whispersystems.org/blog/there-is-no-whatsapp-backdoor/</a>.
                I agree with the criticism that the Guardian never
                bothered to ask the experts they interviewed about the
                (so-called) vulnerability, but rather the unrelated and
                completely-leading question "are backdoors in crypto
                bad?" That's all that the quotes in the Guardian article
                seem to indicate, as I read it.</div>
            </div>
          </div>
          <div dir="ltr" class="gmail_msg">
            <div dir="ltr" class="gmail_msg">
              <div class="gmail_msg"><br class="gmail_msg">
              </div>
              <div class="gmail_msg">Mayank</div>
            </div>
          </div>
          <div dir="ltr" class="gmail_msg">
            <div dir="ltr" class="gmail_msg">
              <div class="gmail_msg"><br class="gmail_msg">
              </div>
              <div class="gmail_msg">P.S. for a shameless plug: if you
                want to learn more details about the Signal messaging
                protocol, take my applied crypto course at BU this
                semester (CS 591 V1).</div>
              <div class="gmail_msg"><br class="gmail_msg">
              </div>
            </div>
            <br class="gmail_msg">
          </div>
          <div dir="ltr" class="gmail_msg">
            <div class="gmail_quote gmail_msg">
              <div dir="ltr" class="gmail_msg">On Fri, Jan 13, 2017 at
                4:42 PM Sarah Scheffler &lt;<a moz-do-not-send="true"
                  href="mailto:sscheff@bu.edu" class="gmail_msg"
                  target="_blank">sscheff@bu.edu</a>&gt; wrote:<br
                  class="gmail_msg">
              </div>
            </div>
          </div>
          <div dir="ltr" class="gmail_msg">
            <div class="gmail_quote gmail_msg">
              <blockquote class="gmail_quote gmail_msg" style="margin:0
                0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                <div dir="ltr" class="gmail_msg"><a
                    moz-do-not-send="true"
href="https://www.theguardian.com/technology/2017/jan/13/whatsapp-backdoor-allows-snooping-on-encrypted-messages"
                    class="gmail_msg" target="_blank">This might be old
                    news for some of you, but it was news to me.</a>
                  <div class="gmail_msg"><br class="gmail_msg">
                  </div>
                  <div class="gmail_msg">TL;DR: If you use Signal,
                    you're good.  If you use WhatsApp, you should set
                    the setting where it tells you if the recipient's
                    key was changed while they were offline, and also be
                    aware that messages sent to people who are offline
                    may be re-encrypted under a different (!) key and
                    sent without your intervention.  Or switch to
                    Signal.<br class="gmail_msg">
                    <div class="gmail_msg"><br class="gmail_msg">
                    </div>
                    <div class="gmail_msg">Basically if you send a
                      message in WhatsApp to someone who is offline,
                      WhatsApp can replace the public key of the person
                      to whom you're sending with a new one, and the
                      messages you sent will be automatically
                      re-encrypted and sent under the new key.  Only
                      after they are successfully transmitted are you
                      told that this key change happened, and even then
                      only if you check a little (non-default) box that
                      says so.  It was explained a little more sanely
                      and with more pictures by the finder, Tobias
                      Boelter from Berkeley: <a moz-do-not-send="true"
href="https://tobi.rocks/2016/04/whats-app-retransmission-vulnerability/"
                        class="gmail_msg" target="_blank">https://tobi.rocks/2016/04/whats-app-retransmission-vulnerability/</a></div>
                  </div>
                  <div class="gmail_msg"><br class="gmail_msg">
                  </div>
                  <div class="gmail_msg">Apparently Facebook knows about
                    this and isn't planning on changing anything.  The
                    finder of this vulnerability <a
                      moz-do-not-send="true"
href="https://tobi.rocks/2017/01/what-is-facebook-going-to-do-a-suggestion/"
                      class="gmail_msg" target="_blank">says</a> he's
                    pretty sure it was a bug, but also that they should
                    claim that it wasn't and that they just made a poor
                    design choice, and change it.</div>
                  <div class="gmail_msg"><br class="gmail_msg">
                  </div>
                  <div class="gmail_msg">Cheers!</div>
                  <div class="gmail_msg">Sarah</div>
                </div>
              </blockquote>
            </div>
          </div>
          <div dir="ltr" class="gmail_msg">
            <div class="gmail_quote gmail_msg">
              <blockquote class="gmail_quote gmail_msg" style="margin:0
                0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                _______________________________________________<br
                  class="gmail_msg">
                Busec mailing list<br class="gmail_msg">
                <a moz-do-not-send="true" href="mailto:Busec@cs.bu.edu"
                  class="gmail_msg" target="_blank">Busec@cs.bu.edu</a><br
                  class="gmail_msg">
                <a moz-do-not-send="true"
                  href="http://cs-mailman.bu.edu/mailman/listinfo/busec"
                  rel="noreferrer" class="gmail_msg" target="_blank">http://cs-mailman.bu.edu/mailman/listinfo/busec</a><br
                  class="gmail_msg">
              </blockquote>
            </div>
          </div>
        </blockquote>
      </div>
      <br>
    </blockquote>
    <br>
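    The retransmission behaviour described in the first message of this thread (quoted above), as an added example that is not part of any message in the thread and is not WhatsApp or Signal code. It models only the sender-side policy decision, with no real cryptography; the class, method and key names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Sender:
    blocking: bool                  # True: hold messages until the user verifies the new key
    notify: bool = False            # the non-default "tell me about key changes" box
    keys: dict = field(default_factory=dict)      # contact: accepted key id
    pending: dict = field(default_factory=dict)   # contact: undelivered plaintexts
    wire: list = field(default_factory=list)      # (contact, key id, plaintext) transmitted
    warnings: list = field(default_factory=list)  # what the user was shown

    def send(self, contact, text):
        # Encrypt to the currently accepted key; keep the plaintext until delivery.
        self.pending.setdefault(contact, []).append(text)
        self.wire.append((contact, self.keys[contact], text))

    def key_changed(self, contact, new_key):
        """Server reports a new key for a contact that has undelivered messages."""
        if self.blocking:
            # Nothing leaves the device under the new key until verify() is called.
            self.warnings.append(f"{contact}: key changed, verify before resending")
            return "held"
        self._retransmit(contact, new_key)
        if self.notify:             # the user learns of the change only after the resend
            self.warnings.append(f"{contact}: key changed")
        return "resent"

    def verify(self, contact, new_key):
        """User confirmed the new key out of band; resend the held messages."""
        self._retransmit(contact, new_key)

    def _retransmit(self, contact, new_key):
        self.keys[contact] = new_key
        for text in self.pending.get(contact, []):
            self.wire.append((contact, new_key, text))

def run(blocking, notify=False):
    # Constructed scenario: bob is offline, so the message stays pending.
    s = Sender(blocking=blocking, notify=notify, keys={"bob": "K1"})
    s.send("bob", "meet at 6")
    outcome = s.key_changed("bob", "K2")
    return outcome, [w for w in s.wire if w[1] == "K2"], s.warnings

if __name__ == "__main__":
    for policy in (False, True):
        print("blocking" if policy else "non-blocking", run(policy))
```

    With the non-blocking policy and the notification box unchecked, the pending plaintext is sent under the new key and the warnings list stays empty; with the blocking policy nothing is sent under the new key until verify() is called.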
  </body>
</html>