While people discuss about a possible state-actor stronghanding WhatsApp and the semantics of backdoor, the "design feature" of not showing the key changes are making real victims, at least in Brasil:<p>The attacker first try to duplicate the mobile phone number of the first victim, probably by social engineering their phone company. This part may look difficult to do, but it is not hard if you realize you do not need to target anyone special - everyone uses WhatsApp, so any number gives a high probability of success.<p>After getting the first victim number, the attacker install WhatsApp, which gladly verifies the user via SMS - WA has no login, no password, so anyone receiving the SMS can impersonate anyone else.<p>As Whatsapp does not send any alert of key change by default, the attacker is free to impersonate to person - in this case, he simply asks for some borrowed money to be transferred to a bank account, which will be paid soon. The recipient has no reason to distrust the message - it is being sent by his friend in the same chat window as they always talked to, even the logs are there. There is no message to warn about the potential issue, by design!<p>This is no hypothesis - this is actually happening for some time, now.[1] This design feature surely has some loyal users.<p>[1]<a href="http://www.correiobraziliense.com.br/app/noticia/cidades/2016/05/11/interna_cidadesdf,531298/brasilienses-caem-em-fraudes-cometidas-atraves-de-aplicativo-de-celula.shtml" rel="nofollow">http://www.correiobraziliense.com.br/app/noticia/cidades/201...</a>
The article mostly just quotes two other sources that have already been discussed here:<p><i>WhatsApp backdoor allows snooping on encrypted messages</i>, <a href="https://news.ycombinator.com/item?id=13389935" rel="nofollow">https://news.ycombinator.com/item?id=13389935</a><p><i>There is no WhatsApp 'backdoor'</i>, <a href="https://news.ycombinator.com/item?id=13394900" rel="nofollow">https://news.ycombinator.com/item?id=13394900</a>
The question for me is that posed by the hacker who discovered the vulnerability. Here's what he said [1]:<p>"He (Moxie) said: “The choice to make these notifications ‘blocking’ would in some ways make things worse. That would leak information to the server about who has enabled safety number change notifications and who hasn’t, effectively telling the server who it could man-in-the-middle transparently and who it couldn’t; something that WhatsApp considered very carefully.”<p>This claim is false. Those “blocking” clients could instead retransmit a message of the same length that just contains garbage and this message would just not be displayed by the receiver’s phone. Encryption guarantees the garbage or real messages are indistinguishable in the encrypted form. Hence, this technique would make identifying users with the additional security enabled on a large scale impossible."<p>This was raised in the previous WhatsApp vuln thread but as far as I'm aware, Moxie is yet to address this criticism. Would be good to get a response on this.<p>[1] <a href="https://www.theguardian.com/technology/2017/jan/16/whatsapp-vulnerability-facebook" rel="nofollow">https://www.theguardian.com/technology/2017/jan/16/whatsapp-...</a>
Even if they changed this specific design decision/vulnerability, it seems like there's a big gaping hole (or I'm missing something).<p>Given that WhatsApp brokers the initial key exchange, lawful interdiction can take place at WhatsApp under subpoena. What we hope is the case is that WhatsApp would fight these orders in court, claiming that the keys are merely forwarded and aren't stored by design. But if they fought and lost, then presumably they'd comply with the orders and the provision not to reveal the order. Do we really think that WhatsApp and/or Facebook have the conviction of Ladar Levison?<p>It would seem that all new accounts created at WhatsApp after that theoretical warrant is executed are at risk.
If your threat model is the government compelling Facebook, then you should be using a different product that's geared specifically towards security, such as Signal. WhatsApp is a mass-market product aimed at the whole world, which means it makes different tradeoffs, providing a less comprehensive threat model in favor of higher usability. And that's a perfectly fine thing for this app to do.
I didn't quite grasp why attacking entity (e.g. government) has the ability to read messages.
What does "WhatsApp has the ability to force the generation of new encryption keys for offline users" mean? Does it mean that WhatsApp backend has the ability to force sender to use pregenerated compromised key provided by attacker?
In terms of WhatsApp security whitepaper, does that mean that attacker can force sender to use newly generated (by attacker) S_recipient, O_recipient and the main one, I_recipient?
I'm asking because "force the generation of new _encryption_ keys" doesn't really specify who would generate keys, or what about identity key that signs everything.
conspicuously missing from this discussion is the self-healing capabilities of the signal protocol, which as far as i understand is a major feature. when marlinspike says, "This is called a \"man in the middle\" attack, or MITM, and is endemic to public key cryptography, not just WhatsApp," i find it odd that he wouldn't even address the fact that the signal protocol has protections against this built into the protocol.