Has anyone heard anything from Moxie Marlinspike on this? Would be interesting to hear his perspective - Open Whisper Systems helped out with the encryption.
Well there are two possible scenarios I can envisage.
a) The issue was an oversight and simply a bug that needs to be fixed. The question is why FB doesn't want it fixed?
b) Moxie knew that this issue existed but was NDA'ed into leaving it there for nefarious purposes. Now it's public knowledge, where do we go from here?
This exploit is not in the original Signal protocol, and was introduced by WhatsApp. Signal discards undelivered messages when the encryption key changes; WhatsApp implemented re-transmission because they think it improves usability. It does do that, and it also introduces this security risk.
It says so right in the article. Stop spreading FUD.
Moxie endorsed WhatsApp, though. We view Moxie as a trusted actor, so either he is untrustworthy, which would SUCK, or he didn't know that they did this.