Hacker News new | ask | show | jobs
by CiPHPerCoder 3440 days ago
> I'll point out none of the security researchers in the article dispute the vulnerability is as described.

Just so you know, tptacek signed this letter. I did as well.

Calling it a backdoor was outright dishonest. I've written backdoors. I even won a cryptography backdoor contest at DEFCON with one of my designs.

https://underhandedcrypto.com/2015/08/08/crypto-privacy-vill...

https://paragonie.com/blog/2016/01/on-design-and-implementat...

If it's to be said that there is a vulnerability, then it is simply, "If there are any messages that haven't been delivered yet, and the recipient changes keys, the client will re-encrypt to the new public key before alerting."

Okay, a lot of security experts wouldn't make that trade-off, especially if they were trying to compete with Signal. But WhatsApp isn't a Signal competitor. The alternative means of contacting someone you'd normally use WhatsApp for is SMS, because that's what people are using today.

Most WhatsApp users aren't interested in encryption. It just works for them. They may still need it, but they don't care about it.

Even if you could exploit this, you get:

  - Any undelivered messages (if any)
  - No past messages
  - No stealth either; the user does get alerted
So, yes, we do dispute the vulnerability is as described, especially when it was called a backdoor.
3 comments
lmm 3440 days ago
It's a vulnerability. The article says only that it "could be used by government agencies as a backdoor", which is true of almost any vulnerability. If a vulnerability exists in a given cryptosystem then to a large extent it doesn't matter whether it's there by accident or design. At least, that's been the security community's line for decades prior to this particular incident.
link
Dan_JiuJitsu 3440 days ago
I stand by my assertion that the vulnerability exists exactly as described. You have said nothing that disputes that. If I understand you correctly, you take issue specifically with the characterization of the vulnerability as a 'backdoor', which suggests intent. I don't know the dev's intent, so I'm unable to speak to the validity of that characterization in that context. That said, the Guardian corrected the story in this regard, and the text now reads 'vulnerability', which I think we all can agree on.

WhatsApp is not a secure communications platform. Claiming otherwise is disingenuous.

link
Dan_JiuJitsu 3440 days ago
- No stealth either; the user does get alerted

IF the user opts in, they have the option of being notified. Most users do not know this option exists or care to enable it, so I'm not sure the above is strictly true.

link