[merlincorey]

Apparently some researchers from the GCHQ in the UK are proposing that "secure" messaging systems like iMessage and WhatsApp which manage group chats centrally in a manner that bypasses the end to end encryption should:

- Add "ghost" users/devices to existing chats

- Suppress notifications of these additions to users

This would perpetuate a currently known bug in secure communication protocols, effectively turning it into "feature" for law enforcement.

Fortunately, systems like Signal and Briar have already moved past this flaw.

[goblin89]

Keybase Teams—also featuring e2e-encrypted group chat—appears to be proof against the ghost-user-based attack.

It would be interesting to compare its implementation to how Signal does group messaging in TextSecure v2.

[0] https://keybase.io/blog/introducing-keybase-teams#anyway-tea...

[maxtaco]

Thanks for the mention! We designed Keybase with these exact attacks in mind.

[zzo38computer]

What is need is open protocols. Users can write their own implementation if they do not want to use the existing ones. WhatsApp uses XMPP according to Wikipedia, so you could implement your own according to XMPP, I suppose. You might also just use your own programs and protocols. If the messages are encrypted with the recipient's key then nobody else can know what is the message, but only that there is a message. So, you can implement encryption on client the server does not need to know about it.

[EGreg]

What does that mean, “manage centrally in a manner”... and how does Signal not manage it centrally?

[vonseel]

Signal groups are managed by the client devices. The details are quite complicated, but some are documented here: https://signal.org/blog/private-groups/

Perhaps another user with stronger familiarity on the subject can expand on this (ELI5 would be great!).

[zzzcpan]

Signal client is centrally managed and can be updated for every user. And it's quite ridiculous claim that Signal can't implement a backdoor in the client because of some arbitrary design choice.

[gepoch]

Yeah security is not really "proveable" in any software system.

However, a few points to consider:

1. The signal server can't "see" the group. Clients are just sending N messages to everyone in the group with some encrypted metadata that says it's a group message.

2. The client app is open source. You can go look for a ghost user or backdoor mechanism yourself.

3. The build is reproduceable. You can build it yourself and sideload your own APK, or compare it to the APK coming from the play store.

I don't think it's impossible to put a backdoor in, but I think it at least makes vigilance a good defense. Smart serious people are paying attention.

[bigiain]

Moxie and Whispersystems have got some interesting thinking around using Intel's SGX:

"Modern Intel chips support a feature called Software Guard Extensions (SGX). SGX allows applications to provision a “secure enclave” that is isolated from the host operating system and kernel, similar to technologies like ARM’s TrustZone. SGX enclaves also support a feature called remote attestation. Remote attestation provides a cryptographic guarantee of the code that is running in a remote enclave over a network.

Originally designed for DRM applications, most SGX examples imagine an SGX enclave running on a client. This would allow a server to stream media content to a client enclave with the assurance that the client software requesting the media is the “authentic” software that will play the media only once, instead of custom software that reverse engineered the network API call and will publish the media as a torrent instead.

However, we can invert the traditional SGX relationship to run a secure enclave on the server. An SGX enclave on the server-side would enable a service to perform computations on encrypted client data without learning the content of the data or the result of the computation."

https://signal.org/blog/private-contact-discovery/#trust-but...

I don't know if they've got that in production yet - and I don't know just how strong the "cryptographic guarantee" of the secure enclave code is, but the fact that they're trying it fills me with joy...

[joecool1029]

Yeah... about that: https://www.eteknix.com/intel-sgx-speculative-exploit/

[maxerickson]

Binaries are not opaque gibberish, it is possible to analyze them.

And of course for major apps, there are people doing so.

[hinata]

Are these analysis efforts publically viewable?

[xorcist]

> The build is reproduceable. You can build it yourself and sideload your own APK, or compare it to the APK

Have you tried this? Most people seems content that there is some source available and trust the binary. That may not be an option for everyone.

[Arnt]

I have tried it.

There's a non-zero number of people around the world who check the builds. Your security rests on the difficulty of feeding you a subverted APK without feeding any of them the same APK.

[pariahHN]

Yes but they would have to alter the clients code - this would be reflected in the source and comparing hashes of the binary (as Signal would have to keep that code change out of the public repo). So yes, the design of the system quite effectively prevents a client side backdoor from going unnoticed.

Edit: also, this is a deliberate design choice not an arbitrary one.

[EGreg]

Interesting. Compare https://safenetworkprimer.com/ by the way

[Tsubasachan]

Signal is great and all but does it scale? If half a billion people sign up tomorrow can they cope? How deep are their coffers?

[tivert]

> Signal is great and all but does it scale? If half a billion people sign up tomorrow can they cope? How deep are their coffers?

At least $50 million, courtesy of a WhatsApp founder: https://www.wired.com/story/signal-foundation-whatsapp-brian...