Hacker News new | ask | show | jobs
by 7a1c9427 1903 days ago
> I will take this moment also to mention that "re-implement" isn't exactly right in that they modified the protocol slightly to allow for someone in control of the administration server to change a user's private key without their knowing, so that the admin can decrypt the E2E communications using the known key.

Do you have a source for that claim?
2 comments
lxgr 1902 days ago
GP is probably referring to this:

https://boelter.blog/2016/04/whats-app-retransmission-vulner...

link
7a1c9427 1902 days ago
I think that is a very charitable assumption about the GP claim. The linked article describes a very specific implementation vulnerability around handling of offline messages that would appear to be routed in user experience being ranked higher than operational security by WhatsApp (understandably). In this case it also does notify the user once they are online, and the original phone is logged out alerting the compromised user.

The GP claim is far broader that all E2E communication can be compromised without user awareness permitting ongoing communication between two unaware parties to be monitored.

link
uoaei 1902 days ago
> I think that is a very charitable assumption about the GP claim. The linked article describes a very specific implementation vulnerability around handling of offline messages that would appear to be routed in user experience being ranked higher than operational security by WhatsApp (understandably).

Both points (security vulnerability and user experience prioritization) can be true simultaneously. This is the root of all plausible deniability when it comes to installing vulnerabilities in technologies.

I don't see why we should care at all about WhatsApp's intentions with the change when the effects are so pernicious. Facebook et al. definitely do not deserve the benefit of our doubt anymore.

link
7a1c9427 1902 days ago
This is true. But I would suggest your operational security has bigger issues than this potential vulnerability if you are using WhatsApp.

Regardless - you still haven't given a source for you original claim. "not deserving benefit of the doubt" does not qualify. If the linked article is in fact you source then in the future please do not exaggerate such claims as you have done. I would have expected a claim from the article to read (along with a link to the source!):

> WhatsApp have modified the protocol slightly auspiciously for user experience but this allows a third party attacker to intercept messages sent offline only alerting the sender after they have been disclosed.

link
secfirstmd 1903 days ago
Yeh that's a big claim. Love to know source
link
EGreg 1903 days ago
I would also like to mention that information is encrypted and cannot be proven.
link