[rvnx]

The problem is not technical, FB could write anything, the security of the system is as weak as its weakest link.

The problem here is way way behind the computer.

https://xkcd.com/538/

The weakest link here, is that Facebook has to respect US laws.

They don't have a choice there.

So, if US law permits or requests in some way interception of communications, or that operators have to report certain activities, then your right to secrecy is done.

Of course, a random user won't have its dog food or gardening communications intercepted, but once you trigger certain patterns, welcome to the new "user trials / feature flags / beta".

Not saying it specifically for WhatsApp, it's valid for any US-based app

-> and broadly any app where the founders may eventually be arrested by the US (as the US has a lot of extra-jurisdiction power).

(think about it, how easy it would be to decrypt Mega.nz file, for example in a real-life scenario. One push of code on one URL to send back the part about the # sign, and done, or to activate new trials in Google Chrome, or to push a Play Store update to single users, etc...).

I'd be really surprised that Zuck takes responsibility and ends up in jail because he refuses to execute a legal request regarding imminent terrorism attack (risking penal risk and being charged as helping the criminals, well, there's a plus; that's more time to spend in the Metaverse).

The most likely scenario, is that the US-gov is very powerful and capable to enforce laws in their own country and that you have to respect the laws if you want you company to continue.

Same with China.

[russell_h]

You're describing exactly the problem that key transparency helps to solve.

With this rolled out, the WhatsApp app itself will be able to detect, by default without any manual verification, if FB attempts to MITM the connection.

While this doesn't make it technically impossible for Facebook to modify the app and servers, it does make it organizationally almost impossible to do so secretly. Such a move would require the involvement of numerous individuals across multiple teams and would be noticeable to security researchers through changes to the app.

This approach is taking off in a bunch of similar problem spaces (web PKI, code signing, etc), so very exciting to see it applied here.

Randomly, and somewhat weirdly, Facebook actually offered one of the first Certificate Transparency monitoring tools, which made it possible to monitor all certificates issued for your domain using a very similar approach: https://www.facebook.com/notes/3497286220327506/

[rvnx]

Not really ?

I don't see what prevents the app from pushing a decoded copy of the conversation ?

Even a variant of Skype was caught doing such (we only know about it because they left the server which had the raw logs completely open).

And still, Skype is very secure/encrypted/blablabla; which is true, but within the borders of local regulations.

https://web.archive.org/web/20090210230204/http://www.inform...

The end comment/advice from the US part is even a bit funny: "travelers should assume that all communications are monitored."

[russell_h]

You're making my point: some Chinese Skype variant did this, back in 2009, and got caught.

There's just no way, in real life, for Facebook to add what you're describing to one of the most prominent messaging apps in the world without somebody noticing.

I'm not here to tell you that your WhatsApp messages are perfectly secure. If the CIA wants to read your messages they'll probably just hit you with the wrench instead of some FB exec. But I do think that transparency logs are deeply under-appreciated for their ability to make undetected mass-surveillance dramatically more challenging.

[mschuster91]

> There's just no way, in real life, for Facebook to add what you're describing to one of the most prominent messaging apps in the world without somebody noticing.

That assumes somebody is digging through each update and the thousands of classes. FFS the OG Facebook app was already blowing past the limits of Android in 2013 [1], and the current Whatsapp app isn't much better - just look at the current APK file:

    2023-04-12 11:38:58 .....      2578508      1171345  classes.dex
    2023-04-12 11:39:04 .....     13312588      6020223  classes2.dex
    2023-04-12 11:39:08 .....      7671448      3310145  classes3.dex
    2023-04-12 11:39:08 .....      2118352       945166  classes4.dex

25MB of already compressed Dalvik code, probably double that if you restore it to Java class files and triple to quadruple that in Java source files. It's impossible to audit that there is no routine pushing keys to, say, the usual analytics backend they use - and to make it worse, according to APKMirror, they push updates every few days [2].

Although my biggest question is... it's a fucking messenger app. Why does it produce a larger binary content than a full-blown Linux kernel?!

[1] https://engineering.fb.com/2013/03/04/android/under-the-hood...

[2] https://www.apkmirror.com/uploads/?appcategory=whatsapp

[qtzfz]

>Although my biggest question is... it's a fucking messenger app. Why does it produce a larger binary content than a full-blown Linux kernel?!

Because it does so much more than messaging. Also, UI code is generally very verbose.

[trifurcate]

Also, conversely, the kernel doesn't do that much. Most of the Linux kernel source consists of device drivers, which compile to modules rather than get bundled into vmlinuz. Many of these modules are also rarely built if ever. The kernel itself really is a pretty small fraction of the complete software bundle that makes a Linux system functional.

[mschuster91]

I know. But still, that amount of compiled code is insane.

[buran77]

> There's just no way, in real life, for Facebook to add what you're describing to one of the most prominent messaging apps in the world without somebody noticing

Your point moved from "key transparency is the defense" to "someone will notice". But if your defense is the hope of "someone noticing" you're in for a big surprise. Sometimes things go unnoticed. Look no further than OpenSSL, open source, used by billions, deployed by companies worth as much as small countries, and yet nobody noticed Heartbleed for years.

So I'll be very cynical that some development flag targeting a handful of people in an app like WhatsApp and then is removed will be so noticeable that it's a strong defense.

[palata]

I think you are trying to say "it's never 100% secure", and the parent agrees with you. The parent is just saying "this is making it more secure (but not 100% secure)".

[crote]

The trick is to push a modified version only to the few clients you want to attack. Use it sparingly and you won't get caught.

[palata]

Or just hack the phone of those few clients with another attack vector. Doesn't mean that security is entirely useless. It depends on the threat model.

[rvnx]

and most of all, do not forget the logfiles on an open server (it was their mistake, otherwise it would have been fine I think)

[btown]

There are also tons of ways to exfiltrate data through known channels in ways that are difficult for security researchers to distinguish from otherwise secure app analytics code.

A crash/exception logging system, say, might appear to researchers to anonymize data, but it would be very possible for code to be written that happens to raise a mundane exception when specific users or geofences see specific words on screen, in a way where that list of users/geofences/words could be controlled by non-technical teams. The log message itself doesn't even need to carry sensitive data; its existence alone, when the trigger conditions are known, can be used to carry out a highly targeted attack.

Even open-source systems can be vulnerable to this: see e.g. https://github.com/signalapp/Signal-iOS/blob/eaed4da06347a3a... and consider the ways it might be possible for a small group of people at Signal to cause a specific set of messages to be seen as corrupt without raising any flags to the community auditing the code.

Of course, lack of visibility into runtime errors can lead to vulnerabilities as well. I don't think the solution is for us as a community to advocate for removing all error analytics in distributed systems. But we can't ever forget that: all analytics surfaces are attack surfaces.

[dheera]

Exactly, without Zuck opening the protocol and sanctioning the use of open-source clients it is not meaningful.

[rvnx]

Somehow I think this is still possible. The engineers behind WhatsApp seem to be very talented, and they may be able to convince Zuck that an open client would increase trust in Meta's brands, and increase usage (which can then be used to promote other Meta's products).

If they keep the server-side closed, it's totally fair I think.

[palata]

Or open source alternatives will pick up their work, and the WhatsApp engineers will probably be happy about it.

[kmac_]

This solves a real issue. Key transparency for SSL certificates introduced years ago by Google surfaced a lot of misissued certificates and fixed large hole in the whole system. Of course, this is for WhatsApp and the impact is smaller, but still. Congrats to Meta team.

[2Gkashmiri]

Because of my handle, I would appear to be biased but here is a popular Indian news article around WhatsApp.

https://scroll.in/article/1044425/how-a-cross-border-love-st...

The fact is, Indian govt has long been able to intercept WhatsApp and failing which they force group admins to get "registered"

https://thenextweb.com/news/kashmirs-police-want-people-to-r...

With local Intel suggesting malware being installed when admins to go the station for "registration". Remember, this was before all the state sponsored malware came into light a few years ago so we locally have known this for quite some time now.

[hangonhn]

> So, if US law permits or requests in some way interception of communications, or that operators have to report certain activities, then your right to secrecy is done.

Yep. FISA Section 702 allows that but supposedly only if you're not in the US and not an US citizen. Will an American get caught up the in the net? Maybe? Oh and it doesn't require a warrant. It's set to expire the end of this year but they've been known to renew it. https://www.eff.org/702-spying

[EGreg]

Actually, this is exactly what Pavel Durov (Mark Zuckerberg’s counterpart and founder of the Russian Facebook vkontakte) did when Russian authorities asked him to reveal who helped organize the Maidan protests in 2013/2014

https://globalvoices.org/2014/02/22/pro-maidan-video-goes-vi...

https://www.documentcloud.org/documents/1146789-durov1

(Besides these guys I mean: https://www.ndi.org/eurasia/ukraine)

And he just posted the middle finger on his site.

Pretty soon he started receiving the standard “tax evader” treatment (i.e. offices being ransacked, veiled personal threats etc.), his shareholders pushed him out and he and his brother fled the country and started Telegram.

Pavel is a true libertarian who’s stood for his beliefs against his own government, and lost control of his company as a result. Unlike Moxie Marlinspike (founder of WhatsApp and also Signal) who claims he is an “anarchist”, Pavel walked the walk.

When he started Telegram, he pissed off his US investor who got heat for Telegram being used by ISIS to communicate. The investors were pissed off that they never made a profit on Telegram and was mentally associated with helping ISIS. Although Pavel eventually did take action: https://www.wsj.com/articles/telegram-app-tackles-islamic-st...

Pavel also claims his team was approached by the CIA multiple times and they successfully resisted it. Telegram offices are nowhere to be found in Dubai: https://m.youtube.com/watch?v=Pg8mWJUM7x4

That is how you run a free speech absolutist social network that governments all want to control. Telegram is probably the most secure and trusted centralized social network (with Signal a distant second).

But that is insane. We don’t have to trust Pavel or Moxie to be our “last line of defense.” Why do we rely on giant, centralized corporations to host all our private conversations?

This was my response to Moxie’s critique of Web3 and decentralization:

https://community.intercoin.app/t/web3-moxie-signal-telegram...

[sgjohnson]

So why the fuck Telegram is not e2e encrypted by default, and why are group chats not e2e encrypted?

Not to mention that even when chats are e2e encrypted, they are encrypted using their proprietary algorithm?

[upofadown]

As mentioned in the linked article, E2EE group chats are more or less impractical due to the identity verification problem. This initiative is intended to help with that. I will also point out that large group chats are impractical due to the simple fact that not everyone will know everyone else. So someone can just leak the messages.

The Telegram method of dealing with this is obviously not the only way, but it is a legitimate way.

>Not to mention that even when chats are e2e encrypted, they are encrypted using their proprietary algorithm?

The algorithm is public. It is a straightforward application of well known primitives. It is hardly proprietary.

[robryk]

> The algorithm is public. It is a straightforward application of well known primitives. It is hardly proprietary.

Note that its predecessor, was very much not that (e.g. https://words.filippo.io/dispatches/telegram-ecdh/ was a vulnerability in it, and it stuck to some weird choices of crypto primitives/key sizes for a pretty long time). This colors my expectations about the current version slightly.

I personally know nothing about the current protocol used (mtproto 2.0) and a few minutes of googling surfaced https://eprint.iacr.org/2022/595.pdf, https://eprint.iacr.org/2023/469 and https://arxiv.org/abs/2012.03141, which I'd need to read in reasonable amount of detail to have an opinion on mtproto 2.0.

[EGreg]

That’s like Mehdi Hassan nitpicking small factual inaccuracies in the Twitter filea last week and ignoring the main discussion with Matt Taibbi about government censorship around the world.

Look, if people want to encrypt their chats on Telegram, they start a secret chat. That’s how it should be. Why should it be the default? Because you think people are idiots?

If I make a secret chat on Telegram, I trust it more than a default chat on Signal. Both are good, but one company is much harder to pressure than another.

And this is all a moot point - like arguing which homeless person is richer. If you want real privacy and control — simply communicate without using the infrastructure and software provided by centralized corporations!

[robryk]

> Look, if people want to encrypt their chats on Telegram, they start a secret chat. That’s how it should be. Why should it be the default? Because you think people are idiots?

Because everyone is an idiot once in a while (just after waking up, when drunk, when stressed, when sick, ...). Also, because the very presence of a secret chat is something that can be observed and can be enough to raise suspicion.

[EGreg]

I know this is a bit of a cop-out but even writing in a non-secret chat and having Telegram know, then totally deleting a message on Telegram with no visual trace to the counterpart, is less worrying for me than doing the same on the “e2e encrypted” WhatsApp which shows “Message deleted” and if I failed to do it, prevents me from deleting the message after a while. Telegram lets me delete everyone’s messages and even the entire chat anytime. That shows where their head is at.

That said, you are right that not-on-by-default-for-everyone makes the encrypted chats more suspicious.

I have to say that I have a nuanced view on encryption, which isn’t matching the orthodoxy on HN:

https://community.qbix.com/t/balancing-privacy-and-accountab...

[robryk]

If I understand your proposed world correctly (I understand it as morally equivalent to the escrow of ~all keys with k-of-n split across some well-chosen entities/people), I expect a person holding that view to support encryption-by-default even more strongly, because in a world that looks that way (and that way actually works as described) there is no apparent downside to that. I'm curious whether you disagree with any part of this.

OT: Do you have anything more concrete written on the choice of holders of escrow shares (so that they can be trusted to actually follow the audit rules)?