Hacker News new | ask | show | jobs
by kccqzy 617 days ago
I personally am not very interested in this research. WeChat is well known not to use end-to-end encryption. Considering that the app is unlikely to adopt end-to-end encryption (likely due to censorship being a business requirement, which was mentioned in the article and previously uncovered by this lab), I don't really feel like I care a whole lot between good non-end-to-end encryption and bad non-end-to-end encryption. Parties that are interested in subverting this kind of encryption, such as governments, likely already collaborate Tencent to get decrypted messages from the source.
1 comments
palata 617 days ago
> I don't really feel like I care a whole lot between good non-end-to-end encryption and bad non-end-to-end encryption.

That's the difference between "you have to trust WeChat" and "anyone can read your chats". Of course you may not personally be interested because you don't personally use WeChat, but for the billion active users who do, I think it should matter.

link
kccqzy 617 days ago
Where did you see that "anyone can read your chats" in this article? Indeed near the beginning of the article in the fourth bullet point the author states "we were unable to develop an attack to completely defeat WeChat’s encryption" right there. The only parties who are interested in expending more effort to break this kind of encryption are just governments, who can simply force Tencent to give up plaintext records.
link
datadeft 617 days ago
Yep. Btw the threat model for me is this:

- against random 3rd party, even WeChat is ok

- against random black hats, most of chat software is ok, maybe even WeChat

- against gov agencies, nothing is going to protect you

When I am in China, i happily use WeChat including the gazillion of services available through it. Buying metro pass, ordering food, getting a battery pack and so on.

Btw no country could replicate this outside of China, which is an interesting phenomenon. We have endless ads including actual scams and malware distributed by Google Ads yet I cannot buy train tickets in the EU through a single app and order food as well, let alone getting a cab. It would be great though.

link
xvilka 616 days ago
Grab in SEA region could be said as one more example of such a "super app" too.
link
kadoban 617 days ago
> I don't really feel like I care a whole lot between good non-end-to-end encryption and bad non-end-to-end encryption

Bad non-end-to-end encryption is exactly that: "anyone can read your chats". That's not what the research found, it's just the implication of your original statement.

link
est 617 days ago
Please realize, in China, you can't trust your "end" either. It's always infested with spyware with local root access.
link
kccqzy 617 days ago
Okay I shouldn't have used the word "bad" here. I should have used "flawed but not detrimental" just like what's described in the article.
link
palata 617 days ago
> Where did you see that "anyone can read your chats" in this article?

I didn't. I answered to what you wrote, which I quoted. But I can quote it again:

> I don't really feel like I care a whole lot between good non-end-to-end encryption and bad non-end-to-end encryption.

link