[daghamm]

WeChat is basically one of the tools the communist party uses to control the population. If something is on there it is most likely by design.

Off topic (or is it?): While back a western journalist in China reported that her wechat account was banned 10 minutes after changing her password to "fuckCCP"...

[tptacek]

The point being made in the preceding comment is that the threat model for WeChat already overtly includes its operators being able to puncture its confidentiality. It doesn't make a lot of operational sense to introduce complicated cryptographic backdoors (such as the IV construction, which the authors say could potentially introduce an AES-GCM key/IV brute forcing attack) when you control the keys for all the connections in the first place.

[throwaway48476]

Not only control keys, but control the software update mechanism (backdoor a la xz).

[randomNumber7]

And the argument is pretty weak. It doesnt cost them much to introduce cryptographic backdoors. Once they have done this they have even more control. It is then also less effort, because you don't have to deal with a company (like WeChat) directly to spy on their customers.

[tptacek]

Look at the weaknesses in this blog post; can you tell me which ones are suggestive of a broadly-useful backdoor that would be deployed to avoid having to deal directly with Tencent, which is already controlled by the CCP?

[homebrewer]

I had my account banned for absolutely no reason (I didn't even use it to talk to anyone and was simply learning the interface myself to explain it later to a friend who was traveling to China). You can't infer anything from that story. Their "security" automation is even more paranoid than Google's, that's probably all there's to it.

[olalonde]

The issue of accounts being banned after a password change is quite common, especially outside of China. This isn't related to the content of the new password.

Additionally, it's unlikely that the protocol has government-mandated vulnerabilities, as such weaknesses could potentially allow foreign governments to spy on WeChat users that are abroad. The Chinese government doesn't need such weaknesses, as they have access to the servers.

[Spooky23]

“The government” isn’t a single entity. Agents within the bureaucracy have to within rules and policies. And the front door access methods have things like audit trails to prevent internal abuse.

There are many scenarios where the existence of an official investigation as evidenced by said audit logs is undesirable for a variety of reasons.

[mschuster91]

> Agents within the bureaucracy have to within rules and policies. And the front door access methods have things like audit trails to prevent internal abuse.

In Western countries, yes - but even there, abuse and evasion of audit trails is quite common. The most infamous scandal here in Germany was around a cop station that more than not resembled a pig sty when it comes to procedures [1] - after the address of a lawyer representing the victims of the far-right NSU terror crew got leaked to another far-right terror cell, the audit trail led to a precinct in Frankfurt but went cold there as supposedly, the cops there all used a shared account of one of them. IMHO, every single one of these cops should have faced a year or two in jail for that stunt.

[1] https://taz.de/Ermittlungen-zu-NSU-20-eingestellt/!5989941/

[mmooss]

> If something is on there it is most likely by design.

It's a common mistake to overestimate the 'bad guy'. The Chinese government, like all other large human institutions, certainly does plenty of dumb stuff.

[shiroiushi]

Hanlon's Razor: never ascribe to malice that which can be adequately explained by incompetence or stupidity.

[lucw]

The server-side store a full plain text archive with government access is by design. the weak encryption is NOT by design. It's due to incompetent programmers.