[ralusek]

I mean at the very least if their clients can read it then they can at least read it through their clients, right? And if their clients can read it’ll be because of some private key stored on the client device that they must be able to access, so they could always get that. And this is just assuming that they’ve been transparent about how it’s built, they could just have backdoors on their end.

[basch]

they can also just .. brute force passwords. the pin to encrypt fb messenger chat is 6 digits for example.

[farbklang]

but that is a pin and can be rate limited / denied, not a cryptograhpic key that can be used to brute force and compare hash generations (?)

[barbazoo]

They likely wouldn’t rate limit themselves, rate limiting only applies when you access through their cute little enter your pin UI.

[solenoid0937]

The PIN is used when you're too lazy to set an alphanumeric pin or offload the backup to Apple/Google. Now sure, this is most people, but such are the foibles of E2EE - getting E2EE "right" (eg supporting account recovery) requires people to memorize a complex password.

The PIN interface is also an HSM on the backend. The HSM performs the rate limiting. So they'd need a backdoor'd HSM.

[barbazoo]

That added some context I didn’t have yet thanks. I’m not seeing yet how Meta if it was a bad actor wouldn’t be able to brute force the pin of a particular user. Of this was a black box user terminal site, Meta owns the stack here though, seems plausible that you could inject yourself easily somewhere.

[solenoid0937]

If you choose an alphanumeric pin they can't brute force because of the sheer entropy (and because the key is derived from the alphanumeric PIN itself.)

However, most users can't be bothered to choose such a PIN. In this case they choose a 4 or 6 digit pin.

To mitigate the risk of brute force, the PIN is rate limited by an HSM. The HSM, if it works correctly, should delete the encryption key if too many attempts are used.

Now sure, Meta could insert itself between the client and HSM and MITM to extract the PIN.

But this isn't a Meta specific gap, it's the problem with any E2EE system that doesn't require users to memorize a master password.

I helped design E2EE systems for a big tech company and the unsatisfying answer is that there is no such thing as "user friendly" E2EE. The company can always modify the client, or insert themselves in the key discovery process, etc. There are solutions to this (decentralized app stores and open source protocols, public key servers) but none usable by the average person.

[basch]

That might be a different pin? Messenger requires a pin to be able to access encrypted chat.

Every time you sign in to the web interface or resign into the app you enter it. I don’t remember an option for an alphanumeric pin or to offload it to a third party.

[solenoid0937]

Oh my bad! I was talking about WhatsApp.

The Messenger PIN is rate limited by an HSM, you merely enter it through the web interface.

Of course, the HSM could be backdoored or the client could exfil the secret but the latter would be easy to discover.

Harder to do any better here without making the user memorize a master password, which tends to fail miserably in real life.