Top Security Researchers Ask The Guardian To Retract Its WhatsApp Backdoor Report (technosociology.org)

Posted by msmash from the no-mercy dept.
Earlier this month The Guardian reported what it called a "backdoor" in WhatsApp, a Facebook-owned instant messaging app. Some security researchers were quick to call out The Guardian for what they concluded was irresponsible journalism and a misleading story. Now, a group of over three dozen security researchers including Matthew Green and Bruce Schneier (as well as some from companies such as Google, Mozilla, Cloudflare, and EFF) have signed a long editorial post, pointing out where The Guardian's report fell short, and also asking the publication to retract the story. From the story: The WhatsApp behavior described is not a backdoor, but a defensible user-interface trade-off. A debate on this trade-off is fine, but calling this a "loophole" or a "backdoor" is not productive or accurate. The threat is remote, quite limited in scope, applicability (requiring a server or phone number compromise) and stealthiness (users who have the setting enabled still see a warning, even if after the fact). The fact that warnings exist means that such attacks would almost certainly be quickly detected by security-aware users. This limits this method. Telling people to switch away from WhatsApp is very concretely endangering people. Signal is not an option for many people. These concerns are concrete, and my alarm is from observing what's actually been happening since the publication of this story and years of experience in these areas. You never should have reported on such a crucial issue without interviewing a wide range of experts. The vaccine metaphor is apt: you effectively ran a "vaccines can kill you" story without interviewing doctors, and your defense seems to be, "but vaccines do kill people [through extremely rare side effects]."

  • Link to actual letter (Score:2, Insightful)

    by Anonymous Coward

    http://technosociology.org/?page_id=1687

    Rather than recursive links to other slashdot articles on the subject

  • Retracting the Truth (Score:1)

    by Anonymous Coward

    Why the heck would they retract the truth?
    If your threat model includes government spying, WhatsApp is not secure since the government can force WhatsApp to reissue your key and then scoop up the resulting messages.
    The editorial spin on this story from slashdot is very disappointing.

    • Re: (Score:2)

      by ledow ( 319597 )

      If WhatsApp want to sniff your messages, they can. They update the app to just not encrypt.

      If government forces them to do that, they can.

      In and of itself, that's an entirely different threat model.

      What this says is not "WhatsApp is 100% secure to use" (because security experts are not stupid enough to ever say that).

      They are saying "This compromise that you claim lets anyone open your encrypted messages? Yeah, it's rubbish unless you literally take over WhatsApp servers."

      There is no service in the world

      • The point of the "compromise" is not to let "anyone" open your encrypted messages, it is exactly for letting WhatsApp (the people that already control their servers) open your encrypted messages.

        And while this design flaw is being touted as a convenience feature, there's no telling what other flaws can be used along with this one for additional exploitation.

        And warning the user of a possible compromise AFTER the message has been sent? Yea that's real good security right there.

    • Why the heck would they retract the truth? If your threat model includes government spying, WhatsApp is not secure since the government can force WhatsApp to reissue your key and then scoop up the resulting messages. The editorial spin on this story from slashdot is very disappointing.

      There is no back door. The security issue that stemmed all of this is that whatsapp will deliver messages that were sent while a user moves from one device to another. So, if I send it to you while your phone is busted and you reinstall on a new phone, you get the messages. The recipient key changes, and the sender is notified of this.

      The security angle is that with SMS verification you could intentionally intercept someone else's messages. Well, message (singular) because as stated, it notifies the sende

      • Re: (Score:3)

        by arth1 ( 260657 )

        There is no back door. The security issue that stemmed all of this is that whatsapp will deliver messages that were sent while a user moves from one device to another. So, if I send it to you while your phone is busted and you reinstall on a new phone, you get the messages. The recipient key changes, and the sender is notified of this.

        The problem, if I understand this correctly, is that the sender is notified after the message has been re-encrypted and sent to the recipient.
        If it alerted and required an accept before the message was sent to the new key, I don't think anyone would have a problem with it.

        • The problem, if I understand this correctly, is that the sender is notified after the message has been re-encrypted and sent to the recipient. If it alerted and required an accept before the message was sent to the new key, I don't think anyone would have a problem with it.

          But it is not a back door. It's a very limited channel to obtaining a few messages that requires you to have some way of verifying the account (SMS interception). If you are going to build a back door to something, this is about the worst way possible.

          • Re: (Score:3)

            by arth1 ( 260657 )

            I think back door is a completely wrong description, but I still think it is a security concern.
            If a notification that the recipient key has changed only occurs after delivering the message anyhow, it kind of defeats having key verification in the first place.

            It's like if your bank re-routes your money transfer to a different recipient account than what you initially specified, and notifies you after the fact, instead of asking you if it's okay before doing so.
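A toy model of the two delivery policies arth1 and the reply above are comparing, added here as an illustration and not code from WhatsApp, Signal or the letter's authors; the key bytes, the XOR keystream and the Sender class are all constructed for the example:

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(key: bytes) -> str:
    """Short key identifier, like the security code a client shows for verification."""
    return hashlib.sha256(key).hexdigest()[:16]

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256-derived keystream: an illustrative stand-in, not Signal's ratchet."""
    stream = hashlib.sha256(b"keystream:" + key).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))

@dataclass
class Sender:
    peer_key: bytes          # last key seen for the recipient (trust on first use)
    block_on_change: bool    # True: hold and ask first; False: re-encrypt, deliver, warn afterwards
    warnings: list = field(default_factory=list)
    outbox: list = field(default_factory=list)  # (key fingerprint, ciphertext) handed to the server
    held: list = field(default_factory=list)    # plaintexts waiting for the user's decision

    def send(self, plaintext: bytes, advertised_key: bytes) -> str:
        """advertised_key is whatever the server currently claims the recipient's key is."""
        if advertised_key != self.peer_key:
            self.warnings.append(
                f"key changed {fingerprint(self.peer_key)} -> {fingerprint(advertised_key)}")
            if self.block_on_change:
                self.held.append(plaintext)
                return "held"
            self.peer_key = advertised_key  # auto-trust the new key: the behaviour the letter defends
        self.outbox.append((fingerprint(self.peer_key), toy_encrypt(self.peer_key, plaintext)))
        return "delivered"

    def accept_new_key(self, new_key: bytes) -> int:
        """The user verified the new key out of band; release whatever was held."""
        self.peer_key = new_key
        released = [self.send(p, new_key) for p in self.held]
        self.held.clear()
        return len(released)

def scenario(block_on_change: bool):
    """Recipient key changes between compose and delivery (new phone, or a number compromise)."""
    old_key, new_key = b"constructed-old-key", b"constructed-new-key"  # constructed sample keys
    s = Sender(peer_key=old_key, block_on_change=block_on_change)
    status = s.send(b"meet at the usual place", new_key)
    return status, len(s.warnings), [fp for fp, _ in s.outbox], s
```

With the auto-trust policy the ciphertext is already on the server, readable by whoever holds the new key, when the warning appears; with the blocking policy nothing leaves the device until the user accepts the key.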

  • Remember (Score:5, Insightful)

    by GeekWithAKnife ( 2717871 ) on Friday January 20, 2017 @11:17AM (#53703661)

    WhatsApp is big money...and combined with the fact it's hard to prove that a vulnerability was intentional and thus a "back door" it's hard for Joe Average to tell who's right.

    Don't worry about this stuff. Just keep using WhatsApp. It's just as secure as everything else, honest.

    Telling people not to use WhatsApp is apparently "endangering people"...as it is a "crucial issue".

    Summary: do not use Signal, ChatSecure, OTR or Telegram. Use WhatsApp, it's clearly safer #because_danger (??).


    Personally I never thought WhatsApp was secure even after this (maybe backdoor-ed) end to end encryption. Consider how many people use WhatsApp? It's the number one target IM. If it ever was secure it won't be so tomorrow.

    • Why would I use Telegram if I were concerned about security? It has a closed-source, roll your own crypto system. WhatsApp and Signal use OpenWhisper.

      Anyway, WhatsApp might have security vulnerabilities or backdoors but the reported "backdoor" isn't a backdoor. It's a design choice, and there is an option for security-conscious people to see when a new crypto key is generated.

  • Why? "Signal not an option for many people"... (Score:4, Interesting)

    by yayoubetcha ( 893774 ) on Friday January 20, 2017 @11:17AM (#53703663)

    Why is "signal" not an option?

    • I guess because it is .001% harder to use...

      I was going to say "because it isn't integrated into your FB contacts" but that might not be true... depending on how you sync your contacts.

    • Read the article. The people they are concerned about are journalists and activists in repressive countries who use WhatsApp because it provides encrypted messaging. If they switch to Signal, which almost no one uses, just being observed using it may be enough cause for the government to pick them up. If they are able to use WhatsApp, however, they are hiding among the millions of other people that use it for no special reason other than it is a good messaging app.

    • Re: (Score:2)

      by sl3xd ( 111641 )

      The story may be different if Signal was a federated protocol with entirely decentralized servers (like email).

      However, it's not, and there's a single point of failure that can be blocked.

      WhatsApp became popular and widespread before many repressive governments realized what it could do, so they can't block it without widespread outcry.

      Not so with Signal, which is blocked, and therefore not an option.

      • The point is that if WhatsApp is not blocked and Signal is, using WhatsApp is better than other options. You say yourself that the single block-able route is not the difference, it's that one is blocked and the other isn't. As for the article, I would say that if someone's life or freedom depends on whether WhatsApp is secure -- they better well understand how this vulnerability applies to them based on their specific usage pattern, not based on some generalization from a newspaper article.

    • What's the point of being on an Instant Message service if none of the people you actually want to message are on it?

  • In these days of 24 hour news cycles and online publication, journalists and editors don't have time to do basic things like fact check with experts or even spell/grammar check. With no print deadlines they can throw up anything online at any time and easily edit it later, and preferably give it a nice clickbait title. It's the race to be first that journalism has always had but taken to an extreme combined with the fact that many journalists don't have the background or interest in the field the topic th

    • I agree with your assessment but would suggest you remove the words, "journalists."

      There aren't any.

      That shit died when advertisers, CEOs and shareholders grabbed "news" by the fucking balls.

  • "Telling people to switch away from WhatsApp is very concretely endangering people." -- err, what?!? How in the world is that "concretely endangering people?!?"

  • ... including the comment section, is like using a fucking elephant gun to kill a piss ant.
