<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Fri, Nov 21, 2014 at 9:54 AM, Joseph Bonneau <span dir="ltr"><<a href="mailto:jbonneau@gmail.com" target="_blank">jbonneau@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote"><span>On Fri, Nov 21, 2014 at 9:13 AM, Nadim Kobeissi <span dir="ltr"><<a href="mailto:nadim@nadim.computer" target="_blank">nadim@nadim.computer</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div>To me this is kind of a deal-breaker. If WhatsApp's servers and executives can decide to revoke my "encryption permit" at any time, silently, server-side and without me knowing, what's the point, at all, of having Axolotl in the first place? Are we hoping that WhatsApp will play nice even when faced with a court order?</div></div></blockquote><div><br></div></span><div>Assuming this is implemented with care, it isn't really any less secure of a setup than relying on WhatsApp as a centralized key directory. If Alice trusts WhatsApp absolutely to learn the other Bob's key, then it doesn't really matter if WhatsApp tells Alice the Bob has no key or that Bob's key is something What'sApp knows. If all your communication to WhatsApp is through a TLS tunnel then in either case WhatsApp can read your messages and other network observers can't. Either solution for key verification (fingerprint checking or some sort of transparency log) should also be able to detect this type of attack by WhatsApp.</div></div></div></div></blockquote><div><br></div><div>You can actually get around the need to trust WhatsApp as a centralized key directory (by implementing a simple form of key authentication (QR codes, fingerprints, etc.)), but that wouldn't solve the problem. The issue here is that even if key authentication is implemented, WhatsApp servers still retain the capacity to selectively disable encryption on a case by case basis.</div><div><br></div><div>I get that the argument from the beginning has been for opportunistic encryption, and I think opportunistic encryption is definitely the reasonable way to proceed. But how much of an "opportunity" is there when the server silently and always gets the final say?</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div><br></div><div>There are two ways this could be less secure if implemented poorly:</div><div><br></div><div>1) If WhatsApp *isn't* wrapping everything with TLS, then I suppose it's slightly worse if they put you into no-encryption mode since you're vulnerable to the whole network now. AFAIK for any clients recent enough to support E2E encryption everything runs over TLS.</div><div><br></div><div>2) If there is some sort of version rollback attack where a network attacker can make the connection fail and convince the clients to try communicating without the E2E encryption, this would be bad. TLS should fix this problem.</div><div><br></div><div>The only real worry I have about this is that it introduces the possibility of whole countries with repressive governments (or whole classes of devices sold there) have WhatsApp shipping with encryption turned off permanently in the name of "performance" or compliance. These countries could always block WhatsApp completely, but this might be very unpopular if millions of people can't talk to their friends on WhatsApp in other places. You'd like to force countries to either block WhatsApp completely and risk popular anger, or allow WhatsApp with E2E included. Techies and activists will know if they take the middle route of allowing WhatsApp but banning E2E encryption and can protest about it, but I worry that's less much likely to cause an uproar.</div><div><br></div><div><br></div></div></div></div>
</blockquote></div><br></div></div>