[messaging] Second thoughts on WhatsApp encryption

Nadim Kobeissi nadim at nadim.computer
Fri Nov 21 07:06:46 PST 2014

On Fri, Nov 21, 2014 at 9:54 AM, Joseph Bonneau <jbonneau at gmail.com> wrote:

> On Fri, Nov 21, 2014 at 9:13 AM, Nadim Kobeissi <nadim at nadim.computer>
> wrote:
>> To me this is kind of a deal-breaker. If WhatsApp's servers and
>> executives can decide to revoke my "encryption permit" at any time,
>> silently, server-side and without me knowing, what's the point, at all, of
>> having Axolotl in the first place? Are we hoping that WhatsApp will play
>> nice even when faced with a court order?
> Assuming this is implemented with care, it isn't really any less secure of
> a setup than relying on WhatsApp as a centralized key directory. If Alice
> trusts WhatsApp absolutely to learn the other Bob's key, then it doesn't
> really matter if WhatsApp tells Alice that Bob has no key or that Bob's key
> is something WhatsApp knows. If all your communication to WhatsApp is
> through a TLS tunnel then in either case WhatsApp can read your messages
> and other network observers can't. Either solution for key verification
> (fingerprint checking or some sort of transparency log) should also be able
> to detect this type of attack by WhatsApp.

You can actually get around the need to trust WhatsApp as a centralized key
directory (by implementing a simple form of key authentication (QR codes,
fingerprints, etc.)), but that wouldn't solve the problem. The issue here
is that even if key authentication is implemented, WhatsApp servers still
retain the capacity to selectively disable encryption on a case by case

I get that the argument from the beginning has been for opportunistic
encryption, and I think opportunistic encryption is definitely the
reasonable way to proceed. But how much of an "opportunity" is there when
the server silently and always gets the final say?

> There are two ways this could be less secure if implemented poorly:
> 1) If WhatsApp *isn't* wrapping everything with TLS, then I suppose it's
> slightly worse if they put you into no-encryption mode since you're
> vulnerable to the whole network now. AFAIK for any clients recent enough to
> support E2E encryption everything runs over TLS.
> 2) If there is some sort of version rollback attack where a network
> attacker can make the connection fail and convince the clients to try
> communicating without the E2E encryption, this would be bad. TLS should fix
> this problem.
> The only real worry I have about this is that it introduces the
> possibility of whole countries with repressive governments (or whole
> classes of devices sold there) having WhatsApp shipping with encryption
> turned off permanently in the name of "performance" or compliance. These
> countries could always block WhatsApp completely, but this might be very
> unpopular if millions of people can't talk to their friends on WhatsApp in
> other places. You'd like to force countries to either block WhatsApp
> completely and risk popular anger, or allow WhatsApp with E2E included.
> Techies and activists will know if they take the middle route of allowing
> WhatsApp but banning E2E encryption and can protest about it, but I worry
> that's much less likely to cause an uproar.