[messaging] The downsides of no key verification

lists at tobi.rocks
Sun Jun 12 13:35:47 PDT 2016

Yeah, I blogged about this Apr 16: https://tobi.rocks/2016/04/whats-app-retransmission-vulnerability/. Signal is doing it right btw, giving the user the choice of retransmitting under the new public key or not. WhatsApp is "aware of the issue and might change it in the future, but for now it's not something [they]'re actively working on changing".

> On Jun 9, 2016, at 1:42 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> On Thu, Jun 9, 2016 at 10:40 PM, Nadim Kobeissi <nadim at nadim.computer> wrote:
>> I've also noticed this, but in my experience, Bob's phone will also show a notification that Alice's "security code has changed" right before re-transmitting the "lol" message. Does this notification appear for you?
> It mentions that the security code has changed, but it still
> retransmits the messages automatically, and clicking on the security
> code thinger a nice popup shows saying "the person you're talking to
> probably just got a new phone! keep calm, carry on."
>> this re-transmission should not be automatic.
> Yes, I believe this is the crux of the problem.
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging
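As an added illustration (my own model, not code from this thread, from Signal or from WhatsApp), here is a small Python sketch of the two behaviours the thread contrasts: an outbox that, when a contact's identity key changes while messages are still undelivered, either silently re-encrypts them to the new key or holds them until the user approves the new security code. The class and policy names are my own, and `fingerprint` is a stand-in for the apps' security code.

```python
"""Constructed model of a client's handling of a contact's key change with undelivered messages."""
from dataclasses import dataclass, field
from enum import Enum
import hashlib


class KeyChangePolicy(Enum):
    AUTO_RETRANSMIT = "auto"   # re-encrypt queued messages to the new key without asking
    ASK_USER = "ask"           # hold queued messages until the user approves the new key


def fingerprint(public_key: bytes) -> str:
    """Short 'security code' shown to the user, derived from the public key (stand-in)."""
    return hashlib.sha256(public_key).hexdigest()[:16]


@dataclass
class Outbox:
    contact: str
    pinned_key: bytes                              # key learned on first contact (TOFU)
    policy: KeyChangePolicy
    pending: list = field(default_factory=list)    # (text, fingerprint it is encrypted to)
    held: list = field(default_factory=list)       # messages awaiting user approval
    notices: list = field(default_factory=list)    # what the UI would display

    def queue(self, text: str) -> None:
        self.pending.append((text, fingerprint(self.pinned_key)))

    def on_key_change(self, new_key: bytes) -> list:
        """Server reports a new identity key for the contact.
        Returns the messages (re)transmitted under the new key right now."""
        old_fp, new_fp = fingerprint(self.pinned_key), fingerprint(new_key)
        self.notices.append(f"security code for {self.contact} changed: {old_fp} -> {new_fp}")
        self.pinned_key = new_key
        undelivered = [t for t, fp in self.pending if fp == old_fp]
        self.pending = [(t, fp) for t, fp in self.pending if fp != old_fp]
        if self.policy is KeyChangePolicy.AUTO_RETRANSMIT:
            # Whoever controls new_key can read everything queued before the change.
            self.pending += [(t, new_fp) for t in undelivered]
            return undelivered
        self.held += undelivered   # ASK_USER: nothing leaves until approve_key_change()
        return []

    def approve_key_change(self) -> list:
        """User verified the new security code out of band; release held messages."""
        released, self.held = self.held, []
        self.pending += [(t, fingerprint(self.pinned_key)) for t in released]
        return released
```

The notice is raised under both policies; only the second one makes the retransmission wait for the user.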
