13 Jan 2017
Why the "WhatsApp-backdoor" is not a WhatsApp-backdoor
Today I read about this “new” discovery of a so called “backdoor” in WhatsApp. You can find the article of the Guardian here.
A researcher discovered, that WhatsApp (or Facebook) could force the WhatsApp mobile client to generate new encryption keys. Due to this, WhatsApp would be able to intercept the key exchange and - of course - would be able to intercept the messages.
This is how a man-in-the-middle attack works and it only works when both parties - which are communicating with each other - do not verify the fingerprints of the exchanged keys.
Signal and WhatsApp are using a concept called “TOFU” or “Trust on first use”. This means, that when a key is exchanged, this key is trusted as long as the key does not change. Signal and WhatsApp have different default settings what happens, when the key-material of a contact changes: WhatsApp just notifies the user when key material changes. Signal blocks outgoing messages and does not send new messages to a user where the key material has changed. A Signal user has to manually verify the new key by default (in this case, a user should verify the key material in person by scanning the QR code of the fingerprint).
This is not a backdoor, this is a default setting of WhatsApp and everybody is able to opt-in the feature which blocks message sending when the key material changes.
EDIT: It seems that the WhatsApp still sends the message even when the keys have changed. At the time of writing there seems to be no way of opting this out…
Half a year ago, we at our university wrote a paper about the usability of Signal in general. We “man-in-the-middled” 28 people and had a look, how many people would be able to successfully verify the identity of each other. Only seven users were able to successfully verify the fingerprint of each other. Since the study, the user inteface of Signal was improved (especially the key verification), so I would expect a better result now. The detailed results of this study can be found in our paper When SIGNAL hits the Fan: On the Usability and Security of State-of-the-Art Secure Mobile Messaging
Conclusion
When a provider says that they use end-to-end encryption and they have “no way of reading messages”, this is definitely wrong!
A provider always has the ability to intercept messages as long as the user does not verify fingerprints.
With WhatsApp, it is even harder to make sure, no MitM takes or took place. WhatsApp is closed source, so who can tell, if WhatsApp just displays wrong identity keys and lets the user think that everything is perfectly OK ..?
Contact
If you want to discuss this post, feel free to contact me. Details can be found here.