       COMMENT PAGE FOR:
       Should We Chat, Too? Security Analysis of WeChat's Mmtls Encryption Protocol
       
       
        ELPROFESOR wrote 1 hour 14 min ago:
        Hello
       
        est wrote 2 hours 41 min ago:
        Chinese apps don't need encryption but pretend to; the government has
        direct access to all clear-text data. If you can't comply, your business
        would be fucked one way or another.
        
        Security researchers need to stop beating the dead horse. The
        encryption mechanism is mostly used for compliance or certification. In
        fact many corp-intranet middleboxes can decrypt wechat communications,
        it's not a bug, it's a feature.
        
        IRL people just treat wechat as some kind of Discord with payment
        options. If you say something slightly wrong your account would
        instantly get into trouble. Just assume your wechat chat records are
        public one way or another.
       
          CGamesPlay wrote 2 hours 22 min ago:
          Just to be clear, encryption to hide from broad government
          surveillance is one valid use for encryption (which WeChat doesn't
          have), but it is far from the only reason for encrypted
          communications. Common thieves, abusive exes, or overbearing
          employers are a few others that immediately come to mind.
       
            est wrote 2 hours 11 min ago:
            > Common thieves, abusive exes, or overbearing employers
            
            As I commented on another thread, they don't even bother with
            network protocols.
            
            They just mandate installing spyware on your end devices. So E2EE
            won't help here.
            
            Chinese Android ROMs are notorious for this. Even the phone
            manufacturers are collecting data.
       
        imiric wrote 5 hours 47 min ago:
        These findings are so unsurprising that the research is borderline
        boring.
        
        What I would like to see are similar efforts directed at the tower of
        complexity that is the modern TLS stack. From the Snowden leaks we know
        that the NSA has tried to break cryptographic algorithms for decades
        via their project Bullrun, and that they bribed RSA to default to
        their compromised algorithm. From the recent XZ incident we also know
        that supply chain attacks can be very sophisticated and difficult to
        detect.
        
        How likely is it that the protocols we consider secure today are
        silently compromised by an undetected agent? Should we just assume that
        they are, like a sibling comment suggested?
        
        I'm frankly more interested in knowing if there is oversight of these
        complex technologies that could possibly alert us of any anomalies of
        this type, so that we don't have to rely on whistleblowers or people
        who happen to notice strange behavior and decide to look into it out of
        curiosity. Too much is at stake for this to be left up to chance.
       
        upofadown wrote 6 hours 23 min ago:
        >Generally, NIST recommends[1] not using a wholly deterministic
        derivation for IVs in AES-GCM since it is easy to accidentally re-use
        IVs.
        
        A quick skim of the referenced document did not show where NIST
        recommended against the use of deterministic IVs. The document actually
        spends a significant amount of text in discussing how one would do such
        a thing. Did I miss something?
        
        >Lack of forward secrecy
        
        The article mentions that the key is forgotten when you close the app.
        Probably enough forward secrecy for most people.
        
        >Since AES-CBC is used alongside PKCS7 padding, it is possible that the
        use of this encryption on its own would be susceptible to an AES-CBC
        padding oracle, which can lead to recovery of the encrypted plaintext.
        
        This is a messaging app. Is there actually an available oracle? Does
        the implementation even generate a padding error?
        
        [1]: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublica...
       
          tptacek wrote 4 hours 30 min ago:
          The GCM IV thing didn't ring true to me either; in fact, the whole
          reason we have XAES-type constructions is to enable fully
          nondeterministic IVs, which don't fit comfortably in the GCM IV
          space.
          
          Regarding padding oracles: it is most definitely not necessary for a
          target to generate a "padding error", or even an explicit error of
          any sort, to enable the attack.
       
            mozman wrote 3 hours 3 min ago:
            > nondeterministic IVs
            
            Can you explain what this means?
       
              tptacek wrote 2 hours 55 min ago:
              In this case it's just a fancy way of saying "random". What's
              important about a GCM nonce is that it never repeat, not that
              it's unpredictable (to me, a distinction between a "nonce" and an
              "IV"; a CBC IV must be unpredictable).
              
              Because you only get 96 bits of nonce space with vanilla GCM,
              there's common advice to use a counter as the nonce.
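The nonce discipline described in the comment above, as an added example written for this page in Go (it is not code from the paper, from WeChat, or from any commenter). It builds a 96-bit GCM nonce as a 32-bit fixed field followed by a 64-bit invocation counter, the deterministic construction of NIST SP 800-38D section 8.2.1, refuses to wrap the counter rather than repeat a nonce, and shows why repetition is the property that matters: two messages sealed under one key and one nonce leak the XOR of their plaintexts. The key, the fixed-field value and the messages are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrNonceExhausted is returned instead of wrapping the counter: a wrapped
// counter would repeat a nonce under the same key, the one failure GCM
// cannot survive. The fix is to rekey, not to reset.
var ErrNonceExhausted = errors.New("gcm: invocation counter exhausted, rekey")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// CounterSealer builds 96-bit nonces as a 32-bit fixed field (identifying this
// sender or direction) followed by a 64-bit invocation counter. The nonce is
// fully predictable by design; GCM only needs it to be unique per key.
type CounterSealer struct {
	aead  cipher.AEAD
	fixed [4]byte
	// Counter is the next invocation value. Persist and restore it across
	// restarts; never start it over while the same key is in use.
	Counter uint64
}

func NewCounterSealer(key []byte, fixed [4]byte) (*CounterSealer, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return &CounterSealer{aead: aead, fixed: fixed}, nil
}

// Seal encrypts one message and returns nonce || ciphertext || tag. The nonce
// travels in the clear, so the peer need not keep a counter in lockstep.
func (s *CounterSealer) Seal(plaintext, aad []byte) ([]byte, error) {
	if s.Counter == ^uint64(0) {
		return nil, ErrNonceExhausted
	}
	nonce := make([]byte, s.aead.NonceSize())
	copy(nonce[:4], s.fixed[:])
	binary.BigEndian.PutUint64(nonce[4:], s.Counter)
	s.Counter++
	return s.aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open verifies the tag and decrypts a message produced by Seal.
func Open(key, msg, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(msg) < n+aead.Overhead() {
		return nil, errors.New("gcm: message too short")
	}
	return aead.Open(nil, msg[:n], msg[n:], aad)
}

// NonceReuseLeaksXOR is why "never repeat" is the rule. GCM encrypts in
// counter mode, so two messages sealed under the same key and nonce share a
// keystream; XORing the two ciphertext bodies cancels it and leaves p1 XOR p2.
// The all-zero nonce here is a deliberate misuse, for illustration only.
func NonceReuseLeaksXOR(key, p1, p2 []byte) ([]byte, error) {
	if len(p1) != len(p2) {
		return nil, errors.New("plaintexts must have equal length")
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	repeated := make([]byte, aead.NonceSize())
	c1 := aead.Seal(nil, repeated, p1, nil)
	c2 := aead.Seal(nil, repeated, p2, nil)
	out := make([]byte, len(p1))
	for i := range out {
		out[i] = c1[i] ^ c2[i] // tags sit past len(p1); only the bodies are XORed
	}
	return out, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte sample key
	s, err := NewCounterSealer(key, [4]byte{0, 0, 0, 1})
	if err != nil {
		panic(err)
	}
	for i := 0; i < 2; i++ {
		msg, _ := s.Seal([]byte("hello"), nil)
		fmt.Printf("nonce %x\n", msg[:12]) // fixed field then counter 0, 1
	}
	x, _ := NonceReuseLeaksXOR(key, []byte("meet at dawn"), []byte("meet at dusk"))
	fmt.Printf("p1 XOR p2 recovered from a reused nonce: %x\n", x)
}
```

The counter is exported only so a session can persist and restore it; the point of the construction is that uniqueness is guaranteed by bookkeeping the sender controls, which is why a predictable nonce is acceptable for GCM where a predictable IV would not be for CBC.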
       
            upofadown wrote 3 hours 28 min ago:
            There has to be some reverse channel to do an oracle. Timing? That
            might not be a thing for messaging. Signal apparently also uses CBC
            with the same type of padding. So the same shade could be thrown in
            that direction if someone really wanted to do so.
            
            I would be happier if there were fewer vague assertions in these
            sorts of writeups...
       
              tptacek wrote 3 hours 24 min ago:
              I'm not sure what part of Signal you're referring to, but the
              Signal Protocol generally uses AEAD constructions. That aside:
              the kind of padding is not the issue; every serious system that
              uses CBC uses PKCS7 padding. The issue is the lack of
              authenticated ciphertext, which is what enables the attack. The
              authenticated scheme composing CBC and HMAC in an EtM arrangement
              is not susceptible to padding oracle attacks. There are other
              error and behavior oracles for other padding schemes, and for
              different block cipher modes.
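What the comment's Encrypt-then-MAC point looks like in code, as an added example written for this page in Go (not code from the paper, from WeChat, from Signal or from any commenter): AES-CBC with PKCS7 padding under HMAC-SHA256, where the receiver checks the tag in constant time before decrypting and returns one undifferentiated error for every failure, so padding is only ever inspected on bytes that have already been authenticated and a modified message produces no padding-specific signal. Keys and messages are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// ErrRejected is the only error the receive path returns. One error for a bad
// tag, a bad length and bad padding alike, with the tag checked first, denies
// a sender the yes/no answer a padding oracle is built from.
var ErrRejected = errors.New("etm: message rejected")

// Keys are independent; do not reuse the encryption key as the MAC key.
type Keys struct{ Enc, Mac []byte }

func pkcs7Pad(b []byte) []byte {
	p := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(p)}, p)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, ErrRejected
	}
	p := int(b[len(b)-1])
	if p == 0 || p > aes.BlockSize {
		return nil, ErrRejected
	}
	for _, c := range b[len(b)-p:] {
		if int(c) != p {
			return nil, ErrRejected
		}
	}
	return b[:len(b)-p], nil
}

// Seal returns iv || ciphertext || tag, tag = HMAC-SHA256(Mac, iv || ciphertext).
// The IV is random (CBC needs it unpredictable) and is covered by the MAC, so
// editing it to flip bits in the first plaintext block fails authentication.
func Seal(k Keys, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(append([]byte(nil), plaintext...))
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	mac := hmac.New(sha256.New, k.Mac)
	mac.Write(out)
	return mac.Sum(out), nil // Sum appends the 32-byte tag to iv || ciphertext
}

// Open authenticates first, in constant time, then decrypts and unpads. A
// forged or altered message never reaches the padding check.
func Open(k Keys, msg []byte) ([]byte, error) {
	if len(msg) < 2*aes.BlockSize+sha256.Size || (len(msg)-sha256.Size)%aes.BlockSize != 0 {
		return nil, ErrRejected
	}
	body, tag := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	mac := hmac.New(sha256.New, k.Mac)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrRejected
	}
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(plain, body[aes.BlockSize:])
	return pkcs7Unpad(plain)
}

func main() {
	// Constructed sample keys: 16-byte AES-128 key, separate HMAC key.
	k := Keys{Enc: []byte("enc-key-16-bytes"), Mac: []byte("mac-key-32-bytes-for-hmac-sha256")}
	msg, _ := Seal(k, []byte("hello"))
	msg[len(msg)-sha256.Size-1] ^= 1 // damage the last ciphertext byte, where padding lives
	_, err := Open(k, msg)
	fmt.Println(err) // the tag fails; the padding is never examined
}
```

The ordering is the whole point: with MAC-then-encrypt, or with a decrypt path that reports padding and MAC failures differently, the receiver becomes the oracle regardless of which padding scheme is used.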
       
        spacebanana7 wrote 6 hours 30 min ago:
        I wonder whether WeChat is one of the safest messaging apps because it
        has the strength to say no to western agencies.
        
        Signal and Matrix can be pressured with a rubber hose if there’s
        enough desire. And I imagine bureaucratic equivalents exist for
        iMessage and WhatsApp. But the CCP can offer genuine protection to
        WeChat executives.
       
          palata wrote 6 hours 12 min ago:
          > I wonder whether WeChat is one of the safest messaging apps because
          it has the strength to say no to western agencies.
          
          That is not how cryptography works.
          
          If you use proper end-to-end encryption (e.g. the Signal protocol),
          and assuming that you use it properly, then the server does not have
          access to the content of the encrypted messages. So the server cannot
          be pressured, period. So the Signal protocol is strictly better than
          a protocol that is audited and found wanting (TFA talking about the
          WeChat protocol here).
       
            vbezhenar wrote 6 hours 1 min ago:
            Until the next update sends your keys. Do you disassemble every
            update? I doubt it. In the end it's all about developer trust,
            because no popular messenger has had a thriving multi-client
            ecosystem since Jabber was abandoned. They all have an "official"
            blessed client and some even fight third-party clients.
            
            Not even talking about server side, things are just grim there.
       
              hackernudes wrote 4 hours 47 min ago:
              Signal does a far better job than most. They have open source
              clients. They sign their builds. The Android build is
              reproducible (you can build it yourself and it will match exactly
              what they publish, see [1]). Presumably some people in the world
              do it.
              
              Now of course I personally don't check the app shipped to me from
              the Google Play Store, but at least I could!
              
              It's not that I disagree with your point at all. There are still
              many places for world powers to compel companies to spy on users
              (in both hardware and software). Just want to call out that
              Signal is doing pretty much the best they can.
              
              [1]: https://github.com/signalapp/Signal-Android/blob/main/re...
       
          osamagirl69 wrote 6 hours 18 min ago:
          I have not been following the end-to-end encryption discussion in a
          while so please excuse my ignorance in asking...
          
          How does the 'rubber hose' threat apply to Matrix? So long as you are
          in control of your home server (or at least use a home server you
          trust) I am not sure who your adversary would pressure.
       
            jeltz wrote 5 hours 42 min ago:
            They could force them to add a backdoor in the Element build
            uploaded to the app store so they can use that backdoor to attack
            specific users. This is why we need reproducible builds and code
            which automatically checks for discrepancies.
       
        thimabi wrote 6 hours 36 min ago:
        WeChat using a custom protocol like MMTLS instead of sticking with
        something solid like TLS 1.3 is a risky move. Rolling your own crypto
        almost always leads to trouble. Of course, there may be ulterior
        motives behind Tencent’s decision, and users have little power to
        change it. For an app with over a billion users, that’s pretty
        concerning.
       
          tptacek wrote 4 hours 30 min ago:
          Is it concerning? It's not end-to-end secure to begin with.
       
            thimabi wrote 4 hours 24 min ago:
            It is insecure depending on one’s threat model. Though I agree
            end-to-end encryption would be the best practice.
       
              est wrote 2 hours 32 min ago:
              > end-to-end encryption would be the best practice
              
              If you think about it, no it's not in this case.
              
              The "end" you are refering to here, are mostly Chinese android
              phones.
              
              The system just hook into your apk, read your (encrypted) sqlite3
              local data, or screen-read your UI for content.
              
              Even the Wechat realized how badly the landscape was, so they 
              even rolled rolled out inhouse "input method" for "privacy
              conerns"
       
              tptacek wrote 4 hours 12 min ago:
              Can you articulate what that threat model would be?
       
                xvector wrote 3 hours 45 min ago:
                You are only okay with the CCP and your recipient knowing your
                conversation.
       
                  tptacek wrote 3 hours 30 min ago:
                  That's kind of how I read it too, which makes some of the
                  suppositions here (about the CCP inducing bad protocol
                  design) odd.
       
        bzmrgonz wrote 7 hours 4 min ago:
        What do you say to observers who would see this analysis as a parallel
        to the Huawei or TikTok western argument, meaning, "don't let them spy
        on you, let us spy on you instead!!!"
       
          jeltz wrote 5 hours 33 min ago:
          Isn't this the opposite? It is warning that WeChat's security might
          be weak since it is using weird non-standard stuff which means
          everyone might be able to spy on WeChat users, not just China. If
          WeChat fixed this then only China would be able to spy on the users.
       
          two-sandwich wrote 6 hours 57 min ago:
          Is there something you'd like those observers to hear?
       
        dtquad wrote 7 hours 11 min ago:
        The Chinese government has direct access to the WeChat backend so it's
        unlikely that these weaknesses were government mandated. Probably just
        the result of overworked 996 developers:
        
        >The name 996.ICU refers to "Work by '996', sick in ICU", an ironic
        saying among Chinese developers, which means that by following the
        "996" work schedule, you are risking yourself getting into the ICU
        (Intensive Care Unit)
        
        [1]: https://github.com/996icu/996.ICU
       
          firen777 wrote 6 min ago:
          > The Chinese government has direct access to the WeChat backend
          
          Oh dear, I need to rant about this.
          
          Everyone and their grandma knows in their guts that the CCP keeps
          every single thing you ever send. So why on earth does WeChat not
          back up your convo (a bog-standard feature that is available even in
          E2EE messengers) when you need to switch to a new phone? Yes, I know
          you can transfer data locally (with an unintuitive process, since
          WeChat does not support simultaneous login on multiple devices), but
          what happens if your old phone outright dies? I have already
          relinquished all my privacy to the overlord, so can they at least
          give us back some usability instead of this archaic POS?
          
          Just need to vent my recent painful experience.
       
          notpushkin wrote 33 min ago:
          Most likely, yeah. This also reminds me of the issues with KakaoTalk:
          [1] [2], [3]. Wondering if Line is next up!
          
          [1]: https://stulle123.github.io/posts/kakaotalk/secret-chat/
          [2]: https://stulle123.github.io/posts/kakaotalk-account-takeover...
          [3]: https://news.ycombinator.com/item?id=40776880
       
          daghamm wrote 6 hours 49 min ago:
          WeChat is basically one of the tools the communist party uses to
          control the population. If something is on there it is most likely by
          design.
          
          Off topic (or is it?): A while back a Western journalist in China
          reported that her WeChat account was banned 10 minutes after changing
          her password to "fuckCCP"...
       
            lucw wrote 44 min ago:
            The server-side storage of a full plaintext archive with government
            access is by design.
            The weak encryption is NOT by design. It's due to incompetent
            programmers.
       
            mmooss wrote 2 hours 25 min ago:
            > If something is on there it is most likely by design.
            
            It's a common mistake to overestimate the 'bad guy'. The Chinese
            government, like all other large human institutions, certainly does
            plenty of dumb stuff.
       
            olalonde wrote 3 hours 18 min ago:
            The issue of accounts being banned after a password change is quite
            common, especially outside of China. This isn't related to the
            content of the new password.
            
            Additionally, it's unlikely that the protocol has
            government-mandated vulnerabilities, as such weaknesses could
            potentially allow foreign governments to spy on WeChat users that
            are abroad. The Chinese government doesn't need such weaknesses,
            as they have access to the servers.
       
            homebrewer wrote 6 hours 3 min ago:
            I had my account banned for absolutely no reason (I didn't even use
            it to talk to anyone and was simply learning the interface myself
            to explain it later to a friend who was traveling to China). You
            can't infer anything from that story. Their "security" automation
            is even more paranoid than Google's; that's probably all there is
            to it.
       
            tptacek wrote 6 hours 45 min ago:
            The point being made in the preceding comment is that the threat
            model for WeChat already overtly includes its operators being able
            to puncture its confidentiality. It doesn't make a lot of
            operational sense to introduce complicated cryptographic backdoors
            (such as the IV construction, which the authors say could
            potentially introduce an AES-GCM key/IV brute forcing attack) when
            you control the keys for all the connections in the first place.
       
              throwaway48476 wrote 5 hours 36 min ago:
              Not only control keys, but control the software update mechanism
              (backdoor a la xz).
       
        mouse_ wrote 7 hours 26 min ago:
        Show me the outcome and I'll show you the incentive.
        
        Hint: backdoors
        
        I wouldn't trust any federally approved encryption. From any country.
        
        I wouldn't trust them, but I WOULD use them, given no other choice to
        reach the users I'm after. But always assume zero trust. With any
        computer thing, zero trust. Computer systems and those who orchestrate
        them are sneaky little devils.
       
          palata wrote 6 hours 10 min ago:
          > I wouldn't trust them, but I WOULD use them, given no other choice
          to reach the users I'm after.
          
          Which is no different from trusting them. The reality is that you
          have to trust something at some point.
       
            sodality2 wrote 4 hours 21 min ago:
            Not true, you can use something in an untrusting manner. Like
            assuming everything you send on the platform to be known to the
            government. Anyone in the USA who uses SMS should be operating like
            that, for example.
       
          creatonez wrote 7 hours 7 min ago:
          And even if it isn't screwed up by active malice... don't be
          surprised if it's screwed up by pure incompetence. South Korea's
          internet is still plagued by government-approved encryption
          standards, which, due to the deprecation of ActiveX, sometimes
          require installing institution-specific cryptography software to
          tunnel connections through a local HTTP server so it can be encrypted
          outside of the web browser [1].
          
          [1]: https://palant.info/2023/01/02/south-koreas-online-security-...
       
        kccqzy wrote 7 hours 29 min ago:
        I personally am not very interested in this research. WeChat is well
        known not to use end-to-end encryption. Considering that the app is
        unlikely to adopt end-to-end encryption (likely due to censorship being
        a business requirement, which was mentioned in the article and
        previously uncovered by this lab), I don't really feel like I care a
        whole lot between good non-end-to-end encryption and bad non-end-to-end
        encryption. Parties that are interested in subverting this kind of
        encryption, such as governments, likely already collaborate with
        Tencent to get decrypted messages from the source.
        get decrypted messages from the source.
       
          palata wrote 7 hours 25 min ago:
          > I don't really feel like I care a whole lot between good
          non-end-to-end encryption and bad non-end-to-end encryption.
          
          That's the difference between "you have to trust WeChat" and "anyone
          can read your chats". Of course you may not personally be interested
          because you don't personally use WeChat, but for the billion active
          users who do, I think it should matter.
       
            kccqzy wrote 7 hours 17 min ago:
            Where did you see that "anyone can read your chats" in this
            article? Indeed near the beginning of the article in the fourth
            bullet point the author states "we were unable to develop an attack
            to completely defeat WeChat’s encryption" right there. The only
            parties who are interested in expending more effort to break this
            kind of encryption are just governments, who can simply force
            Tencent to give up plaintext records.
       
              palata wrote 6 hours 7 min ago:
              > Where did you see that "anyone can read your chats" in this
              article?
              
              I didn't. I answered to what you wrote, which I quoted. But I can
              quote it again:
              
              > I don't really feel like I care a whole lot between good
              non-end-to-end encryption and bad non-end-to-end encryption.
       
              datadeft wrote 6 hours 59 min ago:
              Yep. Btw the threat model for me is this:
              
              - against random 3rd party, even WeChat is ok
              
              - against random black hats, most of chat software is ok, maybe
              even WeChat
              
              - against gov agencies, nothing is going to protect you
              
              When I am in China, I happily use WeChat including the gazillion
              services available through it. Buying a metro pass, ordering
              food, getting a battery pack and so on.
              
              Btw no country could replicate this outside of China, which is an
              interesting phenomenon. We have endless ads including actual
              scams and malware distributed by Google Ads yet I cannot buy
              train tickets in the EU through a single app and order food as
              well, let alone get a cab. It would be great though.
       
              kadoban wrote 7 hours 2 min ago:
              > I don't really feel like I care a whole lot between good
              non-end-to-end encryption and bad non-end-to-end encryption
              
              Bad non-end-to-end encryption is exactly that: "anyone can read
              your chats". That's not what the research found, it's just the
              implication of your original statement.
       
                kccqzy wrote 1 hour 54 min ago:
                Okay I shouldn't have used the word "bad" here. I should have
                used "flawed but not detrimental" just like what's described in
                the article.
       
                est wrote 2 hours 30 min ago:
                Please realize, in China, you can't trust your "end" either.
                It's always infested with spyware with local root access.
       
       