rysiek ✅ is a user on mastodon.social.

> In a phone call with WIRED, a WhatsApp spokesperson confirmed the researchers' findings, but emphasized that no one can secretly add a new member to a group—a notification does go through that a new, unknown member has joined the group.

Yeah, that solves it. -_-;


@rysiek that does solve it though...

Unless you want every user to do manual key management/verification there is no solution. And if you want every user to do that they will get annoyed at the app for the intrusions and always click "yes" to any security question that pops up.

@feld in no universe does that solve anything.

1. as others pointed out there is nothing stopping WhatsApp from changing that in the future;
2. I am part of about 20 Signal groups, am a pretty savvy user, and got surprised by some new people on some of them multiple times.

It's not about key management, it's about WhatsApp being able to *modify group membership*. Let's not mix things.

@rysiek Is there any way in which this attack could be played out and the members of the group chat not be notified of a new member joining?

If yes, I'm interested.

If no, I don't care. This is a stupid argument. Stop please.

If you're in a sensitive E2E chat and someone new unexpectedly joins and you don't immediately start investigating, you're already vulnerable by bad opsec.

@feld if you're in a sensitive E2E chat that gets a fair amount of traffic you are not going to notice the notification that somebody joined.

Notifying about this is not nearly enough.

When choosing tools to secure one's communication one has to take into account potential opsec failures. And a small notification about a potentially huge security problem (some random person just joined the group) simply does not cut it.


@feld plus, the bigger problem is that the *protocol* allows for this. This means that WhatsApp could remove the notification at any point in time and just add people as they see fit (or as the nice man in a trenchcoat asks them to) without notifying the members of the group.

You are basically asking me to trust WhatsApp not to do this. The whole *point* of E2E is to not have to trust the service provider.

"So Breaking News, People Still Miss The Point Of E2E Entirely", I guess? ;)

@rysiek I think you're missing the point of E2E

The point is that it's encrypted on the wire and a state level attack or interception of the data in transit cannot recover the original messages and also it is resistant to MITM attacks.

Your desire for certain UI and UX semantics is outside the scope of E2E.

@feld how is a state actor asking WhatsApp "politely" to add a person to a group without notifying the group not something E2E should protect from?

Again, since the protocol allows for it, WhatsApp can remove the notification whenever it wants.

@rysiek Three Letter Agency has compromised the admin of your Whatsapp chat. The admin announces "guys i need to add my new phone to the chat" and invites the agent of said Three Letter Agency.

Now what?

@feld Three Letter Agency compromised all our brains, we're in the Matrix already, WAT NAO?

There is trust involved in all those things. I trust people I work with way more than WhatsApp. And for good reasons.

There are always ways in. I'd just rather minimize the number of them that affect me and my peers.

@feld also, this is the good old "can't be 100% secure, so why even try" argument.

Can't say it swept me off my feet the first time I heard it, and that was a good decade ago. :)

@rysiek even if Whatsapp decides to add people remotely into your group chat, it's still E2E. You can be mad at this all you want, but it's not going to change the fact that they've fulfilled the requirements of E2E.

The company I work for has a business IM/collaboration client that boldly advertises E2E. The keys are stored centrally and the admins at your company can log and decrypt every message.

But it's still E2E.

@feld I beg to differ:
"End-to-end encryption (E2EE) is a system of communication where only the communicating users can read the messages."


The whole point of E2E is not that "it's encrypted, somehow", but that it's encrypted *effectively*, so that only the intended users can read it in transit.

Your take on E2E would mean that rot13 + double-XOR would be enough of an "encryption" on the wire. It is very definitely not.

@rysiek they can't decrypt the messages not sent to them encrypted with their own key

When someone gets added to a group chat they are now an "intended user" and will get copies of the messages they can decrypt.

Some random nerd with tcpdump cannot read the messages. They are not an intended user.

Stop trying to change the definition of E2E to fit your narrative.

@feld the intended user in the case of a WhatsApp encrypted group chat is the user the Admin intended to read the messages.

A user added by WhatsApp is not the intended user. And it requires just a moment of lack of attention to miss that fact.

This is not acceptable.

@rysiek You're mixing up the "intended user" from a protocol and a human perspective. Remove the human element from this conversation. It's irrelevant.

@feld the human element is the only thing that is relevant.

I don't care what the protocol considers okay or not if a person that trusted me to select secure communication tools for them gets surveilled, attacked, or incarcerated.

@rysiek the only possible way to solve this problem is to have an E2E messenger that requires manual key management and verification. The only one I know of that will allow this for a group chat is Matrix. You can choose to not accept keys for new people/devices in group chats and they will not be able to decrypt your messages.
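The disagreement above (the protocol letting the server change membership, and the Matrix-style option of refusing keys for members you did not accept) comes down to who authenticates a membership change: the server, or the group itself. Added example, not code from this thread or from WhatsApp, Signal or Matrix: a naive client that applies any server-delivered membership change and only shows a notification, beside one that applies a change only if it is authenticated with a group secret the server never holds (an HMAC under that secret stands in for an admin signature; names, epochs and messages are constructed).

```python
import hashlib, hmac, json

# Constructed group secret: shared by members over E2E, never held by the server; an HMAC under it stands in for an admin signature (assumption).
GROUP_SECRET = b"constructed-group-secret-never-sent-to-server"
CONTROL_FIELDS = ("action", "member", "epoch")

def _tag(secret, update):
    body = json.dumps({k: update[k] for k in CONTROL_FIELDS}, sort_keys=True).encode()
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def admin_update(secret, action, member, epoch):
    """A membership change issued by the group admin, not by the server."""
    update = {"action": action, "member": member, "epoch": epoch}
    return {**update, "tag": _tag(secret, update)}

class NaiveClient:
    """Applies whatever membership change the server delivers; only a notification is shown."""
    def __init__(self, name, members):
        self.name, self.members, self.notices = name, set(members), []
    def _change(self, update):
        (self.members.add if update["action"] == "add" else self.members.discard)(update["member"])
        self.notices.append(f"{update['member']}: {update['action']}")
    def apply_update(self, update):
        self._change(update)
        return True
    def recipients(self):  # who the next message key is wrapped for
        return sorted(self.members - {self.name})

class VerifyingClient(NaiveClient):
    """Accepts a change only with a valid tag and the next epoch (no replay); else keeps the old list."""
    def __init__(self, name, members, secret):
        super().__init__(name, members)
        self.secret, self.epoch = secret, 0
    def apply_update(self, update):
        genuine = "tag" in update and hmac.compare_digest(_tag(self.secret, update), update["tag"])
        if not genuine or update["epoch"] != self.epoch + 1:
            self.notices.append(f"REJECTED unauthenticated or replayed change: {update['member']}")
            return False
        self.epoch += 1
        self._change(update)
        return True

def demo():
    alice = NaiveClient("alice", ["alice", "bob"])
    bob = VerifyingClient("bob", ["alice", "bob"], GROUP_SECRET)
    legit = admin_update(GROUP_SECRET, "add", "carol", epoch=1)
    forged = {"action": "add", "member": "mallory", "epoch": 2}  # server-originated, no secret
    for client in (alice, bob):
        client.apply_update(legit), client.apply_update(forged)
    return alice.recipients(), bob.recipients()
```

The naive client ends up wrapping its message key for "mallory" with nothing but a notice to show for it, while the verifying client's recipient list never changes on a message the group did not authenticate, whatever the server's UI does with notifications.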

@feld another one is Tox. Yet another is Briar. Not sure about Wire, but also a contender.

@feld Pond used to be a thing. Plus, of course, anything supporting OTR or GPG (with the caveat that key management there is a PITA royale).

@rysiek yes correct OTR and GPG are alternatives and possibly some of the most secure alternatives

GPG is beyond painful to use.

@feld agreed on GPG. The "plan for opsec failures" thing is why we are pushing people towards Signal instead. With GPG-encrypted e-mail it's simply too easy to fsck up.

@rysiek I've heard talk that FreeBSD secteam was considering moving from GPG to Signal for some comms but I don't think it went anywhere.

@rysiek I just want you to say "It's not a vulnerability in the protocol, it's a vulnerability in the UX / application design."

The protocol is sound. Only those with the key to decrypt the message can decrypt it. That is 100% as intended. Nobody can eavesdrop on the wire.

@feld for the last time, WhatsApp can remove the notification whenever they want. This is not acceptable.

@rysiek but that's still not a protocol vulnerability. Nobody eavesdropping on the wire can decrypt the data.

It's not the Signal protocol at fault.

@feld and I am not saying it's Signal's fault. I don't care if it's Signal's fault, or WhatsApps implementation, or pixie dust from a galaxy far far away.

The point is, WhatsApp server admins can do this. This is utterly unacceptable.

@rysiek Apple and Google can publish a modified WhatsApp update for your phone which is compromised and captures copies of all text sent before encryption and all text received after encryption.

@feld @rysiek they can target your specific account and device so WhatsApp will never know any of their users were compromised

@feld you have to trust someone anyway, but the fewer entities (people, corporations, etc) you have to trust, the better.

Yet again, I simply do not trust WhatsApp not to abuse this one way or another.

@feld that's why I use neither Android nor iOS-based devices.

But again with the same "can't be 100% secure, so why even try" thing? You've used this one already. Come on, you can do better.

@rysiek what OS are you and your crypto friends using Signal and WhatsApp on? Signal only works on Android and iOS

@feld I'm on en.wikipedia.org/wiki/Sailfish

Others are on iOS and Android. And again, if I have to choose between trusting Google/Apple *and* WhatsApp, vs. trusting just Google/Apple, I choose the latter.

Not sure where you're going with this discussion though. You clearly think it's fine if server admins can add people to an encrypted groupchat with just a notification, I clearly don't. You look at E2E on a protocol level, I look at it at whether or not it's actually effective in its goal.

@feld I don't think we can convince each other, so I'll just proceed to drink some good tea and perhaps watch a movie. :)

@rysiek better look out because Apple can add keys to your iCloud device and give anyone full access.

WhatsApp has done more for the world’s communication privacy and safety than anyone else in the history of mankind, but you can nitpick this stupid issue instead of the million other more viable attack vectors.

Have you considered One Time Pads and carrier pigeons? /s

@rysiek I would also bet good money the WhatsApp “user has joined” message is produced by the client when it receives the keys for the new chat member and not a message sent by the server. That would be a terrible design flaw and would require a control channel that isn’t E2E, so I doubt WhatsApp can “hide this”.

The only non-E2E comms in WhatsApp to my knowledge are media/file sharing because that’s posted to a web server and fetched with TLS by all members in the room.

@rysiek wait a minute you’re trying to badmouth WhatsApp over a fake security issue when you’re running a phone that doesn’t even have an HSM or full disk encryption? 🤯

@feld if I hear Signal server admins can do the same thing (add users to a groupchat with only a notification displayed), I will consider Signal just as unsafe.

@rysiek @feld Even though I don't like Signal much, that's understandable. Sadly similar still applies with XMPP, and there really needs to be an XMPP client which can only do encrypted communications so that it's not possible for the user to mess up.

@rysiek I'm not familiar with Tox, Briar, or Ricochet, but my last run-in with Wire was that it did not provide this capability. Maybe they changed things?

@feld also, which company, pray tell! So that we can stay as far away as possible.

@rysiek Doesn't matter, just stay away from any enterprise messenger if you care about security. They are all going to have backdoors for "compliance".

@rysiek "sensitive E2E chat that gets a fair amount of traffic" sounds like a group chat of internet friends who want to shitpost memes at each other all day or share nudes.

If I have something so sensitive that a 3rd party reading it is a threat to my life, safety, or well being I'm going to be speaking in code and using abbreviations and communicating as little info as possible because I don't even want someone shoulder surfing to understand it.

@feld well good luck with that.

On the other hand, I'll keep making sure people who need and depend on secure communication every day stay clear of WhatsApp.