back to article Rap for crap WhatsApp trap flap: Yack yack app claptrap slapped

Computer security experts and cryptographers have accused The Guardian of overblowing what was claimed to be a backdoor in WhatsApp's encryption. Zeynep Tufekci, an assistant professor at the University of North Carolina and associate at the Harvard University's Berkman Center for Internet and Society, wrote an open letter …

  1. Anonymous Coward
    Anonymous Coward

    That's carefully avoiding another few issues, though

    WhatsApp did not start out as being secure - as a matter of fact, the very first thing it did on installation was to ship the user's address book to the WhatsApp servers (it won't even work without having that access) - that was possibly the data that convinced Zuck to pay a lot of money to buy it.

    Now it is "secure" - in other words, security has been retrofitted, never quite the best option.

    Next we get the owner's business. Where does FB make its money? User data and advertising. In other words, you have an application, offered for free, which is in direct conflict with the aims of its owner (and the government in that country). That's not a very good argument to trust it IMHO.

    Signal does not have that conflict of interest at the very heart of its operation, which is why I would choose it if I didn't use another solution (no, not Telegram - not found of it broadcasting who joined now because it means it keeps re-checking a list).

    So, nice letter, but not entirely in agreement with the argumentation.

    1. Anonymous Coward
      Anonymous Coward

      Re: That's carefully avoiding another few issues, though

      Signal may or may not have a conflict of interest, but you are forced to sign up for either a Google account or an Apple account to download/use it. Which I have no intention of doing.

      WhatsApp will work after a fashion if you deny it access to your contacts...someone has to send you a message first, as you can't initiate a conversation; and also you have to remember who you're talking to as it won't let you change the display name (telephone number); but it is do-able. But seeing as Facebook paid 19 billion for it I'm going on the assumption that any encryption does not prevent FB from reading your stuff. For them -Facebook, you will note- to shell out that sort of cash and lock themselves out (On what....honour? Principle?) seems to be somewhere on the far side of unlikely to me.

      1. Anonymous Coward
        Anonymous Coward

        Re: That's carefully avoiding another few issues, though

        Signal may or may not have a conflict of interest, but you are forced to sign up for either a Google account or an Apple account to download/use it. Which I have no intention of doing.

        You choose your poison - I prefer to get apps from a source where there's at least a modicum of malware checking in place. With respect to actually signing in, this is one of the reasons I like Threema. It knows the distinction between being anonymous and being unaccountable (they're not the same, and it's typically Swiss to be that precise), which means it will ask you some form of ident (email or phone) but you are perfectly free to talk to people who are not in your address book - you can add their IDs yourself too.

      2. Adrian 4 Silver badge

        Re: That's carefully avoiding another few issues, though

        Denying access to contacts isn't very useful for these communication apps. What's needed is bunkered contacts - seperate lists for skype, whatsapp, emil, phone etc. This is directly contradictory to what those app authors (wanting to mine networking information) want and counterintuitive to the average user, who thinks he wants all his contacts together.

        But I don't want a popup that asks me if I want to contact the person through SMS or skype. Nor do I want the app owners to spam my contacts list like LinkedIn. I'm quite happy to choose the communication medium first and the contact second.

    2. Oh Homer
      Childcatcher

      "user-interface trade-off"

      In other words shiny trumps secure.

      Sorry, but compromising security is compromising security, whichever way you try to whitewash it.

  2. SkippyBing

    To quote the Daily Mash 'The Guardian. Wrong about everything. All the time'

    1. jgarbo
      Facepalm

      So the Groin is consistent, as they advertise.

  3. Neil Barnes Silver badge

    And there's the problem...

    A very technical issue that I suspect many folks here would not have comprehended immediately - but the print journo has a deadline and a nice headline is always nicer than two inches on page seventeen.

    What do you expect him to do?

    1. a_yank_lurker Silver badge

      Re: And there's the problem...

      Get the story right. But the 'press' seems to be more interested in overhyping issues well beyond any reason and not getting any story remotely right. As purveyors of most of the fake news this does not surprise me. Remember the CBS non-sequitur meme of "fake but accurate" is the motto of most of the press.

  4. inmypjs Silver badge

    "Signal is not an option for many people"

    Why is that?

    Being part of the Facebook family of companies is enough to make whatsapp not an option for me.

    1. Jess

      Re: "Signal is not an option for many people" Why is that?

      Because it requires a supported smartphone.

      Whatsapp has the same issue. (especially since they announced they were dropping support for most of the phones my closest contacts use.)

      I have moved to Telegram, because that can be installed on a tablet or PC too.

      (I have also resurrected my old ICQ account, to regain a chat system with the old mobiles. ICQ has been seriously upgraded, now using Telegram style authentication, but old accounts still work with old clients and can be upgraded to new style accounts without losing that compatibility.)

      1. inmypjs Silver badge

        Re: "Signal is not an option for many people" Why is that?

        "Because it requires a supported smartphone"

        I know it needs a mobile number and an SMS to register as does whatsapp I believe. It works on the 4 android phones I have (which includes a Chinese ulefone that cost 53 quid).

        What makes a phone not supported?

      2. Dan 55 Silver badge

        Re: "Signal is not an option for many people" Why is that?

        If you're going to move to a different IM network, it'd be better to move to Signal (which you've discounted), Wire, or Wickr, not Telegram which seems to have a reputation for privacy and security even though anyone who's looked at it in any detail says it's some badly implemented half-arsed roll-your-own solution.

  5. Anonymous Coward
    Anonymous Coward

    Steve Gibson's Podcast 595

    Steve Gibson's Podcast 595

    https://www.twit.tv/shows/security-now/episodes/595

    Gave a good clear explanation (watch from 1hr22min). It's more of a compromise than a security flaw, but you should never underestimate the money/resources available in order to turn such compromises into active snooping methods, by further probing.

    Security services do have granular access to blocking recipients phones on the fly, from the mobile network, causing sender's messages to queue. This could allow seemless switching to a cloned sim, to gather the messages. In theory you could kill the message before the last byte transmits, so the message is mostly received, but still shown as unsent by WhatsApp. Then remove the block on the recipients phone. The recipient receives message as 'normal'.

    WhatsApp could certainly see this happening, but they could be under a gag order.

    Bottom Line: There are definitely things WhatsApp can improve regards the validity of the recipient, regards delayed messages, due to recipients being unavailable at time message is sent, but that involves exposing the user to more complication, do they want that? They should be often they don't.

  6. Warm Braw Silver badge

    This is non-trivial to exploit

    Encryption ultimately relies on making it sufficiently costly for potential eavesdroppers that they are largely deterred. What we (should) have learned from Snowden is that the specific potential eavesdroppers that this type of privacy mechanism is supposed to deter are prepared to expend more resources that most of us had previously considered possible - and few of us consider reasonable - to ensure they miss nothing. "Non-trivial" is not a barrier.

  7. Milton

    Ah, the Grauniad

    Once renowned for its typos (back in the prehistoric days of print-only), the Graun is by and large a good newspaper—indeed, compare it to the infantile, asswipe drivel from the likes of the Mail and Express and it's positively brilliant—but it does indeed have a weakness with technology. The most obvious symptom is the 'Ask Jack' column, which is embarrassingly feeble: so bad that you wonder if they still indulge the old practice of maintaining a vanity column to keep old hacks in cheap whisky while they wait for their prostate to fall out. And there's Simon Jenkins, wonderful in so many ways, who can't resist publishing ill-informed rants against math and science, a classic "If I can't understand, it can't be important" sneer that resounds so cheaply from such a smart guy. I suspect most Guardian readers, spying a technology article, move quickly to below the line, where they will find informed comment and corrections.

    Still, though we may hope for improvement (it can't be *that* difficult to fill out a P45 for Schofield), even without it, the Guardian does good work. You may not agree with them, but they'll always make you think.

    Oh—PS, they absolutely despise the Trumpecile, so a round of applause for that if nothing else. I'm holding out for an article on the US presidency in three months' time: "One Hundred Days, One Hundred Lies" ... but I worry Trump will blow his entire quota of porkies before the end of February.

    1. jgarbo
      Big Brother

      Re: Ah, the Grauniad

      Beg to differ. The Groin has become a blatant establishment tool, or better put by Off-Guardian, "Robin to MI5's Batman". I hope the implications stop at names.

      https://off-guardian.org/2016/11/01/guardian-plays-robin-to-mi5s-batman/

  8. NonSSL-Login
    Meh

    Option should have been on by default

    If the option to warn you about changes in keys was on by default, which is the best option, the whole story could have been avoided.

    This is an ease of use/retaining users balance by sacrificing some security decision most probably, although the backdoor option is still valid as much as the security community condemn it being said as such.

    With the default setting if state actors do their stuff to try and impersonate you, the keys will change and you get no warning.

    If the key change warning was on by default, you would get a warning that somethings not quite right. You can try and verify if your contact has a new phone or whatever.

    You could make the argument that 95% of Whatsapp users are just average Joe's countries where the intelligence services or Governments are only interested in a small number of peoples communications and they don't want the confusion of error messages they don't understand to continue to talking to their BFF and Uncle Fester. For the others though, especially those in certain countries, this could be a big issue for them.

    Fair enough they can turn it on but how many of them knew to do this before the article? Telegram was the same when it first came out in the way end to end encryption was not enabled by default. That's not mentioning the whole SMS message verification interception.

    So a setting that doesn't warn the user when something fishy happens with their contacts being set by an American company as Off by default, may be seen by some as intentionally helping governments who would want to abuse the app for their own uses. It has plausible deniability for them and it wouldn't surprise me if it was actually set this way on purpose.

    The Guardian could have reported it so much differently but as with many news organisations, it's no longer about news but about popular clicks and profit for the business. The news is now not about this potential issue but about the guardian and whatsapp in general. The information is lost.

  9. Doctor Syntax Silver badge

    One consequence of condemning the report is that it might in future make them less likely to report a more serious issue.

  10. fnusnu

    You missed a bit

    Rap for crap WhatsApp trap flap: Graun Hack in Yack yack app claptrap slapped

  11. GrapeBunch
    Thumb Up

    Record?

    Is the rhyme of the headline some sort of record? Even for El Reg, leaders of the pack?

  12. Tree
    Thumb Down

    WhatsApp Crap

    FaceButt is the problem. Suckerberg wants to sell your private parts for money. Just do not use WhatsApp for anything important like sending account numbers or passwods.

  13. hellwig

    Non-Trivial, for not WhatsApp

    Isn't part of the problem that WhatsApp itself can essentially use this to read your messages? End-to-End encryption means no one except the sender and receiver can read them,but I thought this flaw design decision means that essentially WhatsApp can read your messages (And thus, be compelled by law to relinquish your read messages to the authorities).

    When the FBI sued Apple, Apple physically could not un-encrypt the phone. When the FBI sues Facebook, they CAN force the client app to un-encrypt the messages, can they not? Isn't that the difference here? Isn't that what makes this a back door?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022