WeChat devs introduced security flaws when they modded TLS, say researchers

Messaging giant WeChat uses a network protocol that the app's developers modified – and by doing so introduced security weaknesses, researchers claim. WeChat uses MMTLS, a cryptographic protocol heavily based on TLS 1.3. The devs essentially tweaked standard TLS but in turn that left the app with an encryption implementation, …

  1. munnoch Silver badge

    NewDNS

    New Snapchat

    New Facebook

    New Zillow

    New Expedia

    New Reddit

    New Spotify

    New Kickstarter

    New Pied Piper...

    1. A. Coatsworth Silver badge
      Big Brother

      Re: NewDNS

      ...NewSpeak?

  2. An_Old_Dog Silver badge
    Joke

    MMTLS

    MMTLS == "Man-in-the-Middle Transport Layer Security"?

    1. Hubert Cumberdale Silver badge

      Re: MMTLS

      Every internet transaction in China has a man in the middle. He looks like Winnie the Pooh.

  3. Anonymous Coward

    Ho Hum .....

    Roll your own Cryptography by another name !!!

    Always works ... NOT !!!

    Don't worry the *next* time it *will* work ... honest !!!

    [Swap those 2 lines around & change that 2 to 3 then XOR the result with 1337(hex)... that should do it]

    [Just like TLS but 'better' !!!]

    :)

  4. heyrick Silver badge

    Only in China is it common for developers to go against the grain and whip up their own cryptography system

    Perhaps because elsewhere it is understood that encryption is hard and it's not the sort of thing that anybody can cobble together and expect to be "secure".

    1. Anonymous Coward

      Only in China is it common for developers to whip up their own cryptography system

      [Telegram has entered the chat…]

    2. Richard 12 Silver badge

      The NSA, probably

      Once bitten, twice shy and all that.

      If you think there are multiple TLA agencies trying to sneak backdoors in, then it makes sense to try.

      1. Claptrap314 Silver badge

        Re: The NSA, probably

        Not really. These systems are reviewed academically, and the people doing the reviews are highly motivated to find issues. And while the NSA has certainly neglected the first item in its charter in the past, we have good hope that they are on a better footing today.

  5. Zippy´s Sausage Factory
    Devil

    "A network eavesdropper, or network tap, placed within WeChat's intranet could then attack the business-layer encryption on these forwarded requests. However, this scenario is purely conjectural."

    Is conjectural being used as a euphemism here?

    Only in China is it common for developers to go against the grain and whip up their own cryptography system, the researchers said, and generally none of these are as effective as the standard TLS 1.3 or QUIC implementations.

    So the best case scenario is that Chinese tech companies have "not invented here" syndrome. Combined with the top one though, is it just to give the companies plausible deniability?

  6. Alistair
    Windows

    Chinese entities rolling their own cryptography?

    Whoda Thunkit.

    Sure, effective cryptography is hard, but that is *not* why they roll their own. It's easier to ensure the CCP is happy if you give them a carte blanche back door. Yeesh.

    1. Not Yb Silver badge
      Coat

      Someone really needs to invent a software library called "Whoda Thunkit".

  7. Adair Silver badge

    Who uses WeChat anyway?

    1. Due diligence

    2. Actions have consequences

    1. PermissionToSpeakPlease

      Re: Who uses WeChat anyway?

      1.37 billion active monthly users, apparently - https://www.statista.com/statistics/255778/number-of-active-wechat-messenger-accounts/

      1. Adair Silver badge

        Re: Who uses WeChat anyway?

        I wonder what they expect, and how many of them actually have a choice of messaging apps?

        Given the source of WeChat there is no reason to suppose that it is in any way meaningfully secure from state intrusion, let alone anyone else's efforts to subvert its 'security'.

        Please note that I am not in the least implying that other similar apps from other sources are any better, and some may well be worse, but 'deliberate security flaws in WeChat'? Quelle surprise.
