The Guardian have just released an article supposedly revealing a backdoor in WhatsApp that allows snooping on users' messages. That's what I'll be addressing here...
I'd like to start out by saying that this is a very technically accurate and concise article. While reading it, I found that all the questions I would have had as someone in the security community were answered. However, it is sensationalist, in particular the headline.
Backdoors are traditionally discreet and unnoticeable: you would sneak one in, and users would certainly not see anything in the UI. In this instance, however, it is completely observable in the UI (if you have the security notifications enabled), although if you aren't keeping a close eye, it may be difficult to determine exactly which messages were re-sent to the new key.
So this is not a backdoor, at least I wouldn't call it that, I would call it a design flaw... a design flaw with security consequences. But some wouldn't even consider it something as severe as that, to some this is working as intended.
Back when this behaviour / flaw was first talked about in April 2016, Facebook responded with:
"[...] We were previously aware of the issue and might change it in the future, but for now it's not something we're actively working on changing." [...]
And Facebook are likely to come out with a similar (perhaps more fluffy) response now that this is being re-hashed in the mainstream media.
UX vs Security
It becomes a question of user experience vs increased security, like it always does with secure communications software. As former Signal developer Frederic Jacobs puts it:
"Should key verification be a blocking or non-blocking user interaction? Signal chose blocking. WhatsApp chose non-blocking. #UXvsSecurity?" (Frederic Jacobs, @FredericJacobs, January 13, 2017)
Ultimately, the UX choices to deal with potential Man-in-the-Middle attacks look like this:
- Don't notify the user and continue on as normal and resend failed messages. (WhatsApp's default behaviour)
- Notify the user, but continue on as normal and resend failed messages. (WhatsApp's behaviour with security notifications enabled)
- Notify the user, and block conversation until user has confirmed they're happy that their contact's key has changed. After that point, maybe re-send failed messages, or ask the user if they would like to, or just don't. (Signal's behaviour, with no re-sending)
All three of these options are completely effective against passive surveillance, and have forward secrecy and all the juicy crypto features we've come to know and love. Where they differ is in how they confirm that the user is communicating with who they think they are, which is an age-old problem.
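The three behaviours above, modelled as an added example (not code from WhatsApp, Signal or the original article): a toy sender-side state machine showing what happens to undelivered messages when a contact's key changes. The class, method and policy names are hypothetical, and the keys are placeholder strings with no real cryptography.

```python
from dataclasses import dataclass, field
from enum import Enum

class Policy(Enum):
    SILENT_RESEND = "no notice, resend"        # WhatsApp default
    NOTIFY_RESEND = "notice, resend"           # WhatsApp, security notifications on
    BLOCK_UNTIL_CONFIRMED = "notice, block"    # Signal, no re-sending

@dataclass
class Conversation:
    policy: Policy
    trusted_key: str                                  # contact key currently accepted
    undelivered: list = field(default_factory=list)   # sent, not yet acknowledged
    notices: list = field(default_factory=list)       # what the user sees in the UI
    pending_key: str = ""                             # new key awaiting confirmation

    @property
    def blocked(self):
        return bool(self.pending_key)

    def send(self, text):
        if self.blocked:
            raise PermissionError("confirm the contact's new key first")
        self.undelivered.append(text)

    def on_key_change(self, new_key):
        """Handle a changed contact key; return messages re-encrypted to it unprompted."""
        if new_key == self.trusted_key:
            return []
        if self.policy is not Policy.SILENT_RESEND:
            self.notices.append("security code changed")
        if self.policy is Policy.BLOCK_UNTIL_CONFIRMED:
            self.pending_key = new_key     # nothing leaves until the user decides
            return []
        self.trusted_key = new_key         # non-blocking: accepted automatically
        resent, self.undelivered = self.undelivered, []
        return [(new_key, m) for m in resent]

    def confirm_key(self):
        """User accepts the new key; undelivered messages stay unsent."""
        self.trusted_key, self.pending_key = self.pending_key, ""

def simulate(policy):
    """Constructed scenario: two messages in flight when the contact's key changes."""
    c = Conversation(policy, trusted_key="KEY_A")
    c.send("msg 1")
    c.send("msg 2")
    resent = c.on_key_change("KEY_B")
    return resent, c.notices, c.blocked
```

Under both non-blocking policies the two in-flight messages are re-encrypted to the new key before the user can react; the notification only changes whether the user finds out afterwards.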
Improvements WhatsApp can make
So the two security improvements that WhatsApp could make are:
- Change the default behaviour, and perhaps remove the option to disable these notifications completely.
- When security notifications are enabled, block the conversation (and certainly don't re-send failed messages) until the user has confirmed they're happy with this change. Perhaps even have a secondary confirmation asking if the user wants to re-send messages if there are unsent messages?
Facebook are unlikely to implement the first change, but I think we'd all like to see some hard statistics about how frequently users really change their device / reinstall WhatsApp... The hard truth of it is that these security notifications shouldn't happen that frequently, certainly never frequently enough to disrupt the flow of conversation! So would it be that much of a usability hit?
It will be hard to persuade me that they shouldn't make the second improvement though (particularly after the reaction that some people are having following the Guardian article). If people have enabled security notifications, they've already indicated they have an increased interest in higher security (in the same way that installing Signal indicates they have an interest in increased security), so adding some blocking behaviour for re-sending failed messages is obviously the sensible thing to do, right?
I'll be interested in where they go from here...
All this being said... it's still possible for WhatsApp to go ahead and install a "real" backdoor in their apps that simply reads the messages after decrypting and sends them on to whoever wants to snoop... And unless we get binary transparency, and people are constantly auditing the decompiled binaries, this will go undetected.