dtquad 12 hours ago

The Chinese government has direct access to the WeChat backend so it's unlikely that these weaknesses were government mandated. Probably just the result of overworked 996 developers:

>The name 996.ICU refers to "Work by '996', sick in ICU", an ironic saying among Chinese developers, which means that by following the "996" work schedule, you are risking yourself getting into the ICU (Intensive Care Unit)

https://github.com/996icu/996.ICU

  • lloyds_barclays 5 minutes ago

    Just my personal experience.

    One of my family members who lived in China was involved in a Ponzi fraud a couple of years ago. They told me that when they entered the interrogation room, officers had already printed out their WeChat chat history, even before they handed over their phone.

  • firen777 5 hours ago

    > The Chinese government has direct access to the WeChat backend

    Oh dear, I need to rant about this.

    Everyone and their grandma knows in their guts that the CCP keeps every single thing you ever send. So why on earth does WeChat not back up your convo (a bog-standard feature that is available in even E2EE messengers) when you need to switch to a new phone? Yes, I know you can transfer data locally (with an unintuitive process, since WeChat does not support simultaneous login on multiple devices), but what happens if your old phone outright died? I already relinquished all my privacy to the overlord, so can they at least give us back some usability instead of this archaic pos?

    Just need to vent my recent painful experience.

  • chvid 2 hours ago

    Yes. The Chinese government likely has "front door" access rather than having to rely on capturing network traffic and exploiting some hidden weakness in a protocol.

    But why are Chinese companies making their own security protocols / libraries rather than adopting "cryptographic best practices"? Do they actually think that common crypto libraries are flawed? Or is this a part of China's deep tech / self-sufficiency efforts?

    • randomNumber7 35 minutes ago

      Probably they think more control is still better.

  • daghamm 12 hours ago

    WeChat is basically one of the tools the communist party uses to control the population. If something is on there it is most likely by design.

    Off topic (or is it?): A while back a western journalist in China reported that her WeChat account was banned 10 minutes after changing her password to "fuckCCP"...

    • tptacek 12 hours ago

      The point being made in the preceding comment is that the threat model for WeChat already overtly includes its operators being able to puncture its confidentiality. It doesn't make a lot of operational sense to introduce complicated cryptographic backdoors (such as the IV construction, which the authors say could potentially introduce an AES-GCM key/IV brute forcing attack) when you control the keys for all the connections in the first place.

      • randomNumber7 31 minutes ago

        And the argument is pretty weak. It doesn't cost them much to introduce cryptographic backdoors. Once they have done this they have even more control. It is then also less effort, because you don't have to deal with a company (like WeChat) directly to spy on their customers.

      • throwaway48476 11 hours ago

        Not only control keys, but control the software update mechanism (backdoor a la xz).

    • homebrewer 11 hours ago

      I had my account banned for absolutely no reason (I didn't even use it to talk to anyone and was simply learning the interface myself to explain it later to a friend who was traveling to China). You can't infer anything from that story. Their "security" automation is even more paranoid than Google's, that's probably all there's to it.

    • olalonde 9 hours ago

      The issue of accounts being banned after a password change is quite common, especially outside of China. This isn't related to the content of the new password.

      Additionally, it's unlikely that the protocol has government-mandated vulnerabilities, as such weaknesses could potentially allow foreign governments to spy on WeChat users that are abroad. The Chinese government doesn't need such weaknesses, as they have access to the servers.

    • lucw 6 hours ago

      Server-side storage of a full plain-text archive with government access is by design. The weak encryption is NOT by design. It's due to incompetent programmers.

    • mmooss 8 hours ago

      > If something is on there it is most likely by design.

      It's a common mistake to overestimate the 'bad guy'. The Chinese government, like all other large human institutions, certainly does plenty of dumb stuff.

      • shiroiushi 2 hours ago

        Hanlon's Razor: never ascribe to malice that which can be adequately explained by incompetence or stupidity.

upofadown 12 hours ago

>Generally, NIST recommends[1] not using a wholly deterministic derivation for IVs in AES-GCM since it is easy to accidentally re-use IVs.

A quick skim of the referenced document did not show where NIST recommended against the use of deterministic IVs. The document actually spends a significant amount of text in discussing how one would do such a thing. Did I miss something?

>Lack of forward secrecy

The article mentions that the key is forgotten when you close the app. Probably enough forward secrecy for most people.

>Since AES-CBC is used alongside PKCS7 padding, it is possible that the use of this encryption on its own would be susceptible to an AES-CBC padding oracle, which can lead to recovery of the encrypted plaintext.

This is a messaging app. Is there actually an available oracle? Does the implementation even generate a padding error?

[1] https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpubli...

  • tptacek 10 hours ago

    The GCM IV thing didn't ring true to me either; in fact, the whole reason we have XAES-type constructions is to enable fully nondeterministic IVs, which don't fit comfortably in the GCM IV space.

    Regarding padding oracles: it is most definitely not necessary for a target to generate a "padding error", or even an explicit error of any sort, to enable the attack.

    • upofadown 9 hours ago

      There has to be some reverse channel to do an oracle. Timing? That might not be a thing for messaging. Signal apparently also uses CBC with the same type of padding. So the same shade could be thrown in that direction if someone really wanted to do so.

      I would be happier if there were fewer vague assertions in these sorts of writeups...

      • tptacek 9 hours ago

        I'm not sure what part of Signal you're referring to, but the Signal Protocol generally uses AEAD constructions. That aside: the kind of padding is not the issue; every serious system that uses CBC uses PKCS7 padding. The issue is the lack of authenticated ciphertext, which is what enables the attack. The authenticated scheme composing CBC and HMAC in an EtM arrangement is not susceptible to padding oracle attacks. There are other error and behavior oracles for other padding schemes, and for different block cipher modes.
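The encrypt-then-MAC composition the comment above refers to, as an added example in Go (not code from the thread, and not WeChat's or MMTLS's code): AES-CBC with PKCS7 padding, an HMAC-SHA256 tag over IV and ciphertext, and a decryptor that verifies the tag in constant time before it decrypts or unpads and returns a single error value for every rejection. The key sizes, the tag layout and the use of two separately supplied keys are this example's own choices.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// ErrAuth is the only error Open ever returns for bad input, so neither the
// caller nor anyone watching it can tell a bad tag from bad padding: the
// padding check is simply never reached for data the MAC rejects.
var ErrAuth = errors.New("ciphertext authentication failed")

// padPKCS7 appends 1..blockSize bytes, each equal to the pad length.
func padPKCS7(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// unpadPKCS7 strips padding; it runs only after the tag has verified, so a
// malformed pad here means a bug on our side, not an attacker's probe.
func unpadPKCS7(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, ErrAuth
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) {
		return nil, ErrAuth
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, ErrAuth
		}
	}
	return b[:len(b)-n], nil
}

// Seal returns IV || CBC(pad(plaintext)) || HMAC-SHA256(macKey, IV || CBC(...)).
func Seal(encKey, macKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, block.BlockSize()) // CBC needs an unpredictable IV
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := padPKCS7(append([]byte(nil), plaintext...), block.BlockSize())
	out := make([]byte, len(iv)+len(padded))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[len(iv):], padded)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out)
	return mac.Sum(out), nil
}

// Open checks the tag in constant time before CBC or unpadding ever runs.
func Open(encKey, macKey, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(sealed) < 2*bs+sha256.Size || (len(sealed)-sha256.Size)%bs != 0 {
		return nil, ErrAuth
	}
	body, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrAuth
	}
	iv, ct := body[:bs], body[bs:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return unpadPKCS7(pt, bs)
}

func main() {
	encKey, macKey := make([]byte, 32), make([]byte, 32) // demo keys, random per run
	rand.Read(encKey)
	rand.Read(macKey)
	sealed, _ := Seal(encKey, macKey, []byte("hello"))
	pt, err := Open(encKey, macKey, sealed)
	fmt.Printf("%q %v\n", pt, err)
	sealed[len(sealed)-sha256.Size-1] ^= 1 // corrupt the last ciphertext block
	_, err = Open(encKey, macKey, sealed)
	fmt.Println(err) // same ErrAuth as for a corrupted tag
}
```

Because the MAC covers the IV and every ciphertext block, any modified final block is refused before CBC decryption runs, so there is no padding-dependent behaviour left for an observer to distinguish; that is the property the comment attributes to the CBC+HMAC EtM composition.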

    • mozman 8 hours ago

      > nondeterministic IVs

      Can you explain what this means?

      • tptacek 8 hours ago

        In this case it's just a fancy way of saying "random". What's important about a GCM nonce is that it never repeat, not that it's unpredictable (to me, a distinction between a "nonce" and an "IV"; a CBC IV must be unpredictable).

        Because you only get 96 bits of nonce space with vanilla GCM, there's common advice to use a counter as the nonce.
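The counter nonce the comment above mentions is the deterministic construction that NIST SP 800-38D section 8.2.1 specifies (a fixed field naming the encrypting party plus an invocation counter; the alternative in 8.2.2 is an RBG-based IV), which is also the construction the upofadown question about the NIST document earlier in the thread concerns. The Go below is an added example, not code from the thread or from WeChat: a sealer that owns its AES-256-GCM key and its 96-bit nonce sequence, refuses to issue a nonce once the counter is exhausted rather than wrapping, and a small function demonstrating why a repeated nonce is fatal (two messages under one key and nonce reveal the XOR of their plaintexts). The field widths and type names are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrExhausted is returned once the counter has been used up; the only safe
// response is to rotate the key, never to wrap the counter.
var ErrExhausted = errors.New("nonce space exhausted; rotate the key")

// NonceSequence issues 96-bit GCM nonces in the SP 800-38D 8.2.1 form:
// fixed field || invocation counter. Widths are this example's choice.
type NonceSequence struct {
	fixed   uint32 // distinct for each party encrypting under the same key
	counter uint64 // value of the next nonce to issue
	done    bool   // set once the final counter value has been issued
}

// Next returns the next nonce; a value is never issued twice and never wraps.
func (s *NonceSequence) Next() ([]byte, error) {
	if s.done {
		return nil, ErrExhausted
	}
	n := make([]byte, 12)
	binary.BigEndian.PutUint32(n[:4], s.fixed)
	binary.BigEndian.PutUint64(n[4:], s.counter)
	if s.counter == ^uint64(0) {
		s.done = true
	} else {
		s.counter++
	}
	return n, nil
}

// Sealer binds a key to its nonce sequence so callers never pick nonces.
type Sealer struct {
	aead cipher.AEAD
	seq  NonceSequence
}

func NewSealer(key []byte, fixed uint32) (*Sealer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Sealer{aead: aead, seq: NonceSequence{fixed: fixed}}, nil
}

// Seal returns nonce || ciphertext || tag; the nonce is public and is sent
// along so the receiver can Open.
func (s *Sealer) Seal(plaintext, aad []byte) ([]byte, error) {
	nonce, err := s.seq.Next()
	if err != nil {
		return nil, err
	}
	return s.aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open splits off the nonce and authenticates before returning plaintext.
func (s *Sealer) Open(sealed, aad []byte) ([]byte, error) {
	ns := s.aead.NonceSize()
	if len(sealed) < ns+s.aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return s.aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// NonceReuseLeaksXOR shows the failure the sequence prevents: with one key
// and one nonce the CTR keystream is identical, so XOR of the two ciphertexts
// equals XOR of the two plaintexts (p1 and p2 must have equal length).
func NonceReuseLeaksXOR(key, nonce, p1, p2 []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block)
	c1 := aead.Seal(nil, nonce, p1, nil)
	c2 := aead.Seal(nil, nonce, p2, nil)
	out := make([]byte, len(p1))
	for i := range out {
		out[i] = c1[i] ^ c2[i]
	}
	return out
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key; use a random one in practice
	s, _ := NewSealer(key, 1)
	c, _ := s.Seal([]byte("hello"), nil)
	p, err := s.Open(c, nil)
	fmt.Printf("nonce %x -> %q %v\n", c[:12], p, err)
}
```

SP 800-38D also caps the RBG-based alternative at 2^32 invocations per key, which is why a counter is the usual advice for long-lived keys: it turns the uniqueness requirement into a state-keeping problem (persist the counter, give each party its own fixed field) instead of a birthday bound.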

est 8 hours ago

Chinese apps don't need encryption but pretend to; the government has direct access to all clear-text data. If you can't comply, your business would be fucked one way or another.

Security researchers need to stop beating the dead horse. The encryption mechanism is mostly used for compliance or certification. In fact many corp-intranet middleboxes can decrypt WeChat communications; it's not a bug, it's a feature.

IRL people just treat WeChat as some kind of Discord with payment options. If you say something slightly wrong, your account would instantly get into trouble. Just assume your WeChat chat records are public one way or another.

  • CGamesPlay 8 hours ago

    Just to be clear, encryption to hide from broad government surveillance is one valid use for encryption (which WeChat doesn't have), but it is far from the only reason for encrypted communications. Common thieves, abusive exes, or overbearing employers are a few others that immediately come to mind.

    • est 7 hours ago

      > Common thieves, abusive exes, or overbearing employers

      As I commented on another thread, they don't even bother with network protocols.

      They just mandate installing spyware on your end devices. So E2EE won't help here.

      Chinese Android ROMs are notorious for this. Even the phone manufacturers are collecting data.

  • crazylogger 5 hours ago

    For one thing, the Chinese government does have an incentive to enforce good encryption so that foreign adversaries cannot snoop in on important Chinese communications. Only the Chinese government has access via Tencent's backend.

    • Yeul an hour ago

      The Dutch government is a joke; they'll happily communicate via WhatsApp. But then the Netherlands is hardly a geopolitical player.

      But surely Chinese officials don't use Wechat?

imiric 11 hours ago

These findings are so unsurprising that the research is borderline boring.

What I would like to see are similar efforts directed at the tower of complexity that is the modern TLS stack. From the Snowden leaks we know that the NSA has tried to break cryptographic algorithms for decades via their project Bullrun, and that they bribed the RSA to default to their compromised algorithm. From the recent XZ incident we also know that supply chain attacks can be very sophisticated and difficult to detect.

How likely is it that the protocols we consider secure today are silently compromised by an undetected agent? Should we just assume that they are, like a sibling comment suggested?

I'm frankly more interested in knowing if there is oversight of these complex technologies that could possibly alert us of any anomalies of this type, so that we don't have to rely on whistleblowers or people who happen to notice strange behavior and decide to look into it out of curiosity. Too much is at stake for this to be left up to chance.

thimabi 12 hours ago

WeChat using a custom protocol like MMTLS instead of sticking with something solid like TLS 1.3 is a risky move. Rolling your own crypto almost always leads to trouble. Of course, there may be ulterior motives behind Tencent’s decision, and users have little power to change it. For an app with over a billion users, that’s pretty concerning.

  • tptacek 10 hours ago

    Is it concerning? It's not end-to-end secure to begin with.

    • thimabi 10 hours ago

      It is insecure depending on one’s threat model. Though I agree end-to-end encryption would be the best practice.

      • est 8 hours ago

        > end-to-end encryption would be the best practice

        If you think about it, no it's not in this case.

        The "end" you are referring to here is mostly Chinese Android phones.

        The system just hooks into your apk, reads your (encrypted) sqlite3 local data, or screen-reads your UI for content.

        Even WeChat realized how bad the landscape was, so they even rolled out an in-house "input method" for "privacy concerns".

      • tptacek 9 hours ago

        Can you articulate what that threat model would be?

        • xvector 9 hours ago

          You are only okay with the CCP and your recipient knowing your conversation.

          • tptacek 9 hours ago

            That's kind of how I read it too, which makes some of the suppositions here (about the CCP inducing bad protocol design) odd.

mouse_ 13 hours ago

Show me the outcome and I'll show you the incentive.

Hint: backdoors

I wouldn't trust any federally approved encryption. From any country.

I wouldn't trust them, but I WOULD use them, given no other choice to reach the users I'm after. But always assume zero trust. With any computer thing, zero trust. Computer systems and those who orchestrate them are sneaky little devils.

  • creatonez 12 hours ago

    And even if it isn't screwed up by active malice... don't be surprised if it's screwed up by pure incompetence. South Korea's internet is still plagued by government-approved encryption standards, which, due to the deprecation of ActiveX, sometimes require installing institution-specific cryptography software to tunnel connections through a local HTTP server so it can be encrypted outside of the web browser - https://palant.info/2023/01/02/south-koreas-online-security-...

  • palata 11 hours ago

    > I wouldn't trust them, but I WOULD use them, given no other choice to reach the users I'm after.

    Which is no different from trusting them. The reality is that you have to trust something at some point.

    • sodality2 10 hours ago

      Not true, you can use something in an untrusting manner. Like assuming everything you send on the platform to be known to the government. Anyone in the USA who uses SMS should be operating like that, for example.

kccqzy 13 hours ago

I personally am not very interested in this research. WeChat is well known not to use end-to-end encryption. Considering that the app is unlikely to adopt end-to-end encryption (likely due to censorship being a business requirement, which was mentioned in the article and previously uncovered by this lab), I don't really feel like I care a whole lot between good non-end-to-end encryption and bad non-end-to-end encryption. Parties that are interested in subverting this kind of encryption, such as governments, likely already collaborate with Tencent to get decrypted messages from the source.

  • palata 13 hours ago

    > I don't really feel like I care a whole lot between good non-end-to-end encryption and bad non-end-to-end encryption.

    That's the difference between "you have to trust WeChat" and "anyone can read your chats". Of course you may not personally be interested because you don't personally use WeChat, but for the billion active users who do, I think it should matter.

    • kccqzy 13 hours ago

      Where did you see that "anyone can read your chats" in this article? Indeed near the beginning of the article in the fourth bullet point the author states "we were unable to develop an attack to completely defeat WeChat’s encryption" right there. The only parties who are interested in expending more effort to break this kind of encryption are just governments, who can simply force Tencent to give up plaintext records.

      • datadeft 12 hours ago

        Yep. Btw the threat model for me is this:

        - against random 3rd party, even WeChat is ok

        - against random black hats, most of chat software is ok, maybe even WeChat

        - against gov agencies, nothing is going to protect you

        When I am in China, I happily use WeChat, including the gazillion services available through it: buying a metro pass, ordering food, getting a battery pack and so on.

        Btw no country could replicate this outside of China, which is an interesting phenomenon. We have endless ads including actual scams and malware distributed by Google Ads yet I cannot buy train tickets in the EU through a single app and order food as well, let alone getting a cab. It would be great though.

        • xvilka 2 hours ago

          Grab in the SEA region could be cited as one more example of such a "super app" too.

      • kadoban 12 hours ago

        > I don't really feel like I care a whole lot between good non-end-to-end encryption and bad non-end-to-end encryption

        Bad non-end-to-end encryption is exactly that: "anyone can read your chats". That's not what the research found, it's just the implication of your original statement.

        • est 8 hours ago

          Please realize, in China, you can't trust your "end" either. It's always infested with spyware with local root access.

        • kccqzy 7 hours ago

          Okay I shouldn't have used the word "bad" here. I should have used "flawed but not detrimental" just like what's described in the article.

      • palata 11 hours ago

        > Where did you see that "anyone can read your chats" in this article?

        I didn't. I answered to what you wrote, which I quoted. But I can quote it again:

        > I don't really feel like I care a whole lot between good non-end-to-end encryption and bad non-end-to-end encryption.

maxglute 11 hours ago

[flagged]

  • throwaway48476 11 hours ago

    By "western encryption" do you mean crypto systems that have been subjected to public scrutiny?

    • maxglute 11 hours ago

      Systems whose scrutiny/reputation is more subject to western "trust me bro". The authors had the courtesy to recognize the TLS drama in the 2010s, and assume it's... better/sufficient now because why, a bunch of US companies, many with teams of ex-US intelligence on internal security teams, are doing the bulk of the scrutinizing.

      PRC seems to like their home-grown cryptography gated behind a language barrier. Maybe they're hedging on the bet that enough diverse implementations are better than eggs in a single basket. Or that the decreasing amount of Chinese fluency in the west is going to add another layer of security/obscurity. Ultimately who knows, other than that the PRC would be idiotic to listen to OTF-ICFP funded recommendations, a program that avoids "focus" on countries with minimal information controls, i.e. if there's a reason not to trust western-scrutinized crypto systems, you likely won't find it from OTF and Citizen Lab.

      • throwaway48476 11 hours ago

        I don't see how the language barrier provides any security. If your threat model is foreign governments and you're rolling your own crypto you have to assume they have plenty of budget for translation. Technology is one of the main collection activities of any spy agency.

        Trust in a crypto system is established by having multiple adversarial parties use it and the system being open to attack for many years without success.

        • maxglute 6 hours ago

          Western spy agencies are already overwhelmed by the volume of PRC cyber activity per recent headlines; meanwhile FVEY is also short of Chinese specialists, and institutions are not generating enough language talent. It's less a budget issue than a bodies issue. Multiple adversarial parties who are still likely cooperating with intelligence - MSS isn't going to get a seat at the table/behind the scenes for western crypto standards.

          Do we really know the system hasn't been attacked without success when there's frequent PRC penetration in the news? What we do know is that the west/US has advantages along the hardware/software stack, so it's smart for the PRC to obfuscate and add complexity at points they can control. And one of OTF's explicit missions, especially for ICFP-funded fellows, is to undermine the PRC-controlled web - it would be incredibly dumb for the PRC to take their advice seriously.

bzmrgonz 12 hours ago

What do you say to observers who would see this analysis as a parallel to the Huawei or TikTok western argument, meaning, "don't let them spy on you, let us spy on you instead!!!"

  • jeltz 11 hours ago

    Isn't this the opposite? It is warning that WeChat's security might be weak since it is using weird non-standard stuff which means everyone might be able to spy on WeChat users, not just China. If WeChat fixed this then only China would be able to spy on the users.

  • two-sandwich 12 hours ago

    Is there something you'd like those observers to hear?

spacebanana7 12 hours ago

I wonder whether WeChat is one of the safest messaging apps because it has the strength to say no to western agencies.

Signal and Matrix can be pressured with a rubber hose if there's enough desire. And I imagine bureaucratic equivalents exist for iMessage and WhatsApp. But the CCP can offer genuine protection to WeChat executives.

  • palata 11 hours ago

    > I wonder whether WeChat is one of the safest messaging apps because it has the strength to say no to western agencies.

    That is not how cryptography works.

    If you use proper end-to-end encryption (e.g. the Signal protocol), and assuming that you use it properly, then the server does not have access to the content of the encrypted messages. So the server cannot be pressured, period. So the Signal protocol is strictly better than a protocol that is audited and found wanting (TFA talking about the WeChat protocol here).

    • vbezhenar 11 hours ago

      Until the next update sends your keys. Do you disassemble every update? I doubt it. In the end it's all about developer trust, because no popular messenger has a thriving multi-client ecosystem after Jabber was abandoned. They all have an "official" blessed client and some even fight third-party clients.

      Not even talking about server side, things are just grim there.

      • hackernudes 10 hours ago

        Signal does a far better job than most. They have open source clients. They sign their builds. The Android build is reproducible (you can build it yourself and it will match exactly what they publish, see https://github.com/signalapp/Signal-Android/blob/main/reprod...). Presumably some people in the world do it.

        Now of course I personally don't check the app shipped to me from the Google Play Store, but at least I could!

        It's not that I disagree with your point at all. There are still many places for world powers to compel companies to spy on users (in both hardware and software). Just want to call out that Signal is doing pretty much the best they can.

  • osamagirl69 12 hours ago

    I have not been following the end-to-end encryption discussion in a while so please excuse my ignorance in asking...

    How does the 'rubber hose' threat apply to Matrix? So long as you are in control of your home server (or at least use a home server you trust), I am not sure who your adversary would pressure.

    • jeltz 11 hours ago

      They could force them to add a backdoor in the Element build uploaded to the app store so they can use that backdoor to attack specific users. This is why we need reproducible builds and code which automatically checks for discrepancies.