First, it must have been put there deliberately, for either benign or villainous reasons. However, running a story like this without taking the time to carefully evaluate claims of a ‘backdoor’ will ultimately only hurt their readers.”įor something to be a true “backdoor”, it must simultaneously satisfy two criteria beyond simply compromising security or privacy. “It is great that the Guardian thinks privacy is something their readers should be concerned about. The developer who co-authored the Signal protocol used by WhatsApp, Open Whisper Systems’ Moxie Marlinspike, said the backdoor claim was a misnomer: “Under no circumstances is it reasonable to call this a ‘backdoor,’ as key changes are immediately detected by the sender and can be verified.” As a mass-market product, WhatsApp was designed to make itself as transparent as possible and not to bother users with possibly confusing alerts about key pair changes. This also looks more like a design trade-off than a backdoor. The first objection with this is that hiding a malicious key reset indefinitely would be difficult on WhatsApp given the software’s “verify security code” feature that ensures both sides are using the same key and no MiTM is taking place. The issue is that WhatsApp’s servers could, hypothetically, force the resend of a message using a new key under its control without the sender being able to stop that – a man-in-the-middle (MitM) compromise of sorts. In WhatsApp, by apparent contrast, the sending app is simply asked to re-encrypt and re-send the message, something the sender will only be told about if alerting is turned on, after the fact. The message can then be re-encrypted and resent after verification that the recipient is still the same person. In the respected Signal app, whose underlying encryption protocol was adopted by WhatsApp in 2016, messages sent to anyone in this situation are deleted and the sender is informed that something has changed. The report described how the app generates a new key pair for “offline” users, for example when a user loses or changes a phone or phone number and then (after a period of time) reinstalls the app anew. Was this a fair accusation to throw at WhatsApp? The newspaper has since backed away from the emotive word but the fire had been lit. On Friday, The Guardian newspaper accused Facebook’s WhatsApp messaging app of having a “backdoor” security vulnerability on the basis of a security issue revealed to it by researcher, Tobias Boelter of the University of California at Berkeley.
0 kommentar(er)
