[HN Gopher] WhatsApp - Security of End-to-End Encrypted Backups ...
___________________________________________________________________
WhatsApp - Security of End-to-End Encrypted Backups [pdf]
Author : FiloSottile
Score : 92 points
Date : 2021-09-10 17:28 UTC (5 hours ago)
(HTM) web link (www.whatsapp.com)
(TXT) w3m dump (www.whatsapp.com)
| vinay427 wrote:
| WhatsApp currently handles local backups entirely incompetently
| and infuriatingly despite claiming (IMO dishonestly) that the
| feature exists, providing inaccurate and incomplete
| documentation. This is nice to see, but far too little too late
| for me to trust the app for longevity.
|
| I recently had the issue for the second time of losing over a
| year of messages due to dysfunctional WhatsApp backups, about
| which I wrote a blog post of complaints/rants [1]. The user, as
| far as I can tell at least on Android, currently has no viable
| option besides uploading their messages, unencrypted, to Google.
|
| [1] https://vinayh.com/posts/2021-08-28/
| huhtenberg wrote:
| They may say all the right words, but given how Facebook has been
| consistently _behaving_ with respect to people's privacy, all
| this e2e goodness amounts to nothing less than an extremely
| disingenuous and misleading charade. So, yeah, good to know. But,
| no, still have zero trust in FB's implementation of it and won't
| touch it with a long pole.
| baby wrote:
| WhatsApp has been pretty consistent with their track record,
| not every Facebook product is the same but if there's one part
| of the company that's doing really well in terms of security
| and privacy for its users that's the one.
| thesausageking wrote:
| Last week they were fined $270m by the EU for claiming they
| were anonymizing user data like phone numbers when they
| weren't.
| baby wrote:
| that's news to me, had to find a source:
| https://www.theverge.com/2021/9/2/22653747/whatsapp-fine-
| amo...
|
| looks like WhatsApp is appealing, so not a case closed.
|
| > noting that WhatsApp did not properly inform EU citizens
| how it handles their personal data, including how it shares
| that information with its parent company.
|
| I'm not sure I understand these kinds of claims to begin
| with. WhatsApp is Facebook, why would they have to warn
| users that the data is shared?
| thesausageking wrote:
| They did correct their policy to no longer lie to users
| after they were fined. I'm not sure that counts as "doing
| really well in terms of security and privacy for its
| users".
| prawnsalad wrote:
| I can't remember the source so take this as you will, but
| WhatsApp are appealing such a large fine because the
| privacy policy was in the middle of being updated during a
| transition. The policy was correct after the fact and ever
| since.
| ziddoap wrote:
| I must say, it is unclear to me why this is being downvoted --
| it mirrors my exact reaction.
|
| The old saying "Actions speak louder than words" has never been
| more apt. It was just two days ago that Ars & others ran
| "WhatsApp "end-to-end encrypted" messages aren't that private
| after all" [1]. Yet, here we are.
|
| It's a strong "No thanks" from me.
|
| [1] https://arstechnica.com/gadgets/2021/09/whatsapp-end-to-
| end-...
| shawnz wrote:
| Isn't the rollout of this encrypted backup functionality an
| "action"? And isn't the consistent availability of E2E
| encryption in WhatsApp an "action"? Whereas it seems to me
| like the idea that WhatsApp shouldn't be trusted just because
| of who they answer to is merely "words".
| FiloSottile wrote:
| I don't trust Facebook's intentions, but WhatsApp has
| demonstrated consistency in bringing encryption to users.
|
| The ProPublica article that the ones you saw are based on was
| flawed, and has been updated.
| https://twitter.com/propublica/status/1436054877663375372
| ziddoap wrote:
| Thanks for linking that, I had not actually seen the update
| to it. Of course, if one of the parties in E2EE shares the
| message it doesn't constitute a 'break' in E2EE. However,
| what I think was important from the Ars article I linked
| was this statement:
|
| >An "end-to-end" encrypted messaging platform could choose
| to, for example, perform automated AI-based content
| scanning of all messages on a device, then forward
| automatically flagged messages to the platform's cloud for
| further action. Ultimately, privacy-focused users must rely
| on policies and platform trust as heavily as they do on
| technological bullet points.
|
| Which doesn't break E2EE technically, but it certainly
| breaks it in spirit. And yes, I understand that really any
| application could feasibly implement something like this,
| it's not in many people's threat models, etc. However, if I
| had to bet on which company would implement such a feature,
| it would be FB.
|
| It just felt sort of funny, seeing this only a few days
| after all of those articles were written. Of course there
| is no way FB weaved the whole system and documentation
| together in two days, but I can't help but roll my eyes
| slightly at the timing of their release.
| fsociety wrote:
| Your concerns seem reasonable and well-grounded, it's
| just odd to insinuate a conspiracy of how these articles
| were released. It probably was a reaction but it is a
| perfectly reasonable thing to do. WhatsApp is committed
| to being transparent, and this is a part of it. If you are
| highly principled about privacy or doing sketchy things
| yeah... don't trust any software from for-profit
| companies.
| annadane wrote:
| >it is unclear to me why this is being downvoted
|
| I would tell you why, but you're not allowed to according to
| site rules (it rhymes with 'billing')
| gordon_freeman wrote:
| This. Exactly the reason why I use Signal and even though I
| encounter some bugs once in a while, it is the only messaging
| app I trust in respecting my privacy.
| anaganisk wrote:
| We're sorry that we have accidentally introduced a bug, which
| allowed us to mine data and peep into everything.
| pgalvin wrote:
| Helpfully given in the introduction, here is some useful context
| for this change in case some people miss this part:
|
| > Since 2016, all personal messages, calls, video chats and media
| sent on WhatsApp have been end-to-end encrypted. [...]
|
| > WhatsApp's backup management relies on mobile device cloud
| partners, such as Apple and Google, to store backups of the
| WhatsApp data (chat messages, photos, etc.) in Apple iCloud or
| Google Drive. Prior to the introduction of end-to-end encrypted
| backups, backups stored on Apple iCloud and Google Drive were not
| protected by WhatsApp's end-to-end encryption. Now we are
| offering the ability to secure your backups with end-to-end
| encryption before they are uploaded to these cloud services.
| baby wrote:
| And that's why I kept saying "no" to the backup requests in
| WhatsApp.
| sneak wrote:
| Doesn't matter; everyone else you talk to on WhatsApp is
| uploading those same conversations to Apple and Google
| effectively unencrypted.
| baby wrote:
| I mean that's the problem of any protocol in general. Your
| opsec can be great, but if it relies on someone else's
| opsec...
| quaintdev wrote:
| And that is why I don't use WhatsApp. Self-hosted Matrix is
| super awesome.
| 5faulker wrote:
| Still not totally encrypted but getting there.
| beagle3 wrote:
| It used to be encrypted before upload to google, and then ...
| one day it just wasn't (but came with the "candy" that it no
| longer counts against your account quota). I could never find
| any explanation for this, best hypothesis I found is that it's
| a backdoor for law enforcement without admitting it.
|
| I would be surprised, given everything happening in the world
| today, if the new system does not somehow allow law enforcement
| to get access (possibly indirectly, through the app giving the
| key in some weird back channel)
| jbverschoor wrote:
| Deduplication could be a thing
| pgalvin wrote:
| Fwiw, that "encryption" never used your own key or password.
| Facebook held the key, Google held the encrypted blob, and I
| doubt the extra warrant to get data from both companies was a
| huge hurdle.
|
| Definitely was not E2EE before.
| baby wrote:
| Ah so that's how it worked? I heard that concept once and
| thought it was a really interesting way to ensure a user
| wouldn't lose their backup while preventing the company
| from accessing it.
| inasio wrote:
| I'm pretty sure both Apple and Google are very happy with the
| current state of affairs, this system works great to keep
| people locked into iOS or Android, as exporting your data is
| super hard (there were a number of expensive sketchy-looking
| apps that claimed to be able to do this)
| pgalvin wrote:
| https://wabetainfo.com/how-to-migrate-your-chat-history-
| from...
|
| This is possible now (in one direction, so far).
| JohnJamesRambo wrote:
| Does anyone have an NSA address users can just send their backups
| to and cut out the middleman?
| zionic wrote:
| That's actually hilarious. If you lose all 3 of your backup
| sources just FOIA the NSA for their copy!
| erdos4d wrote:
| That doesn't work for them, they want you to think you have
| rights and stuff, it's more fun that way.
| phreack wrote:
| The worst part is even if you disable automatic backups, which
| you should, the app will nevertheless force the creation of a
| backup every day at 2am. And keep 7 days worth of backups at a
| time. Of every single thing it can get its hands on. The amount
| of storage and processing that globally occurs daily due to this,
| that people neither want nor need, is probably jaw dropping.
|
| Many non-tech people I know that are not aware of this have just
| come to terms with the fact that phone storage just runs out
| quicker than it did before, and old phones just lag at 2am for
| mysterious reasons.
| annadane wrote:
| Taking bets on how much of this is an ego trip from Zuck to stick
| it to the Apple people about their child protection controversy
|
| "See? We're not like them"
| AUSNA-ZI wrote:
| End-to-end encryption should mean that the cloud provider doesn't
| have the key to decrypt the data
| 2Gkashmiri wrote:
| Cool. At least now we can pretend the e2e didn't exist till now
| on WhatsApp. According to them only.
|
| https://jknewsline.com/parras-email-whatsapp-data-to-be-acce...
|
| Here is how political vendetta is taken against people. This news
| is just a few months old.
|
| I am not on WhatsApp for a couple of ideological reasons, this
| being one of them
| Andrew_nenakhov wrote:
| It seems that _End-to-end_ (encryption) is now firmly established
| as a buzzword.
|
| I'm not really a cryptographer, but from what I've gathered from
| a whitepaper, it's just an encrypted backup with a fancy system
| that allows users to safely store encryption keys on WhatsApp
| servers. But of course they have to call it end-to-end because
| _users know it is safe_
| upofadown wrote:
| Saving encrypted stuff on a server is more properly known as
| client side encryption[1]. Any instance of cryptography used to
| protect the contents of anything in any way is commonly
| referred to as end to end encryption these days. Fortunately,
| the misuse of the term can serve to identify an entity with
| poor understanding of the technology they are trying to sell you.
|
| [1] https://en.wikipedia.org/wiki/Client-side_encryption
| baby wrote:
| I don't agree, if you were to define end-to-end encrypted
| backup this is what it would be.
| Andrew_nenakhov wrote:
| End-to-end encryption is when two entities communicate and
| establish an encrypted connection between them.
|
| In this case one device makes a backup while another might
| not be even made yet.
|
| (Edit: Rephrased for better clarity)
| baby wrote:
| I'm not sure what you mean by "while another is not yet
| even made"
| Andrew_nenakhov wrote:
| I mean it literally. It might be not yet even assembled
| at a factory, not delivered to its destination country
| and not sold to a user.
| baby wrote:
| Ah, well that doesn't really matter, you can still see
| them as two separate participants in an asynchronous
| protocol.
| Andrew_nenakhov wrote:
| End-to-end encryption is when on one end you encrypt data
| for every remote end that is supposed to decrypt this
| data. That's why it is called end-to-end, because all
| ends are known and nobody can tamper with the correctly
| established communication with correctly verified
| recipient. That's how all e2ee protocols work, otr,
| omemo/signal, etc.
|
| If you do not know what end is going to decrypt it, it is
| just an encryption with a key/password. Anybody who has
| the credentials can access the data.
|
| These WhatsApp backups could be restored by 50 different
| 'ends', so using e2e in this context is incorrect.
| Retric wrote:
| End to end encryption should be as secure as the underlying
| encryption technology, this is only as secure as a user's
| password which 99% of the time is trivially crackable.
|
| It's like equating Fort Knox and a locked car. Fort Knox
| might not be impenetrable, but they really don't provide
| similar levels of protection.
| [deleted]
| whitetrump wrote:
| End-to-end encryption should mean that the cloud provider doesn't
| have access to the key to decrypt the data.
| leonixyz wrote:
| This is ridiculous, they block the account of people for no
| reason, making them lose years of messages, and now they come up
| with encrypted backups... they should focus on improving their
| support. They have only an email address for support. Try to get
| your account unblocked if their AI decides to block you. Good
| luck
| prirun wrote:
| > To decrypt the backup, the key K is needed. Thus, to safeguard K
| in the HSM-based Backup Key Vault, the client performs a
| registration of K with WhatsApp.
|
| > The key to encrypt the backup is secured with a user-provided
| password. The password is unknown to WhatsApp, the user's mobile
| device cloud partners, or any third party. The key is stored in
| the HSM Backup Key Vault to allow the user to recover the key in
| the event the device is lost or stolen. The HSM Backup Key Vault
| is responsible for enforcing password verification attempts and
| rendering the key permanently inaccessible after a certain number
| of unsuccessful attempts to access it. These security measures
| provide protection against brute force attempts to retrieve the
| key.
|
| > Additionally, the users have a choice to use a 64-digit
| encryption key instead of a password, which would require them to
| remember the encryption key themselves or store it manually as in
| this case the key is not sent to the HSM Backup Key Vault
|
| So they do allow not storing the key on their servers, which is
| the only way I know to ensure encrypted backups can't be
| decrypted, but they make it inconvenient by forcing the key to be
| 64 digits, for a strength of 10^64.
|
| They could make "no store" keys much easier by allowing the key
| to be _characters_, so that people could use a sentence or other
| sequence of words as a key and not have to write down or remember
| 64 digits. Using just letters (ignoring case), you'd need at
| least 46 to get equivalent (12x actually) strength. With
| uppercase, lowercase, and digits, you'd only need 36 to get 3x
| the strength of 64 digits.
|
| If users already need to create a password to secure the random
| key stored on WhatsApp servers, it seems the strength of that
| password is really the strength of the whole system. In that
| case, they could just derive a key from the password and use that
| directly as the encryption key. Assuming they actually want to
| protect the backup that is.
|
| Disclaimer: I have never used WhatsApp, but am author of
| HashBackup which does not store your key on any servers.
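
Added example (not from the whitepaper or from any commenter): a toy comparison of the two designs discussed in the comment above, a random key K held behind an attempt-limited vault versus a key derived directly from the password. `ToyVault`, `MAX_ATTEMPTS`, the iteration count and the guess list are assumptions; the quoted text says the password is unknown to WhatsApp, which this sketch does not model, only the attempt counter.

```python
import hashlib, hmac, secrets

MAX_ATTEMPTS = 10   # assumed; the quoted text only says "a certain number"

def kdf(password, salt):
    # Low iteration count keeps the demo fast; not a production setting.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)

class ToyVault:
    """Hypothetical stand-in for the vault: stores K, counts failed attempts."""
    def __init__(self, password, key):
        self.salt = secrets.token_bytes(16)
        self.verifier = kdf(password, self.salt)
        self.key, self.failures = key, 0

    def recover(self, guess):
        if self.key is None:
            raise PermissionError("key permanently inaccessible")
        if hmac.compare_digest(kdf(guess, self.salt), self.verifier):
            self.failures = 0
            return self.key
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.key = None      # K erased: the correct password no longer helps
        return None

def tries_against_vault(vault, guesses):
    """Design A: random K in the vault. Returns (recovered key, guesses tested)."""
    tested = 0
    for g in guesses:
        try:
            key = vault.recover(g)
        except PermissionError:
            break
        tested += 1
        if key is not None:
            return key, tested
    return None, tested

def tries_against_derived_key(salt, tag, guesses):
    """Design B: K = kdf(password). Whoever holds the backup can test offline."""
    for tested, g in enumerate(guesses, 1):
        key = kdf(g, salt)
        if hmac.compare_digest(hmac.new(key, b"backup", "sha256").digest(), tag):
            return key, tested
    return None, len(guesses)

def demo():
    password = "correct horse"                      # constructed sample
    guesses = [f"guess-{i}" for i in range(29)] + [password]
    a = tries_against_vault(ToyVault(password, secrets.token_bytes(32)), guesses)
    salt = secrets.token_bytes(16)
    k_derived = kdf(password, salt)
    tag = hmac.new(k_derived, b"backup", "sha256").digest()
    b = tries_against_derived_key(salt, tag, guesses)
    return a, b, k_derived
```

With the password at position 30 of the guess list, the vault stops answering after 10 wrong guesses, while the derived-key backup can be tested against all 30 with nothing to count the attempts.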
| josh_today wrote:
| Is this _really_ end to end encryption?
| Andrew_nenakhov wrote:
| To me it is just an encryption, which isn't bad, but still.
| sneak wrote:
| Your complete chat history with everyone on WhatsApp, to date,
| has been provided in basically unencrypted form to Apple and
| Google by your conversation partners, which means that it is
| available on demand and without a warrant to US federal
| authorities via FAA Section 702 (commonly known as PRISM, or
| FISA).
|
| This means that even if you stop using it today, there is a huge
| wealth of information about your habits, travel, personal
| identifiers, social graph, location history, and personal
| thoughts and opinions that will be permanently stored associated
| with your name.
|
| Enabling e2e on backups won't purge this information, especially
| if it has already been downloaded by USG from Apple/Google.
|
| If you want to mitigate this, you basically have to move, replace
| all your friends/contacts, never go back to the same
| venues/restaurants/cities, etc., because your existing pattern of
| life is already archived.
|
| Too little, too late.
| prawnsalad wrote:
| I think the expectations of e2ee have been greatly stretched in
| this case. e2ee means that the data is encrypted from device to
| device only and that's it, from one end to another end. If
| someone backs up their device in an unencrypted way then that's
| out of scope for WhatsApp - that's not what e2ee is about.
|
| People that expected full at rest encryption (which is what a
| backup system would include) despite the app never being
| advertised that way would have always needed a large kick to
| realise that isn't the case. Encryption is complicated and you
| can't expect everybody to fully understand what e2ee/at
| rest/etc really means. This whole situation is a learning
| experience for everyone and I wouldn't blame WhatsApp for it
| either. They now know that advertising encryption needs a
| little more explanation.
___________________________________________________________________
(page generated 2021-09-10 23:00 UTC)