[HN Gopher] WhatsApp - Security of End-to-End Encrypted Backups ...
___________________________________________________________________
WhatsApp - Security of End-to-End Encrypted Backups [pdf]
Author : FiloSottile
Score : 92 points
Date : 2021-09-10 17:28 UTC (5 hours ago)
(HTM) web link (www.whatsapp.com)
(TXT) w3m dump (www.whatsapp.com)

| vinay427 wrote:
| WhatsApp currently handles local backups entirely incompetently
| and infuriatingly despite claiming (IMO dishonestly) that the
| feature exists, providing inaccurate and incomplete
| documentation. This is nice to see, but far too little too late
| for me to trust the app for longevity.
|
| I recently had the issue for the second time of losing over a
| year of messages due to dysfunctional WhatsApp backups, about
| which I wrote a blog post of complaints/rants [1]. The user, as
| far as I can tell at least on Android, currently has no viable
| option besides uploading their messages, unencrypted, to Google.
|
| [1] https://vinayh.com/posts/2021-08-28/

| huhtenberg wrote:
| They may say all the right words, but given how Facebook has been
| consistently _behaving_ with respect to people's privacy, all
| this e2e goodness amounts to nothing less than an extremely
| disingenuous and misleading charade. So, yeah, good to know. But,
| no, still have zero trust in FB's implementation of it and won't
| touch it with a long pole.

| baby wrote:
| WhatsApp has been pretty consistent with their track record,
| not every Facebook product is the same but if there's one part
| of the company that's doing really well in terms of security
| and privacy for its users that's the one.

| thesausageking wrote:
| Last week they were fined $270m by the EU for claiming they
| were anonymizing user data like phone numbers when they
| weren't.

| baby wrote:
| that's news to me, had to find a source:
| https://www.theverge.com/2021/9/2/22653747/whatsapp-fine-amo...
|
| looks like WhatsApp is appealing, so not a case closed.
|
| > noting that WhatsApp did not properly inform EU citizens
| how it handles their personal data, including how it shares
| that information with its parent company.
|
| I'm not sure I understand these kinds of claims to begin
| with. WhatsApp is Facebook, why would they have to warn
| users that the data is shared?

| thesausageking wrote:
| They did correct their policy to no longer lie to users
| after they were fined. I'm not sure that counts as "doing
| really well in terms of security and privacy for its
| users".

| prawnsalad wrote:
| I can't remember the source so take this as you will, but
| WhatsApp are appealing such a large fine because the
| privacy policy was in the middle of being updated during a
| transition. The policy was correct after the fact and ever
| since.

| ziddoap wrote:
| I must say, it is unclear to me why this is being downvoted --
| it mirrors my exact reaction.
|
| The old saying "Actions speak louder than words" has never been
| more apt. It was just two days ago that Ars & others ran
| "WhatsApp "end-to-end encrypted" messages aren't that private
| after all" [1]. Yet, here we are.
|
| It's a strong "No thanks" from me.
|
| [1] https://arstechnica.com/gadgets/2021/09/whatsapp-end-to-end-...

| shawnz wrote:
| Isn't the rollout of this encrypted backup functionality an
| "action"? And isn't the consistent availability of E2E
| encryption in WhatsApp an "action"? Whereas it seems to me
| like the idea that WhatsApp shouldn't be trusted just because
| of who they answer to is merely "words".

| FiloSottile wrote:
| I don't trust Facebook's intentions, but WhatsApp has
| demonstrated consistency in bringing encryption to users.
|
| The ProPublica article that the ones you saw are based on was
| flawed, and has been updated.
| https://twitter.com/propublica/status/1436054877663375372

| ziddoap wrote:
| Thanks for linking that, I had not actually seen the update
| to it.
| Of course, if one of the parties in E2EE shares the
| message it doesn't constitute a 'break' in E2EE. However,
| what I think was important from the Ars article I linked
| was this statement:
|
| >An "end-to-end" encrypted messaging platform could choose
| to, for example, perform automated AI-based content
| scanning of all messages on a device, then forward
| automatically flagged messages to the platform's cloud for
| further action. Ultimately, privacy-focused users must rely
| on policies and platform trust as heavily as they do on
| technological bullet points.
|
| Which doesn't break E2EE technically, but it certainly
| breaks it in spirit. And yes, I understand that really any
| application could feasibly implement something like this,
| it's not in many people's threat models, etc. However, if I
| had to bet on which company would implement such a feature,
| it would be FB.
|
| It just felt sort of funny, seeing this only a few days
| after all of those articles were written. Of course there
| is no way FB weaved the whole system and documentation
| together in two days, but I can't help but roll my eyes
| slightly at the timing of their release.

| fsociety wrote:
| Your concerns seem reasonable and well-grounded, it's
| just odd to insinuate a conspiracy of how these articles
| were released. It probably was a reaction but it is a
| perfectly reasonable thing to do. WhatsApp is committed
| to being transparent, and this is a part of it. If you are
| highly principled about privacy or doing sketchy things
| yeah... don't trust any software from for-profit
| companies.

| annadane wrote:
| >it is unclear to me why this is being downvoted
|
| I would tell you why, but you're not allowed to according to
| site rules (it rhymes with 'billing')

| gordon_freeman wrote:
| This. Exactly the reason why I use Signal and even though I
| encounter some bugs once in a while, it is the only messaging
| app I trust in respecting my privacy.

| anaganisk wrote:
| We're sorry that we have accidentally introduced a bug, which
| allowed us to mine data and peep into everything.

| pgalvin wrote:
| Helpfully given in the introduction, here is some useful context
| for this change in case some people miss this part:
|
| > Since 2016, all personal messages, calls, video chats and media
| sent on WhatsApp have been end-to-end encrypted. [...]
|
| > WhatsApp's backup management relies on mobile device cloud
| partners, such as Apple and Google, to store backups of the
| WhatsApp data (chat messages, photos, etc.) in Apple iCloud or
| Google Drive. Prior to the introduction of end-to-end encrypted
| backups, backups stored on Apple iCloud and Google Drive were not
| protected by WhatsApp's end-to-end encryption. Now we are
| offering the ability to secure your backups with end-to-end
| encryption before they are uploaded to these cloud services.

| baby wrote:
| And that's why I kept saying "no" to the backup requests in
| WhatsApp.

| sneak wrote:
| Doesn't matter; everyone else you talk to on WhatsApp is
| uploading those same conversations to Apple and Google
| effectively unencrypted.

| baby wrote:
| I mean that's the problem of any protocol in general. Your
| opsec can be great, but if it relies on someone else's
| opsec...

| quaintdev wrote:
| And that is why I don't use WhatsApp. Self hosted matrix is
| super awesome.

| 5faulker wrote:
| Still not totally encrypted but getting there.

| beagle3 wrote:
| It used to be encrypted before upload to google, and then ...
| one day it just wasn't (but came with the "candy" that it no
| longer counts against your account quota). I could never find
| any explanation for this, best hypothesis I found is that it's
| a backdoor for law enforcement without admitting it.
|
| I would be surprised, given everything happening in the world
| today, if the new system does not somehow allow law enforcement
| to get access (possibly indirectly, through the app giving the
| key in some weird back channel)

| jbverschoor wrote:
| Deduplication could be a thing

| pgalvin wrote:
| Fwiw, that "encryption" never used your own key or password.
| Facebook held the key, Google held the encrypted blob, and I
| doubt the extra warrant to get data from both companies was a
| huge hurdle.
|
| Definitely was not E2EE before.

| baby wrote:
| Ah so that's how it worked? I heard that concept once and
| thought it was a really interesting way to ensure a user
| wouldn't lose their backup while preventing the company
| from accessing it.

| inasio wrote:
| I'm pretty sure both Apple and Google are very happy with the
| current state of affairs, this system works great to keep
| people locked into iOS or Android, as exporting your data is
| super hard (there were a number of expensive sketchy-looking
| apps that claimed to be able to do this)

| pgalvin wrote:
| https://wabetainfo.com/how-to-migrate-your-chat-history-from...
|
| This is possible now (in one direction, so far).

| JohnJamesRambo wrote:
| Does anyone have an NSA address users can just send their backups
| to and cut out the middleman?

| zionic wrote:
| That's actually hilarious. If you lose all 3 of your backup
| sources just FOIA the NSA for their copy!

| erdos4d wrote:
| That doesn't work for them, they want you to think you have
| rights and stuff, it's more fun that way.

| phreack wrote:
| The worst part is even if you disable automatic backups, which
| you should, the app will nevertheless force the creation of a
| backup every day at 2am. And keep 7 days worth of backups at a
| time. Of every single thing it can get its hands on. The amount
| of storage and processing that globally occurs daily due to this,
| that people neither want nor need, is probably jaw dropping.
|
| Many non-tech people I know that are not aware of this have just
| come to terms with the fact that phone storage just runs out
| quicker than it did before, and old phones just lag at 2am for
| mysterious reasons.

| annadane wrote:
| Taking bets on how much of this is an ego trip from Zuck to stick
| it to the Apple people about their child protection controversy
|
| "See? We're not like them"

| AUSNA-ZI wrote:
| End-to-end encryption should mean that the cloud provider doesn't
| have the key to decrypt the data

| 2Gkashmiri wrote:
| Cool. At least now we can pretend the e2e didn't exist till now
| on WhatsApp. According to them only.
|
| https://jknewsline.com/parras-email-whatsapp-data-to-be-acce...
|
| Here is how political vendetta is taken against people. This news
| is just a few months old.
|
| I am not on WhatsApp for a couple of ideological reasons, this
| being one of them

| Andrew_nenakhov wrote:
| It seems that _End-to-end_ (encryption) is now firmly established
| as a buzzword.
|
| I'm not really a cryptographer, but from what I've gathered from
| a whitepaper, it's just an encrypted backup with a fancy system
| that allows users to safely store encryption keys on WhatsApp
| servers. But of course they have to call it end-to-end because
| _users know it is safe_

| upofadown wrote:
| Saving encrypted stuff on a server is more properly known as
| client side encryption[1]. Any instance of cryptography used to
| protect the contents of anything in any way is commonly
| referred to as end to end encryption these days. Fortunately,
| the misuse of the term can serve to identify an entity with
| poor understanding of the technology they are trying to sell you.
|
| [1] https://en.wikipedia.org/wiki/Client-side_encryption

| baby wrote:
| I don't agree, if you were to define end-to-end encrypted
| backup this is what it would be.

| Andrew_nenakhov wrote:
| End-to-end encryption is when two entities communicate and
| establish an encrypted connection between them.
|
| In this case one device makes a backup while another might
| not be even made yet.
|
| (Edit: Rephrased for better clarity)

| baby wrote:
| I'm not sure what you mean by "while another is not yet
| even made"

| Andrew_nenakhov wrote:
| I mean it literally. It might be not yet even assembled
| at a factory, not delivered to its destination country
| and not sold to a user.

| baby wrote:
| Ah, well that doesn't really matter, you can still see
| them as two separate participants in an asynchronous
| protocol.

| Andrew_nenakhov wrote:
| End to end encryption is when on one end you encrypt data
| for every remote end that is supposed to decrypt this
| data. That's why it is called end-to-end, because all
| ends are known and nobody can tamper with the correctly
| established communication with correctly verified
| recipient. That's how all e2ee protocols work, otr,
| omemo/signal, etc.
|
| If you do not know what end is going to decrypt it, it is
| just an encryption with a key/password. Anybody who has
| the credentials can access the data.
|
| These WhatsApp backups could be restored by 50 different
| 'ends', so using e2e in this context is incorrect.

| Retric wrote:
| End to end encryption should be as secure as the underlying
| encryption technology, this is only as secure as a user's
| password which 99% of the time is trivially crackable.
|
| It's like equating Fort Knox and a locked car. Fort Knox
| might not be impenetrable, but they really don't provide
| similar levels of protection.

| [deleted]

| whitetrump wrote:
| End-to-end encryption should mean that the cloud provider doesn't
| have access to the key to decrypt the data.

| leonixyz wrote:
| This is ridiculous, they block the account of people for no
| reason, making them lose years of messages, and now they come up
| with encrypted backups...
| they should focus on improving their
| support. They have only an email address for support. Try to get
| your account unblocked if their AI decides to block you. Good
| luck

| prirun wrote:
| > To decrypt the backup, the key K is needed. Thus, to safeguard K
| in the HSM-based Backup Key Vault, the client performs a
| registration of K with WhatsApp.
|
| > The key to encrypt the backup is secured with a user-provided
| password. The password is unknown to WhatsApp, the user's mobile
| device cloud partners, or any third party. The key is stored in
| the HSM Backup Key Vault to allow the user to recover the key in
| the event the device is lost or stolen. The HSM Backup Key Vault
| is responsible for enforcing password verification attempts and
| rendering the key permanently inaccessible after a certain number
| of unsuccessful attempts to access it. These security measures
| provide protection against brute force attempts to retrieve the
| key.
|
| > Additionally, the users have a choice to use a 64-digit
| encryption key instead of a password, which would require them to
| remember the encryption key themselves or store it manually as in
| this case the key is not sent to the HSM Backup Key Vault
|
| So they do allow not storing the key on their servers, which is
| the only way I know to ensure encrypted backups can't be
| decrypted, but they make it inconvenient by forcing the key to be
| 64 digits, for a strength of 10^64.
|
| They could make "no store" keys much easier by allowing the key
| to be _characters_, so that people could use a sentence or other
| sequence of words as a key and not have to write down or remember
| 64 digits. Using just letters (ignoring case), you'd need at
| least 46 to get equivalent (12x actually) strength. With
| uppercase, lowercase, and digits, you'd only need 36 to get 3x
| the strength of 64 digits.
|
| If users already need to create a password to secure the random
| key stored on WhatsApp servers, it seems the strength of that
| password is really the strength of the whole system. In that
| case, they could just derive a key from the password and use that
| directly as the encryption key. Assuming they actually want to
| protect the backup that is.
|
| Disclaimer: I have never used WhatsApp, but am author of
| HashBackup which does not store your key on any servers.

| josh_today wrote:
| Is this _really_ end to end encryption?

| Andrew_nenakhov wrote:
| To me it is just an encryption, which isn't bad, but still.

| sneak wrote:
| Your complete chat history with everyone on WhatsApp, to date,
| has been provided in basically unencrypted form to Apple and
| Google by your conversation partners, which means that it is
| available on demand and without a warrant to US federal
| authorities via FAA Section 702 (commonly known as PRISM, or
| FISA).
|
| This means that even if you stop using it today, there is a huge
| wealth of information about your habits, travel, personal
| identifiers, social graph, location history, and personal
| thoughts and opinions that will be permanently stored associated
| with your name.
|
| Enabling e2e on backups won't purge this information, especially
| if it has already been downloaded by USG from Apple/Google.
|
| If you want to mitigate this, you basically have to move, replace
| all your friends/contacts, never go back to the same
| venues/restaurants/cities, etc., because your existing pattern of
| life is already archived.
|
| Too little, too late.

| prawnsalad wrote:
| I think the expectations of e2ee have been greatly stretched in
| this case. e2ee means that the data is encrypted from device to
| device only and that's it, from one end to another end. If
| someone backs up their device in an unencrypted way then that's
| out of scope for WhatsApp - that's not what e2ee is about.
|
| People that expected full at rest encryption (which is what a
| backup system would include) despite the app never being
| advertised that way would have always needed a large kick to
| realise that isn't the case. Encryption is complicated and you
| can't expect everybody to fully understand what e2ee/at
| rest/etc really means. This whole situation is a learning
| experience for everyone and I wouldn't blame WhatsApp for it
| either. They now know that advertising encryption needs a
| little more explanation.
___________________________________________________________________
(page generated 2021-09-10 23:00 UTC)
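
An added example, not part of the thread: it checks the key-length figures in prirun's comment and contrasts an attempt-limited vault holding a random K with a key derived directly from the password. `ToyVault`, the 10-attempt limit, the PBKDF2 parameters and the sample PIN are assumptions made for illustration, not WhatsApp's protocol.

```python
import hashlib, hmac, secrets

TARGET = 10 ** 64  # keyspace of the 64-digit key discussed in the thread

def min_length(alphabet_size, target=TARGET):
    """Smallest n with alphabet_size**n >= target, and the surplus factor."""
    n = 1
    while alphabet_size ** n < target:
        n += 1
    return n, alphabet_size ** n // target

def kdf(password, salt):
    # Low iteration count so the demo runs fast (assumption, not a recommendation).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)

class ToyVault:
    """Simplified attempt-limited vault: erases K after max_attempts misses."""
    def __init__(self, password, max_attempts=10):  # limit is an assumption
        self.salt = secrets.token_bytes(16)
        self._verifier = kdf(password, self.salt)
        self._key = secrets.token_bytes(32)  # K is independent of the password
        self._left = max_attempts

    def recover(self, password):
        if self._key is None:
            return None  # permanently inaccessible
        if hmac.compare_digest(kdf(password, self.salt), self._verifier):
            return self._key
        self._left -= 1
        if self._left == 0:
            self._key = None  # wipe K: no later guess can succeed
        return None

def tries_needed(check, candidates):
    """1-based index of the first accepted candidate, or None if none is."""
    for i, guess in enumerate(candidates, 1):
        if check(guess):
            return i
    return None

# Constructed sample: a 3-digit PIN stands in for a guessable password.
PIN = "742"
CANDIDATES = [f"{i:03d}" for i in range(1000)]

def compare():
    vault = ToyVault(PIN)
    via_vault = tries_needed(lambda g: vault.recover(g) is not None, CANDIDATES)
    # Password-derived key: the ciphertext itself answers every guess,
    # so no counter can limit how many are tested.
    salt = secrets.token_bytes(16)
    backup_key = kdf(PIN, salt)
    derived = tries_needed(lambda g: hmac.compare_digest(kdf(g, salt), backup_key), CANDIDATES)
    return via_vault, derived, vault.recover(PIN)
```

`compare()` shows both sides of the trade-off: the vault stops sequential guessing after ten misses, but the same wipe also locks out the legitimate owner, while the password-derived key falls to plain enumeration of the candidate list.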