157 points lladnar | 11 comments
1. kccqzy ◴[] No.41863592[source]
I personally am not very interested in this research. WeChat is well known not to use end-to-end encryption. Considering that the app is unlikely to adopt end-to-end encryption (likely due to censorship being a business requirement, which was mentioned in the article and previously uncovered by this lab), I don't really feel like I care a whole lot between good non-end-to-end encryption and bad non-end-to-end encryption. Parties that are interested in subverting this kind of encryption, such as governments, likely already collaborate with Tencent to get decrypted messages from the source.
replies(2): >>41863616 #>>41863625 #
2. ◴[] No.41863616[source]
3. palata ◴[] No.41863625[source]
> I don't really feel like I care a whole lot between good non-end-to-end encryption and bad non-end-to-end encryption.

That's the difference between "you have to trust WeChat" and "anyone can read your chats". Of course you may not personally be interested because you don't personally use WeChat, but for the billion active users who do, I think it should matter.

replies(1): >>41863717 #
4. kccqzy ◴[] No.41863717[source]
Where did you see that "anyone can read your chats" in this article? Indeed near the beginning of the article in the fourth bullet point the author states "we were unable to develop an attack to completely defeat WeChat’s encryption" right there. The only parties who are interested in expending more effort to break this kind of encryption are just governments, who can simply force Tencent to give up plaintext records.
replies(3): >>41863844 #>>41863862 #>>41864256 #
5. kadoban ◴[] No.41863844{3}[source]
> I don't really feel like I care a whole lot between good non-end-to-end encryption and bad non-end-to-end encryption

Bad non-end-to-end encryption is exactly that: "anyone can read your chats". That's not what the research found, it's just the implication of your original statement.

replies(3): >>41865617 #>>41865678 #>>41865789 #
6. datadeft ◴[] No.41863862{3}[source]
Yep. Btw the threat model for me is this:

- against random 3rd party, even WeChat is ok

- against random black hats, most chat software is ok, maybe even WeChat

- against gov agencies, nothing is going to protect you

When I am in China, I happily use WeChat including the gazillion services available through it. Buying metro pass, ordering food, getting a battery pack and so on.

Btw no country could replicate this outside of China, which is an interesting phenomenon. We have endless ads including actual scams and malware distributed by Google Ads yet I cannot buy train tickets in the EU through a single app and order food as well, let alone getting a cab. It would be great though.

replies(1): >>41867174 #
7. palata ◴[] No.41864256{3}[source]
> Where did you see that "anyone can read your chats" in this article?

I didn't. I replied to what you wrote, which I quoted. But I can quote it again:

> I don't really feel like I care a whole lot between good non-end-to-end encryption and bad non-end-to-end encryption.

8. est ◴[] No.41865617{4}[source]
Please realize, in China, you can't trust your "end" either. It's always infested with spyware with local root access.
9. ◴[] No.41865678{4}[source]
10. kccqzy ◴[] No.41865789{4}[source]
Okay, I shouldn't have used the word "bad" here. I should have used "flawed but not detrimental" just like what's described in the article.
11. xvilka ◴[] No.41867174{4}[source]
Grab in the SEA region could be said to be one more example of such a "super app" too.