←back to thread

Should We Chat, Too? Security Analysis of WeChat's Mmtls Encryption Protocol

(citizenlab.ca)
157 points lladnar | 4 comments | 16 Oct 24 20:06 UTC | HN request time: 0.001s | source
Show context
kccqzy ◴[16 Oct 24 20:36 UTC] No.41863592[source]
I personally am not very interested in this research. WeChat is well known not to use end-to-end encryption. Considering that the app is unlikely to adopt end-to-end encryption (likely due to censorship being a business requirement, which was mentioned in the article and previously uncovered by this lab), I don't really feel like I care a whole lot between good non-end-to-end encryption and bad non-end-to-end encryption. Parties that are interested in subverting this kind of encryption, such as governments, likely already collaborate Tencent to get decrypted messages from the source.
replies(2): >>41863616 #>>41863625 #
palata ◴[16 Oct 24 20:40 UTC] No.41863625[source]
> I don't really feel like I care a whole lot between good non-end-to-end encryption and bad non-end-to-end encryption.

That's the difference between "you have to trust WeChat" and "anyone can read your chats". Of course you may not personally be interested because you don't personally use WeChat, but for the billion active users who do, I think it should matter.

replies(1): >>41863717 #
kccqzy ◴[16 Oct 24 20:48 UTC] No.41863717[source]
Where did you see that "anyone can read your chats" in this article? Indeed near the beginning of the article in the fourth bullet point the author states "we were unable to develop an attack to completely defeat WeChat’s encryption" right there. The only parties who are interested in expending more effort to break this kind of encryption are just governments, who can simply force Tencent to give up plaintext records.
replies(3): >>41863844 #>>41863862 #>>41864256 #
1. kadoban ◴[16 Oct 24 21:03 UTC] No.41863844[source]
> I don't really feel like I care a whole lot between good non-end-to-end encryption and bad non-end-to-end encryption

Bad non-end-to-end encryption is exactly that: "anyone can read your chats". That's not what the research found, it's just the implication of your original statement.

replies(3): >>41865617 #>>41865678 #>>41865789 #
2. est ◴[17 Oct 24 01:35 UTC] No.41865617[source]
Please realize, in China, you can't trust your "end" either. It's always infested with spyware with local root access.
3. ◴[17 Oct 24 01:47 UTC] No.41865678[source]
4. kccqzy ◴[17 Oct 24 02:11 UTC] No.41865789[source]
Okay I shouldn't have used the word "bad" here. I should have used "flawed but not detrimental" just like what's described in the article.