Most active commenters

    ←back to thread

    Should We Chat, Too? Security Analysis of WeChat's Mmtls Encryption Protocol

    (citizenlab.ca)
    157 points lladnar | 12 comments | 16 Oct 24 20:06 UTC | HN request time: 0.559s | source | bottom
    Show context
    dtquad ◴[16 Oct 24 20:54 UTC] No.41863765[source]
    The Chinese government has direct access to the WeChat backend so it's unlikely that these weaknesses were government mandated. Probably just the result of overworked 996 developers:

    >The name 996.ICU refers to "Work by '996', sick in ICU", an ironic saying among Chinese developers, which means that by following the "996" work schedule, you are risking yourself getting into the ICU (Intensive Care Unit)

    https://github.com/996icu/996.ICU

    replies(8): >>41863871 #>>41863929 #>>41866186 #>>41866291 #>>41867063 #>>41867793 #>>41869162 #>>41869396 #
    1. daghamm ◴[16 Oct 24 21:16 UTC] No.41863929[source]
    WeChat is basically one of the tools the communist party uses to control the population. If something is on there it is most likely by design.

    Off topic (or is it?): While back a western journalist in China reported that her wechat account was banned 10 minutes after changing her password to "fuckCCP"...

    replies(5): >>41863953 #>>41864287 #>>41865365 #>>41865635 #>>41866132 #
    2. tptacek ◴[16 Oct 24 21:20 UTC] No.41863953[source]
    The point being made in the preceding comment is that the threat model for WeChat already overtly includes its operators being able to puncture its confidentiality. It doesn't make a lot of operational sense to introduce complicated cryptographic backdoors (such as the IV construction, which the authors say could potentially introduce an AES-GCM key/IV brute forcing attack) when you control the keys for all the connections in the first place.
    replies(2): >>41864500 #>>41867645 #
    3. homebrewer ◴[16 Oct 24 22:02 UTC] No.41864287[source]
    I had my account banned for absolutely no reason (I didn't even use it to talk to anyone and was simply learning the interface myself to explain it later to a friend who was traveling to China). You can't infer anything from that story. Their "security" automation is even more paranoid than Google's, that's probably all there's to it.
    4. throwaway48476 ◴[16 Oct 24 22:29 UTC] No.41864500[source]
    Not only control keys, but control the software update mechanism (backdoor a la xz).
    5. olalonde ◴[17 Oct 24 00:47 UTC] No.41865365[source]
    The issue of accounts being banned after a password change is quite common, especially outside of China. This isn't related to the content of the new password.

    Additionally, it's unlikely that the protocol has government-mandated vulnerabilities, as such weaknesses could potentially allow foreign governments to spy on WeChat users that are abroad. The Chinese government doesn't need such weaknesses, as they have access to the servers.

    replies(1): >>41868445 #
    6. mmooss ◴[17 Oct 24 01:40 UTC] No.41865635[source]
    > If something is on there it is most likely by design.

    It's a common mistake to overestimate the 'bad guy'. The Chinese government, like all other large human institutions, certainly does plenty of dumb stuff.

    replies(1): >>41867344 #
    7. lucw ◴[17 Oct 24 03:21 UTC] No.41866132[source]
    The server-side store a full plain text archive with government access is by design. the weak encryption is NOT by design. It's due to incompetent programmers.
    8. shiroiushi ◴[17 Oct 24 07:46 UTC] No.41867344[source]
    Hanlon's Razor: never ascribe to malice that which can be adequately explained by incompetence or stupidity.
    9. randomNumber7 ◴[17 Oct 24 08:49 UTC] No.41867645[source]
    And the argument is pretty weak. It doesnt cost them much to introduce cryptographic backdoors. Once they have done this they have even more control. It is then also less effort, because you don't have to deal with a company (like WeChat) directly to spy on their customers.
    replies(1): >>41871976 #
    10. Spooky23 ◴[17 Oct 24 11:12 UTC] No.41868445[source]
    “The government” isn’t a single entity. Agents within the bureaucracy have to within rules and policies. And the front door access methods have things like audit trails to prevent internal abuse.

    There are many scenarios where the existence of an official investigation as evidenced by said audit logs is undesirable for a variety of reasons.

    replies(1): >>41869691 #
    11. mschuster91 ◴[17 Oct 24 13:53 UTC] No.41869691{3}[source]
    > Agents within the bureaucracy have to within rules and policies. And the front door access methods have things like audit trails to prevent internal abuse.

    In Western countries, yes - but even there, abuse and evasion of audit trails is quite common. The most infamous scandal here in Germany was around a cop station that more than not resembled a pig sty when it comes to procedures [1] - after the address of a lawyer representing the victims of the far-right NSU terror crew got leaked to another far-right terror cell, the audit trail led to a precinct in Frankfurt but went cold there as supposedly, the cops there all used a shared account of one of them. IMHO, every single one of these cops should have faced a year or two in jail for that stunt.

    [1] https://taz.de/Ermittlungen-zu-NSU-20-eingestellt/!5989941/

    12. tptacek ◴[17 Oct 24 17:58 UTC] No.41871976{3}[source]
    Look at the weaknesses in this blog post; can you tell me which ones are suggestive of a broadly-useful backdoor that would be deployed to avoid having to deal directly with Tencent, which is already controlled by the CCP?