157 points lladnar | 4 comments
dtquad No.41863765
The Chinese government has direct access to the WeChat backend so it's unlikely that these weaknesses were government mandated. Probably just the result of overworked 996 developers:

>The name 996.ICU refers to "Work by '996', sick in ICU", an ironic saying among Chinese developers, which means that by following the "996" work schedule, you are risking yourself getting into the ICU (Intensive Care Unit)

https://github.com/996icu/996.ICU

daghamm No.41863929
WeChat is basically one of the tools the communist party uses to control the population. If something is on there it is most likely by design.

Off topic (or is it?): A while back a Western journalist in China reported that her WeChat account was banned 10 minutes after changing her password to "fuckCCP"...

1. tptacek No.41863953
The point being made in the preceding comment is that the threat model for WeChat already overtly includes its operators being able to puncture its confidentiality. It doesn't make a lot of operational sense to introduce complicated cryptographic backdoors (such as the IV construction, which the authors say could potentially introduce an AES-GCM key/IV brute forcing attack) when you control the keys for all the connections in the first place.
2. throwaway48476 No.41864500
Not only control keys, but control the software update mechanism (backdoor a la xz).
3. randomNumber7 No.41867645
And the argument is pretty weak. It doesn't cost them much to introduce cryptographic backdoors. Once they have done this they have even more control. It is then also less effort, because you don't have to deal with a company (like WeChat) directly to spy on their customers.
4. tptacek No.41871976
Look at the weaknesses in this blog post; can you tell me which ones are suggestive of a broadly-useful backdoor that would be deployed to avoid having to deal directly with Tencent, which is already controlled by the CCP?