
157 points lladnar | 9 comments
1. thimabi ◴[] No.41864030[source]
WeChat using a custom protocol like MMTLS instead of sticking with something solid like TLS 1.3 is a risky move. Rolling your own crypto almost always leads to trouble. Of course, there may be ulterior motives behind Tencent’s decision, and users have little power to change it. For an app with over a billion users, that’s pretty concerning.
replies(2): >>41864971 #>>41871490 #
2. tptacek ◴[] No.41864971[source]
Is it concerning? It's not end-to-end secure to begin with.
replies(1): >>41865014 #
3. thimabi ◴[] No.41865014[source]
It is insecure depending on one’s threat model. Though I agree end-to-end encryption would be the best practice.
replies(2): >>41865086 #>>41865601 #
4. tptacek ◴[] No.41865086{3}[source]
Can you articulate what that threat model would be?
replies(1): >>41865226 #
5. xvector ◴[] No.41865226{4}[source]
You are only okay with the CCP and your recipient knowing your conversation.
replies(1): >>41865293 #
6. tptacek ◴[] No.41865293{5}[source]
That's kind of how I read it too, which makes some of the suppositions here (about the CCP inducing bad protocol design) odd.
replies(1): >>41867816 #
7. est ◴[] No.41865601{3}[source]
> end-to-end encryption would be the best practice

If you think about it, no it's not in this case.

The "end" you are referring to here is mostly Chinese Android phones.

The system just hooks into your APK, reads your (encrypted) sqlite3 local data, or screen-reads your UI for content.

Even WeChat realized how bad the landscape was, so they even rolled out an in-house "input method" for "privacy concerns".

8. im3w1l ◴[] No.41867816{6}[source]
I agree it's probably a mistake but I can also see another possibility:

But first, consider the CCP. The CCP has nearly 100 million members. That's a lot of people. More than many countries. It's not a very exclusive club. Clearly such a large organization cannot be considered as a united whole. It's not just whether "the CCP can read it", it's about which part of the CCP can read it.

Can the low ranking CCP member read the wechat message of the high ranking member fucking his wife? Maybe not? But maybe he would like to? Maybe he knows a mathematician that can help him for a reasonable sum of money? Or maybe someone wants to do a bit of corporate espionage?

In other words, the inner core of the party wants NOBUS, whereas the periphery has incentives to undermine it.

9. toast0 ◴[] No.41871490[source]
The article says WeChat published a document in 2016 regarding MMTLS vs TLS 1.3. The finalized RFC for TLS 1.3 is from August 2018. There were a fair number of changes in the later drafts of TLS 1.3, and little support for it in 2016, so it wasn't a solid choice they could stick to when they needed it.

The comments on MMTLS don't seem that terrible. Is it really a problem to generate an IV once per connection and then increment it? My understanding (which could be wrong) is that's pretty much how people use AES-GCM? Maybe there's a concern about how they generate the IV, but that isn't stated or was lost in translation.

The comment about forward security on shortlink is that that's all in early data, so the PSK is problematic. It'd be early data with a PSK for TLS 1.3 too; eliminating a round trip for crypto establishment is a clear goal to reduce latency in message submission. The comment about longlink connections being long feels like it'd be a problem in TLS 1.3 as well.

From what I can tell, this report is lacking details (which may be in the original Chinese report), but MMTLS looks like WeChat checked out the drafts of TLS 1.3 and did something roughly equivalent, and then tunnels it through whatever connectivity they have. Could they have come back after TLS 1.3 exited draft and redone it with a standard? Sure; does it gain much? Probably not. Switching to QUIC (or TCP fast open) may enable a single round trip for connectivity and crypto establishment, but there needs to be a fallback to regular TCP, because not all clients have UDP connectivity.

Then there are issues with the 'business layer' encryption, but that's not MMTLS.
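The "IV once per connection, then increment" pattern toast0 asks about is what TLS 1.3 standardises for its record layer. Below is an added Go sketch of that nonce construction, not code from the thread, from WeChat or from MMTLS, with the one check a record layer needs so the counter never wraps under the same key; the key and IV used in testing are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// Conn is one write direction of a record layer: a per-connection key and
// IV plus a sequence number that must never repeat under that key.
type Conn struct {
	aead cipher.AEAD
	iv   [12]byte // per-connection write IV (random in practice)
	Seq  uint64   // sequence number of the next record
}

func NewConn(key, iv []byte) (*Conn, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	c := &Conn{aead: aead}
	copy(c.iv[:], iv)
	return c, nil
}

// Nonce derives the per-record nonce as TLS 1.3 does (RFC 8446 section 5.3):
// the 64-bit sequence number, left-padded to 96 bits, XORed into the IV.
func (c *Conn) Nonce(seq uint64) []byte {
	n := make([]byte, 12)
	copy(n, c.iv[:])
	for i := 0; i < 8; i++ { // big-endian seq lands in the low 8 bytes
		n[4+i] ^= byte(seq >> (56 - 8*i))
	}
	return n
}

// Seal encrypts one record and advances the counter. At the end of the
// sequence space it refuses to wrap: a repeated nonce under the same key
// breaks AES-GCM, so the connection must be rekeyed or closed instead.
func (c *Conn) Seal(plaintext, aad []byte) ([]byte, error) {
	if c.Seq == ^uint64(0) {
		return nil, errors.New("sequence exhausted: rekey or close the connection")
	}
	ct := c.aead.Seal(nil, c.Nonce(c.Seq), plaintext, aad)
	c.Seq++
	return ct, nil
}
```

The receiver rebuilds the same nonce from the record number it expects, so no IV travels on the wire; how the per-connection IV itself is generated is a separate question, which is the gap toast0 notes the report leaves open.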