
157 points lladnar | 4 comments
maxglute[dead post] ◴[] No.41864204[source]
[flagged]
1. throwaway48476 ◴[] No.41864218[source]
By "western encryption" do you mean crypto systems that have been subjected to public scrutiny?
replies(1): >>41864354 #
2. maxglute ◴[] No.41864354[source]
Systems whose scrutiny/reputation is more subject to western "trust me bro". Authors had courtesy to recognize TLS drama in 2010s, and assume it's... better/sufficient now because why, a bunch of US companies, many with teams of ex US intelligence on internal security teams, are doing bulk of the scrutinizing.

PRC seems to like their home-grown cryptography gated behind language barrier. Maybe they're hedging on bet that enough diverse implementations better than eggs in single basket. Or the amount of Chinese fluency decreasing in west going to add another layer of security/obscurity. Ultimately who knows, other than PRC would be idiotic to listen to OTF-ICFP funded recommendations, a program that avoids "focus" on countries with minimal information controls, i.e. if there's a reason not to trust western scrutinized crypto systems, you likely won't find it from OTF and citizenlab.

replies(1): >>41864579 #
3. throwaway48476 ◴[] No.41864579[source]
I don't see how the language barrier provides any security. If your threat model is foreign governments and you're rolling your own crypto you have to assume they have plenty of budget for translation. Technology is one of the main collection activities of any spy agency.

Trust in a crypto system is established by having multiple adversarial parties use it and the system being open to attack for many years without success.

replies(1): >>41866224 #
4. maxglute ◴[] No.41866224{3}[source]
Western spy agencies already overwhelmed by volume of PRC cyber activity per recent headlines, meanwhile FVEY also short of Chinese specialists, and institutions not generating enough language talent. It's less budget issue as bodies issue. Multiple adversarial parties who are still likely cooperating with intelligence - MSS isn't going to get a seat at the table/behind the scenes for western crypto standards.

Do we really know system hasn't been attacked without success when there's frequent PRC penetration in the news? What we do know is west/US has advantages along the hardware/software stack, so smart for PRC to obfuscate and add complexity at points they can control. And that one of OTF's explicit missions, especially ICFP funded fellows, is to undermine PRC controlled web - it would be incredibly dumb for PRC to take their advice seriously.