←back to thread

Should We Chat, Too? Security Analysis of WeChat's Mmtls Encryption Protocol

(citizenlab.ca)
157 points lladnar | 7 comments | 16 Oct 24 20:06 UTC | HN request time: 0.001s | source | bottom
1. est ◴[17 Oct 24 01:24 UTC] No.41865556[source]
Chinese apps don't need encryption but pretends to, the government had direct access to all clear-text data. If you can't comply your business would be fucked one way or another.

Security researchers need to stop beating the dead horse. The encryption mechanism is mostly used for compliance or certification. In fact many corp-intranet middleboxes can decrypt wechat communications, it's not a bug, it's a feature.

IRL people just treat wechat as somekind of Discord with payment options. If you say something slightly wrong your account would instantly get into trouble. Just assume your wechat chat records are public one way or another.

replies(3): >>41865655 #>>41866400 #>>41870896 #
2. CGamesPlay ◴[17 Oct 24 01:43 UTC] No.41865655[source]
Just to be clear, encryption to hide from broad government surveillance is one valid use for encryption (which WeChat doesn't have), but it is far from the only reason for encrypted communications. Common theives, abusive exes, or overbearing employers are a few others that immediately come to mind.
replies(1): >>41865712 #
3. est ◴[17 Oct 24 01:54 UTC] No.41865712[source]
> Common theives, abusive exes, or overbearing employers

as I commented on other thread, they don't even bother with network protocols.

They just mandate install spyware on your end devices. So E2EE won't help here.

Chinese Android ROMs are notorious for this. Even the phone manufacturers are collecting data

replies(1): >>41866221 #
4. crazylogger ◴[17 Oct 24 04:21 UTC] No.41866400[source]
For one thing, Chinese government does have an incentive to enforce good encryption so that foreign adversaries cannot snoop in on important Chinese communications. Only the Chinese government has access via Tencent’s backend.
replies(1): >>41867441 #
5. Yeul ◴[17 Oct 24 08:10 UTC] No.41867441[source]
The Dutch government is a joke they'll happily communicate via WhatsApp. But then the Netherlands is hardly a geopolitical player.

But surely Chinese officials don't use Wechat?

replies(1): >>41869991 #
6. some_random ◴[17 Oct 24 14:25 UTC] No.41869991{3}[source]
First off the Dutch are pretty important for a few reasons, their ports and cyber program being the first things that pop into my head. As for Wechat, why wouldn't Chinese officials use it? Even if they didn't use it for official work (which they do, to the best of my knowledge), just about everyone there uses it.
7. Beretta_Vexee ◴[17 Oct 24 16:01 UTC] No.41870896[source]
Cryptography has one function: to protect Chinese users from malicious Chinese ISPs. As for DNS over HTTPS, which they use in the majority of their apps to avoid hijacking by traffickers, ads, etc., the cryptography has one function: to protect Chinese users from bad Chinese ISPs and their lying DNS.