
157 points lladnar | 1 comments
thimabi ◴[] No.41864030[source]
WeChat using a custom protocol like MMTLS instead of sticking with something solid like TLS 1.3 is a risky move. Rolling your own crypto almost always leads to trouble. Of course, there may be ulterior motives behind Tencent’s decision, and users have little power to change it. For an app with over a billion users, that’s pretty concerning.
replies(2): >>41864971 #>>41871490 #
tptacek ◴[] No.41864971[source]
Is it concerning? It's not end-to-end secure to begin with.
replies(1): >>41865014 #
thimabi ◴[] No.41865014[source]
It is insecure depending on one’s threat model. Though I agree end-to-end encryption would be the best practice.
replies(2): >>41865086 #>>41865601 #
1. est ◴[] No.41865601[source]
> end-to-end encryption would be the best practice

If you think about it, no it's not in this case.

The "end" you are referring to here is mostly Chinese Android phones.

The system just hooks into your apk, reads your (encrypted) sqlite3 local data, or screen-reads your UI for content.

Even WeChat realized how bad the landscape was, so they even rolled out an in-house "input method" for "privacy concerns"