Should We Chat, Too? Security Analysis of WeChat's Mmtls Encryption Protocol

(citizenlab.ca)

157 points lladnar | 1 comments | 16 Oct 24 20:06 UTC | HN request time: 0.211s | source

Show context

dtquad ◴[16 Oct 24 20:54 UTC] No.41863765[source]▶

The Chinese government has direct access to the WeChat backend so it's unlikely that these weaknesses were government mandated. Probably just the result of overworked 996 developers:

>The name 996.ICU refers to "Work by '996', sick in ICU", an ironic saying among Chinese developers, which means that by following the "996" work schedule, you are risking yourself getting into the ICU (Intensive Care Unit)

https://github.com/996icu/996.ICU

replies(8): >>41863871 #>>41863929 #>>41866186 #>>41866291 #>>41867063 #>>41867793 #>>41869162 #>>41869396 #

daghamm ◴[16 Oct 24 21:16 UTC] No.41863929[source]▶

>>41863765 #

WeChat is basically one of the tools the communist party uses to control the population. If something is on there it is most likely by design.

Off topic (or is it?): While back a western journalist in China reported that her wechat account was banned 10 minutes after changing her password to "fuckCCP"...

replies(5): >>41863953 #>>41864287 #>>41865365 #>>41865635 #>>41866132 #

olalonde ◴[17 Oct 24 00:47 UTC] No.41865365[source]▶

>>41863929 #

The issue of accounts being banned after a password change is quite common, especially outside of China. This isn't related to the content of the new password.

Additionally, it's unlikely that the protocol has government-mandated vulnerabilities, as such weaknesses could potentially allow foreign governments to spy on WeChat users that are abroad. The Chinese government doesn't need such weaknesses, as they have access to the servers.

replies(1): >>41868445 #

Spooky23 ◴[17 Oct 24 11:12 UTC] No.41868445[source]▶

>>41865365 #

“The government” isn’t a single entity. Agents within the bureaucracy have to within rules and policies. And the front door access methods have things like audit trails to prevent internal abuse.

There are many scenarios where the existence of an official investigation as evidenced by said audit logs is undesirable for a variety of reasons.

replies(1): >>41869691 #

1. mschuster91 ◴[17 Oct 24 13:53 UTC] No.41869691[source]▶

>>41868445 #

> Agents within the bureaucracy have to within rules and policies. And the front door access methods have things like audit trails to prevent internal abuse.

In Western countries, yes - but even there, abuse and evasion of audit trails is quite common. The most infamous scandal here in Germany was around a cop station that more than not resembled a pig sty when it comes to procedures [1] - after the address of a lawyer representing the victims of the far-right NSU terror crew got leaked to another far-right terror cell, the audit trail led to a precinct in Frankfurt but went cold there as supposedly, the cops there all used a shared account of one of them. IMHO, every single one of these cops should have faced a year or two in jail for that stunt.

[1] https://taz.de/Ermittlungen-zu-NSU-20-eingestellt/!5989941/

↑