←back to thread

Should We Chat, Too? Security Analysis of WeChat's Mmtls Encryption Protocol

(citizenlab.ca)
157 points lladnar | 1 comments | 16 Oct 24 20:06 UTC | HN request time: 0.001s | source
Show context
spacebanana7 ◴[16 Oct 24 21:35 UTC] No.41864071[source]
I wonder whether WeChat is one of the safest messaging apps because it has the strength to say no to western agencies.

Signal and Matrix can be pressured with a rubber hose if there’s enough desire. And I imagine bureaucratic equivalents exits for iMessage and WhatsApp. But the CCP can offer genuine protection to WeChat executives.

replies(2): >>41864172 #>>41864215 #
osamagirl69 ◴[16 Oct 24 21:47 UTC] No.41864172[source]
I have not been following the end-to-end encryption discussion in a while so please excuse my ignorance in asking...

How does the 'rubber hose' threat apply to Matrix? So long as you are in control of your home server (or at least use a home server you trust) I am not sure who your advisary would pressure.

replies(1): >>41864444 #
jeltz ◴[16 Oct 24 22:23 UTC] No.41864444[source]
They could force them to add a backdoor in the Element build uploaded to the app store so they can use that backdoor to attack specific users. This is why we need reproducible builds and code which automatically check for discrepancies.
replies(1): >>41871057 #
osamagirl69 ◴[17 Oct 24 16:17 UTC] No.41871057[source]
FWIW, the current version of element (X) is published as a reproducible build on f-droid. https://f-droid.org/en/packages/io.element.android.x/
replies(1): >>41873389 #
1. zxilly ◴[17 Oct 24 20:23 UTC] No.41873389{3}[source]
The attack on xz illustrates that even if the code is open source and the build is reproducible, well-designed attacks can still be executed.