WhatsApp: Facebook's ability to decrypt messages is a "limitation," not a "defect"

Facebook spokespeople and cryptographers say that the way WhatsApp implements Open Whisper Systems' end-to-end encryption protocol (the Signal Protocol), which can let Facebook read certain undelivered messages without either party's knowledge, reflects a "limitation" (a compromise that lets a conversation continue when a correspondent moves to a new device) and not a "defect."

Cryptographic systems have to accommodate some means of "re-keying" a conversation when old keys are lost, expired, or disposed of. WhatsApp's implementation of the Signal Protocol lets the server announce a new key for a recipient who is offline; the sender's client then automatically re-encrypts any messages not yet marked as delivered under that new key and sends them again, with no user intervention. The same re-keying happens legitimately when you install WhatsApp on a new phone: the fresh install generates new keys, and messages that were in flight during the switch are re-encrypted and re-sent so they still arrive.

By making this happen without user intervention, the process is seamless and painless for users. But it also means that a billion users are exposed to a threat model that would be different if re-keying required the sender's confirmation by default. In this model, users are vulnerable to Facebook employees snooping on their conversations; to secret court orders demanding that Facebook spy on them; and to changes in Facebook policy that include surveillance of their conversations. The exposure is bounded, which is the defenders' point: only messages queued for an offline recipient at the moment of the key change are affected, and a sender who has switched on security notifications sees the key change afterwards. But a notification that arrives after the resend does not un-send the message.

Moreover, because Facebook can do this without users' knowledge in a system that users believe to be immune from spying, it might be worth a prosecutor's effort to compel Facebook to do so. A cryptographically clued-in prosecutor might not bother seeking such an order if re-keying required user intervention, because a suspect asked to re-key might grow suspicious and so discover that they are under investigation.

Getting a billion people onto an end-to-end encrypted messaging protocol makes them secure against a very wide range of attackers, regardless of how re-keying is handled. The design compromise of not requiring explicit permission to re-key by default creates vulnerabilities that would otherwise be partially or wholly mitigated; the upside, according to the architects of the system, is that more users are willing to use the encryption because their conversations keep flowing without any technical procedures on their part. Defenders of this decision say that security-conscious users always have the option to change the default (in WhatsApp, by turning on security notifications), while critics say that most people never change defaults, and that being in a high-risk situation doesn't mean you have the technical knowledge to understand why that default should be changed.

Moxie Marlinspike, developer of the encryption protocol used by both Signal and WhatsApp, defended the way WhatsApp behaves.

"The fact that WhatsApp handles key changes is not a 'backdoor,'" he wrote in a blog post. "It is how cryptography works. Any attempt to intercept messages in transmit by the server is detectable by the sender, just like with Signal, PGP, or any other end-to-end encrypted communication system."

He went on to say that, while it's true that Signal, by default, requires a sender to manually verify keys and WhatsApp does not, both approaches have potential security and performance drawbacks. For instance, many users don't understand how to go about verifying a new key and may turn off encryption altogether if it prevents their messages from going through or generates error messages that aren't easy to understand. Security-conscious users, meanwhile, can enable security notifications and rely on a "safety number" to verify new keys. He continued:

Given the size and scope of WhatsApp's user base, we feel that their choice to display a non-blocking notification is appropriate. It provides transparent and cryptographically guaranteed confidence in the privacy of a user's communication, along with a simple user experience. The choice to make these notifications "blocking" would in some ways make things worse. That would leak information to the server about who has enabled safety number change notifications and who hasn't, effectively telling the server who it could MITM transparently and who it couldn't; something that WhatsApp considered very carefully.
Even if others disagree about the details of the UX, under no circumstances is it reasonable to call this a "backdoor," as key changes are immediately detected by the sender and can be verified.
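To make the dispute concrete, here is an added toy model (not WhatsApp, Signal or Open Whisper Systems code) of the re-keying behaviour described above and of the information leak Marlinspike raises: a sender, a recipient, and a relay server that also publishes the recipient's current public key. The server announces a new key while the recipient is offline, and the sender's client either re-encrypts its undelivered message under the new key and resends it at once (the non-blocking behaviour) or holds it until the user verifies the key (the blocking behaviour). The encryption is a deliberately minimal ephemeral-static Diffie-Hellman over a MODP group with a hash keystream and HMAC tag, there only so that "just the matching private key can read it" is actually true; the policy names, the `Server`/`Sender` classes and the sample message are all constructed for the example.

```python
"""Toy model of a client handling a recipient key change while messages are
still undelivered.  Added example, not WhatsApp/Signal/Open Whisper Systems
code.  DH + hash keystream + HMAC is used only so that "only the matching
private key can read it" is really true; it is not a secure design."""
import hashlib
import hmac
import secrets
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Optional

# 1024-bit MODP prime from RFC 2409 (group 2); undersized, for the demo only.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

KeyPair = namedtuple("KeyPair", "priv pub")

def generate_keypair() -> KeyPair:
    priv = secrets.randbelow(P - 2) + 1
    return KeyPair(priv, pow(G, priv, P))

def _xor_stream(key: bytes, data: bytes) -> bytes:
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_for(recipient_pub: int, plaintext: bytes) -> dict:
    eph = generate_keypair()                       # ephemeral-static DH
    key = hashlib.sha256(pow(recipient_pub, eph.priv, P).to_bytes(128, "big")).digest()
    ct = _xor_stream(key, plaintext)
    return {"eph_pub": eph.pub, "ct": ct, "tag": hmac.new(key, ct, hashlib.sha256).digest()}

def decrypt_with(kp: KeyPair, msg: dict) -> Optional[bytes]:
    """Plaintext, or None when kp is not the key the message was encrypted for."""
    key = hashlib.sha256(pow(msg["eph_pub"], kp.priv, P).to_bytes(128, "big")).digest()
    if not hmac.compare_digest(hmac.new(key, msg["ct"], hashlib.sha256).digest(), msg["tag"]):
        return None
    return _xor_stream(key, msg["ct"])

@dataclass
class Server:
    """Relays ciphertext and answers "what is the recipient's current key?"."""
    published_pub: int
    queue: list = field(default_factory=list)      # ciphertexts not yet delivered
    mitm: Optional[KeyPair] = None

    def current_key(self) -> int:
        return self.mitm.pub if self.mitm else self.published_pub

    def force_rekey(self) -> None:
        # Announce a "new device" key for an offline recipient; the server keeps the private half.
        self.mitm = generate_keypair()

    def readable_by_server(self) -> list:
        if self.mitm is None:
            return []
        return [pt for m in self.queue if (pt := decrypt_with(self.mitm, m)) is not None]

@dataclass
class Sender:
    server: Server
    policy: str                 # "resend" (non-blocking) or "block"
    notify: bool                # is the key-change notification switched on?
    known_pub: int
    undelivered: list = field(default_factory=list)   # plaintexts awaiting delivery
    notifications: list = field(default_factory=list)
    held: list = field(default_factory=list)

    def send(self, plaintext: bytes) -> None:
        self.undelivered.append(plaintext)
        self.server.queue.append(encrypt_for(self.known_pub, plaintext))

    def on_key_change(self) -> None:
        new_pub = self.server.current_key()
        if new_pub == self.known_pub:
            return
        if self.notify or self.policy == "block":
            self.notifications.append(new_pub)    # user may now compare safety numbers
        if self.policy == "resend":
            # Non-blocking: re-encrypt undelivered messages under the unverified new key and resend now.
            self.known_pub = new_pub
            for pt in self.undelivered:
                self.server.queue.append(encrypt_for(new_pub, pt))
        else:
            self.held = list(self.undelivered)    # blocking: wait for the user

def run(policy: str, notify: bool = False) -> dict:
    recipient = generate_keypair()
    server = Server(published_pub=recipient.pub)
    sender = Sender(server, policy, notify, known_pub=recipient.pub)
    sender.send(b"meet at the usual place, 9pm")   # constructed sample message
    server.force_rekey()        # recipient is offline; server swaps the key
    sender.on_key_change()      # the client reacts according to its policy
    return {"server_read": server.readable_by_server(),
            "sender_notified": bool(sender.notifications),
            "resend_seen_by_server": len(server.queue) > 1,   # the leak Marlinspike describes
            "held_for_user": len(sender.held)}

if __name__ == "__main__":
    for pol, nt in (("resend", False), ("resend", True), ("block", False)):
        print(pol, "notify" if nt else "silent", run(pol, nt))
```

Running the three scenarios shows both sides of the argument at once. With `resend`, the server reads the queued message whether or not notifications are on; turning them on only tells the sender afterwards. With `block`, the server reads nothing, but it also sees that no re-encrypted copy arrived, which is exactly how a blocking client reveals to the server which users it could not intercept unnoticed.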

Reported "backdoor" in WhatsApp is in fact a feature, defenders say [Dan Goodin/Ars Technica]