Neither WhatsApp nor The Guardian are having a good day.
The UK-based newspaper published a scathing exclusive report early Friday morning, purporting to reveal disturbing news about the encryption used by WhatsApp’s, the Facebook-owned messaging service. Almost as soon as the article went live, however, security experts took to the internet to publicly question the nature of its claims.
Late in the day Friday, Open Whisper Systems, the team behind the end-to-end encryption service used by WhatsApp and secure messaging client Signal, published a blog post in response to the article. The post refuted The Guardian‘s claims at length, expressing the team’s disappointment with the way in which the news was reported.
According to The Guardian‘s article, WhatsApp has a glaring security flaw in the manner its end-to-end encryption is set up, which creates a wide-open backdoor which “allows snooping” by Facebook — and, by extension, government agencies or others who might gain access to it by legitimate or nefarious means.
The Guardian story reports that WhatsApp’s encryption is vulnerable when a user sends a message to a contact who is offline. When that happens, the end-to-end encryption is, in a sense, broken, since one of the ends no longer exists. In that case, the service creates a new set of encryption keys for the offline user so the message can they can still get it when they come back online. (For a primer on encryption, check out this helpful video or view it at the bottom of this post.)
However, WhatsApp doesn’t alert either the sender or the recipient about of the change, and the messages are caught in a kind of limbo in the meantime, the security of which is unclear — at least until the recipient comes back online. According to the Guardian, this “effectively allows WhatsApp to intercept and read users’ messages.”
By comparison, Signal doesn’t automatically resend offline messages like WhatsApp does, theoretically making those messages more secure.
Information security experts were turned off by the article. Complaining on Twitter, they were critical of The Guardian‘s reporting. Frederic Jacobs, who actually worked on Signal with Open Whisper Systems, the service’s developer, even added his voice to the discussion:
It’s ridiculous that this is presented as a backdoor. If you don’t verify keys, authenticity of keys is not guaranteed. Well known fact.
— Frederic Jacobs (@FredericJacobs) January 13, 2017
The Guardian report cited UC Berkely PhD student Tobias Boelter as having discovered the backdoor and claimed to have an “exclusive” on his findings. But that’s not quite true.
As reported, Boelter notified Facebook of the vulnerability back in April 2016. The company then called the issue “expected behavior,” confirming the existence of the issue and admitting it to be a feature of the service instead of a “backdoor,” telling him “…for now it’s not something we’re actively working on changing.”
In addition to contacting Facebook, Boelter detailed his findings on the vulnerability in a blog post. It wasn’t published on an outlet like The Guardian — but Boelter’s reports on the subject have been online for the better part of a year.
When contacted by Mashable via email, Boelter clarified his role in the report. “I gave a 5-minute lightning talk at 33c3 in Hamburg on December 30, 2016 and was contacted by a reporter working for the Guardian afterwards,” he said.
Following the article’s publication, Boelter posted on the topic once again, discussing the nature of the issue and admitting the different interpretation of what it represents to end users.
After reaching out to a WhatsApp spokesperson for comment, Mashable received this response:
The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a “backdoor” allowing governments to force WhatsApp to decrypt message streams. This claim is false [emphasis theirs].
WhatsApp does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report.
Later in the day, co-founder of WhatsApp Brian Acton posted a direct response on Reddit, again calling the story “false” and emphatically stating, “WhatsApp would fight any government request to create a backdoor.”
In WhatsApp’s white paper describing the service, it explicitly states, “WhatsApp servers do not have access to the private keys of WhatsApp users, and WhatsApp users have the option to verify keys in order to ensure the integrity of their communication.”
Whether or not this so-called “backdoor” is an issue or a feature depends on your interpretation. In any case, it’s probably the best thing to happen to Signal lately.