Why the WhatsApp backdoor is bad news



The Guardian recently published a story about a backdoor in WhatsApp that allows snooping on encrypted messages. Some people I know asked me if anything like that is relevant for Telegram. The short answer is no, but let's have a closer look.

First of all, let me explain why the WhatsApp backdoor is bad news.

WhatsApp can send your private messages to China

Since last year, WhatsApp promises end-to-end encryption for all messages sent using their app. It's already come out that WhatsApp violates this promise by pushing users into unencrypted third-party backups. [1] The Electronic Frontier Foundation has also criticized them for disabling key change notifications by default.

Now the big news is that WhatsApp can remotely trigger key changes and resend messages using a new key, even when the users didn't request it. As a result, WhatsApp is able to get transcripts of entire conversations without sending any notifications to the participants. A post-factum notification will be sent only if you went to Settings – Account – Security and enabled 'Security notifications' in the past.
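The key-change handling described above, modelled as an added example (not code from WhatsApp, Telegram or the original post): a toy client receives a server-announced key change for a contact, first with the silent resend behaviour and then with a blocking policy that holds undelivered messages until the new key is verified. The names `Contact`, `Result`, `on_key_change` and `fingerprint`, the `blocking` and `notify` flags and the sample keys are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

def fingerprint(public_key: bytes) -> str:
    """Short fingerprint that two users would compare out of band."""
    return hashlib.sha256(public_key).hexdigest()[:16]

@dataclass
class Contact:
    key: bytes                          # key currently used to encrypt to this contact
    verified_fp: Optional[str] = None   # fingerprint the user verified earlier
    pending: List[str] = field(default_factory=list)  # sent, not yet delivered

@dataclass
class Result:
    released: List[Tuple[str, str]]  # (message, fingerprint of the key it now goes to)
    held: List[str]                  # messages kept back until re-verification
    user_notified: bool

def on_key_change(c: Contact, new_key: bytes, blocking: bool, notify: bool) -> Result:
    """Handle a key change announced by the server (hypothetical client logic)."""
    if new_key == c.key:
        return Result([], [], False)
    if blocking:
        # Keep the old key; nothing leaves the device until the user verifies new_key.
        return Result([], list(c.pending), True)
    # Non-blocking: accept the new key at once and resend undelivered messages.
    # The earlier verification (c.verified_fp) is not consulted on this path.
    c.key = new_key
    released = [(m, fingerprint(new_key)) for m in c.pending]
    c.pending.clear()
    return Result(released, [], notify)

def demo(blocking: bool, notify: bool) -> Result:
    old, new = b"constructed-key-A", b"constructed-key-B"  # constructed sample keys
    c = Contact(key=old, verified_fp=fingerprint(old), pending=["msg 1", "msg 2"])
    return on_key_change(c, new, blocking, notify)

if __name__ == "__main__":
    print("default :", demo(blocking=False, notify=False))
    print("blocking:", demo(blocking=True, notify=False))
```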

Meanwhile, WhatsApp claims this in every chat:

"Messages you send to this chat are now secured with end-to-end encryption, which means WhatsApp and third parties can't read them."

This claim is a lie.

WhatsApp has every means, for example, to respond to a data request from an oppressive regime. The New York Times just recently uncovered that Facebook, WhatsApp's parent company, doesn't mind cooperating with oppressive regimes.

How did WhatsApp respond?

WhatsApp's official response was that the backdoor is a "design decision" and that WhatsApp "offers people security notifications to alert them to potential security risks." They did not mention that these "security notifications" are turned off by default, and are well hidden in Settings.

Meanwhile, the WhatsApp FAQ actually discourages you from looking:

"Only you and the person you're communicating with can read what is sent, and nobody in between, not even WhatsApp. [...] All of this happens automatically: no need to turn on settings or set up special secret chats to secure your messages."

This claim is also a lie.

With WhatsApp's default settings, even verifying keys will not protect you from Man-in-the-Middle attacks. [2]

Signal founder and WhatsApp advocate Moxie Marlinspike wrote in a blog post that the WhatsApp server does not know whether or not the user has turned key change notifications on. If true, this would create a risk of getting caught by users who verify keys, should the company attempt to extract data by way of an MitM attack.

But this is where another core problem with WhatsApp takes the stage. We can't know whether Moxie's statement is true or not without looking at the app's code. And WhatsApp's code is proprietary and legally protected from reverse-engineering. [3]

To sum it up

The backdoor news is certainly bad, but it's merely another drop in the bucket. Contrary to the company's claims, there is no way for you to be sure that your recipients are the only ones who can read your messages on WhatsApp:

Other users decide whether your data will go to unencrypted third-party backups unbeknownst to you.

WhatsApp's servers decide which keys to use for encrypting your messages, when to change these keys, and when to re-send the messages. They can send you a postcard when they're done, but only if you found the special setting you weren't supposed to need.

WhatsApp's closed-source clients make it impossible to verify any claims about their end-to-end encryption implementation.

How does Telegram keep your data safe?

By contrast, Telegram's approach is fully transparent. It is the user who decides what kind of encryption will be used for any particular message.

To satisfy people's need for backups and syncing in a safe manner, Telegram's Cloud Chats offer server-client encryption and secure in-house backups. The data centers and the relevant encryption keys are spread across different jurisdictions to protect them from government requests.

For the most sensitive data, Secret Chats guarantee end-to-end encryption. Unlike on WhatsApp, when you send a message into a secret chat, you can be 100% sure that nobody, including the Telegram server, knows the contents of that message.

And what about key changes?

In peacetime, key changes occur when a new device wants to participate in an end-to-end encrypted conversation. [4]

Secret Chats on Telegram are device-specific. As opposed to WhatsApp, they are also session-specific. When you log in on a new device, starting a secret chat creates an entirely new chat, visibly separated from the old one in the recipient's chat list. This serves as a much more prominent indicator that a key change has taken place, and more importantly, this is the default behavior. There's no need to turn on any extra settings.

On top of this, Telegram doesn't have any means of secretly forcing a key change, re-encrypting messages with a compromised key and re-sending messages. This is verifiable too. Not only is Telegram's protocol specification open. Unlike in the case of WhatsApp, the app code is also open. Thanks to this, researchers have all the tools to fully evaluate Telegram's implementation of end-to-end encryption.





Notes

[1] – WhatsApp aggressively pushes users to enable backups to third-party services by Apple and Google. Even if you don't back up your messages, it is extremely likely that your chat partners are doing so. It is likely that they don't even remember dismissing an annoying notification with a "yes" a long time ago. The interface provides no way of knowing whether or not your messages are being backed up. Meanwhile, for group chats of five members, there's a 99% probability that all messages are stored on Apple's or Google's servers in the US.

As Product Manager Randall Sarafa put it, just one month after Google Drive backups were introduced to WhatsApp:

"About 75% of WhatsApp users are on Android, and of our Android users, we have about 40% of them opted into Google Drive backups today. That will likely continue to increase over time, as people get prompted."

[2] – This is because even if you checked and verified your key for a particular contact, nothing prevents the server from silently changing the key after you did this.

[3] – See the WhatsApp Terms of Service, "Acceptable use of our services": "[...] including that you must not directly or through automated means: (a) reverse engineer, [...] decompile, or extract code from our Services."

[4] – Keys are also routinely recycled and updated for the sake of Perfect Forward Secrecy, but this is done over an already end-to-end encrypted channel, so it's irrelevant for the topic at hand.