My WhatsApp Security code changed, with no login or logout

old.reddit.com

72 points by mrek0 4 years ago · 28 comments

matthewdgreen 4 years ago

Security codes ("safety numbers" on Signal) are supposed to provide you with a means to detect malicious MITM attacks. Since most users don't check their contacts' numbers out-of-band -- or even verify their own codes regularly -- it's kind of a probabilistic mechanism. In theory these checks should dissuade attacks on the system, but in practice does it?

This post illustrates one of the many reasons the solution is less effective than I would like it to be. Specifically, when the system spits out weird results (changing safety numbers, mismatched numbers) it tends to be hard to diagnose the problem in a way that lets you verify, let alone prove to third parties, that there really was an attack. Since changes and mismatches "just happen", people tend to take warnings less seriously than they would if there was a path to diagnosing the problem. Moreover, from a hypothetical attacker's perspective there isn't much disincentive when most users will just shrug at these problems. I'm not sure there's a perfect solution to this, but I think it would be interesting to make these systems more robust.

  • ianopolous 4 years ago

    Yes, a system with so many false positives will be ignored by users. Warnings should only occur if a genuine problem is detected.

    Ideally we'd all use an append-only Merkle log à la certificate transparency to look up public keys. This is much harder to MITM, and you can do lookups over onion routing to make it even harder. Of course, if your identifiers have PII (like phone numbers in Signal and WhatsApp) this is not going to fly, but that's the bed they made for themselves.

    • gcr 4 years ago

      The system you propose is exactly the design of Keybase! In fact, KB even supports proofs of real-world identities that are themselves signed on the Merkle tree, automatically periodically checked by clients. (However, this still leads to tons of false positives...)

      • ianopolous 4 years ago

        Yep, Keybase was great, apart from being closed source, centralized and not having a viable business model.

    • kfreds 4 years ago

      Oh, a fellow fan of transparency logs!

      I'd love to hear what you think about a log a few colleagues and I have designed. We've tried to get to the essence of transparency logging. It's a minimalistic design, and it doesn't require trusting the log operator.

      www.sigsum.org

  • chucky 4 years ago

    I feel like you are hinting at one solution already. Security features are worthless without education. WhatsApp should give a "step by step guide" on what to do when the safety number changes, and they should block users from continuing to use the app until they have verified that they have taken these steps.

    This is by no means fool-proof, but it would at least work against the problem now where they are basically training users to ignore these dialogs.
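An added illustration of the append-only Merkle log that ianopolous describes above (key lookups backed by a certificate-transparency-style log): this is example code written for this page, not code from any of the commenters or from WhatsApp, Signal, Keybase or Sigsum. It uses RFC 6962-style domain-separated hashing and a constructed three-entry directory; the user names and key bytes are made up. A client that checks an inclusion proof against a published root will reject a key the directory server substitutes without appending it to the log.

```python
import hashlib
from typing import List, Tuple

# Domain separation as in RFC 6962: 0x00 prefix for leaves, 0x01 for inner nodes,
# so a leaf can never be confused with an inner node.
def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def entry(user: str, pubkey: bytes) -> bytes:
    # One log entry binds an identifier to a public key (constructed format).
    return user.encode() + b"\x00" + pubkey

def merkle_root(leaves: List[bytes]) -> bytes:
    """RFC 6962 tree hash: split at the largest power of two smaller than n."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = 1
    while k * 2 < len(leaves):
        k *= 2
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(leaves: List[bytes], index: int) -> List[Tuple[bytes, bool]]:
    """Audit path for leaves[index], bottom-up: (sibling_hash, sibling_is_left)."""
    if len(leaves) == 1:
        return []
    k = 1
    while k * 2 < len(leaves):
        k *= 2
    if index < k:
        return inclusion_proof(leaves[:k], index) + [(merkle_root(leaves[k:]), False)]
    return inclusion_proof(leaves[k:], index - k) + [(merkle_root(leaves[:k]), True)]

def verify_inclusion(leaf: bytes, proof: List[Tuple[bytes, bool]], root: bytes) -> bool:
    """Recompute the root from the leaf and its audit path; compare to the published root."""
    h = leaf_hash(leaf)
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root

def demo() -> Tuple[bool, bool]:
    # Constructed directory; the root would be published/gossiped out of band.
    log = [entry("alice", b"A-key-v1"), entry("bob", b"B-key-v1"), entry("carol", b"C-key-v1")]
    root = merkle_root(log)
    proof = inclusion_proof(log, 1)
    genuine = verify_inclusion(log[1], proof, root)            # Bob's logged key: True
    swapped = verify_inclusion(entry("bob", b"X-key"), proof, root)  # unlogged key: False
    return genuine, swapped
```

A real key rotation is appended as a new entry under a new root, so it is visible to auditors rather than a silent "security code changed" event.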

offbynull 4 years ago

Not directly related to the article, but the other day I saw the "camera in use" indicator in the Android status bar while WhatsApp was open. The camera usage history showed it was being used by WhatsApp at the time (not another app), but I wasn't making use of any feature that required a camera at that time (browsing contacts).

I doubt it was nefarious. Anyone know why something like this would happen? Is there some internal calibration going on or maybe a bug? I disabled WhatsApp's camera permission immediately afterwards.

  • otachack 4 years ago

    I don't use WhatsApp anymore but I do remember a nifty feature where you can swipe right from the contact list to the camera. What was interesting is you can gradually swipe and the camera seemed always on so you can see the preview viewfinder displaying live feed while swiping.

    I imagine for that to work it needed my camera to always be permitted by WhatsApp, and now with Android's latest version where it shows what's using your live mic or camera, FB didn't bother updating the above feature.

    Just my hypothesis!

  • alfiedotwtf 4 years ago

    > I doubt it was nefarious

    Given they're a Facebook company, I'm not sure why you'd doubt it was nefarious.

  • capableweb 4 years ago

    Was just gonna mention something similar but on iOS and with the microphone: opened WhatsApp and the "Using microphone" thing started showing for about 5-6 seconds before disappearing. Turned off most permissions after that and will only enable them when I know I need them for specific things.

trulyrandom 4 years ago

I believe that this has something to do with the new WhatsApp Desktop beta for multi-device. Every time I log in with a new device, I see the "security code changed" message.

  • GekkePrutser 4 years ago

    Yes and every time you add a new browser it changes your security code again.

    It's a bit annoying because it undermines the value of the security notification. People get used to it (the boy who cried wolf). I used to get people asking if things were ok if I moved to a new device. This won't happen anymore when people get ten of these a day.

    • mellowagain 4 years ago

      Interestingly enough, my contacts didn't receive the "security code changed" message for me, while I did in all my chats with them once I added a new device. Did you check with your contacts whether they actually see the message as well?

      • trulyrandom 4 years ago

        Yes, two contacts of mine asked me what happened after they received multiple "security code changed" messages.

timvisee 4 years ago

These 'Security codes' are problematic. WhatsApp servers can force regeneration, allowing them to set up a MitM. Users may compare their codes to confirm their channel is secure, but nobody does that.

Kiro 4 years ago

Readable link on mobile: https://www.reddit.com/r/whatsapp/comments/qmwtyn/my_securit...

shp0ngle 4 years ago

Yeah nobody really cares about those… people get new phones or, (in case of GPG) forget to renew their certificates so often that people just ignore this stuff.

This is a problem that is as old as public key cryptography and nobody really solved it since… uhhh the 90s? I don’t know

kenjackz 4 years ago

I do think that it is caused by some kind of a glitch in their back-end. They should probably do something about this as soon as possible.

darkwater 4 years ago

I had this when enabling the new web experience beta. Maybe they enabled it for everyone (or for a big enough group of users)?

  • comprev 4 years ago

    I was on the desktop Beta feature briefly, but it was incompatible with anyone who wasn't.... pretty useless to me, so I reverted. Surprised to see it rolled out this morning (EU).

SMVS 4 years ago

I wonder why the founders left? I'm sure it has nothing to do with "end to end" encryption of WhatsApp being a spoof game since Z took charge.
