Dan Jones
@danwilshirejones.bsky.social
Reposted by Dan Jones
scwpod.bsky.social
NEW EPISODE!

It seems like everyone that deploys E2EE encrypted cloud storage seems to mess it up, often in new and creative ways. Our special guests Matilda Backendal, Jonas Hofmann, & Kien Tuong Truong give us a tour & discuss how to actually build one securely:

www.youtube.com/watch?v=sizL...
danwilshirejones.bsky.social
... who have to constantly monitor the UI for changes to the member list. And it is a burden that is unnecessary: Signal deploys cryptographic control of group membership at scale, for example. Thanks @dangoodin.bsky.social for your coverage of our work in this piece: arstechnica.com/security/202...
WhatsApp provides no cryptographic management for group messages
The weakness creates the possibility of an insider or hacker adding rogue members.
danwilshirejones.bsky.social
Our reverse-engineering work also confirms what many in the cryptographic community already knew: a malicious server, either Meta or someone who broke into their infrastructure, can add and remove group members at will. This places an unnecessary burden on users...
danwilshirejones.bsky.social
Not all is lost, though! In our analysis, we show that WhatsApp's device revocation functionality presents a nice alternative, enabling users to effectively recover from compromise of a secondary device (like their laptop) as long as their primary device remains uncompromised.
danwilshirejones.bsky.social
We found the same issue during our previous analysis of Matrix. Upon reading the WhatsApp whitepaper, we were hopeful that they did not use session management for the channels that distribute group keys. Unfortunately, this turned out to be a gap in documentation rather than a keen protocol choice.
danwilshirejones.bsky.social
This completely undermines the healing of individual two-party channels after compromise (see prior work dl.acm.org/doi/abs/10.1...). Since WhatsApp (and Signal) use these channels to distribute keys for group messaging, this has a similar (if not worse) impact on the security of group chats.
danwilshirejones.bsky.social
The whitepaper is missing documentation of a few key features, features whose presence (or lack thereof) alters WhatsApp's security guarantees considerably. WhatsApp allows for multiple active Signal channels between devices (like many implementations of the Signal protocol).
www.whatsapp.com
danwilshirejones.bsky.social
To start, it seems that WhatsApp is honestly aiming to provide end-to-end encryption to their users; we saw no signs of funny business. And, for the most part, they achieve this goal. There are some caveats, however.
danwilshirejones.bsky.social
How does WhatsApp implement encrypted group chats? And are they secure? @malb.bsky.social, @bedow.bsky.social and myself were keen to figure this out. After two years of reverse-engineering, analysis and a few too many proofs, I presented our work at Eurocrypt earlier today. So, what did we learn?
Formal Analysis of Multi-Device Group Messaging in WhatsApp
WhatsApp provides end-to-end encrypted messaging to over two billion users. However, due to a lack of public documentation and source code, the specific security guarantees it provides are unclear. Se...
ia.cr