WhatsApp's Backdoor Isn't a Backdoor
2017-06-12 -  3:24
(Update 2022-11-18: Twitter at this exact moment doesn't seem to being doing that well, so I made screenshots of the 2 tweets mentioned in this blog post and put them in this blog post)
A few days ago, the CEO of Telegram made a "prediction" that signal would be found to have a backdoor in 5 years, causing people in multiple chatrooms I frequent to say WhatsApp had a backdoor in it, based on the poorly researched article from The Guardian, which can be found here: https://www.theguardian.com/technology/2017/jan/13/whatsapp-backdoor-allows-snooping-on-encrypted-messages
Telegram is a direct competitor to Signal and WhatsApp, so it doesn't surprise me that he's making these accusations, even though the (not on by default) encryption in Telegram is poorly implemented and uses cryptographic primitives and methodology that are known to be weak, but that is a blog post for another time. A good analogy I found for the tweet Pavel Durov made was a tweet from Martijn Grooten saying that this accusation is like the CEO of Pepsi claiming that Coca Cola is deliberately poisoned.
How Modern End-To-End Encryption Works
In modern end-to-end encryption schemes (including the Signal and Telegram protocols), every user has a private signing key to mathematically verify that messages came from them. This signing key is used to sign Diffie-Hellman key exchange (quite often using elliptic curves now) messages to set up a unique encryption key for every message, also known as ephemeral encryption. If you don't have the correct signing key, you can't figure out the encryption keys being used.
The Problem with WhatsApp
An attacker Eve can make a signing private key and trick the user Alice into thinking the attacker is the user Bob. With the default settings, WhatsApp does not notify the user of this signature key change. I would call this far from optimal for how things can work for security, but it's a trade-off for usability, as WhatsApp was not built to be an encrypted chat client when it was first created, but was updated later to include the signal protocol by default.
This is NOT a backdoor though because if Eve can successfully pretend to be Bob and trick Alice, Bob will not be able to read messages sent from Alice to Eve or messages sent from Eve to Alice. The encryption is still end-to-end, but Eve managed to trick Alice into messaging her instead of Bob. I am personally not a fan of this problem existing with the default settings of WhatsApp, but as I said before, it is NOT a backdoor.
The problem is key management. If a user changes keys, it is hard to verify that the user is the correct user without making removing the streamlined user experience that users are used to with WhatsApp. PGP (and pretty much every 2 way encrypted communication scheme) actually suffers from key management problems as well. If someone changes their signing key, you'll have to somehow verify with them that the key is correct, which is a long and manual process, which users generally refuse to do. I don't know anyone who uses PGP for messaging on a regular basis. Even I don't use it for emails more than maybe once or twice a year. It's very tedious and inconvenient. Key management is a hard problem and I don't have an answer to make it as secure as it should be AND convenient for users.
Instead of calling the WhatsApp problem a backdoor (which it isn't), let's work on trying to find a solution to this problem that both keeps the users as secure as possible while also keeping things from getting too inconvenient for users to use it.