I occasionally verify my security barcode with friends, and so far have never found any MITMs.
Has anyone ever found barcodes that mismatch, indicating a MITM?
If my understanding is correct, then for this to happen, either someone must be impersonating WhatsApp's server (which involves faking an HTTPS cert), or WhatsApp themselves must be running an evil server. Both of those are quite a high bar, even for a state-sponsored attack.
Some technical experts at GCHQ have publicly suggested using "ghost users" (a kind of server-forced MITM) as a way to wiretap encrypted messaging [0]. The proposal is slightly different from a traditional two-party MITM, since it involves adding additional users to group chats, but the basic idea is similar: legally compel messaging operators (e.g., WhatsApp) to participate in wiretapping. Presumably there are other clandestine agencies who might try to do something similar by illegally compromising service providers.
Key transparency makes standard MITM much more detectable, and so it will significantly dissuade agencies and private actors from investing in those capabilities. It obviously doesn't solve all problems (governments will still be able to hack, and hypothetically even to mandate client changes that disable transparency), but it removes a piece of low-hanging fruit and signals to governments that it isn't worth trying to exploit protocol weaknesses.
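The two detection mechanisms discussed in the thread so far, comparing security codes out of band (the barcode check in the first comment) and checking a served key against a public key-transparency log, as an added illustration that is not code from the thread or from WhatsApp. It assumes toy fixed-byte public keys, a SHA-256 fingerprint rendered as digit groups (not WhatsApp's actual security-code construction), and a simplified hash-chained log standing in for a real Merkle-tree transparency log with inclusion proofs:

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in public keys (fixed bytes, not real key material).
ALICE_PK = bytes.fromhex("a1" * 32)
BOB_PK = bytes.fromhex("b0" * 32)
MITM_PK = bytes.fromhex("ee" * 32)  # key an interposing server would hand out instead


def safety_number(id_a: str, pk_a: bytes, id_b: str, pk_b: bytes, digits: int = 60) -> str:
    """Order-independent fingerprint over both identities and both public keys,
    rendered as digit groups like a messenger 'security code' / QR payload.
    Each party computes it from what their own client was shown, so the two
    results only agree if both clients hold the same pair of keys."""
    h = hashlib.sha256()
    for ident, pk in sorted([(id_a, pk_a), (id_b, pk_b)]):
        h.update(ident.encode("utf-8"))
        h.update(pk)
    n = int.from_bytes(h.digest(), "big") % 10**digits
    s = str(n).zfill(digits)
    return " ".join(s[i:i + 5] for i in range(0, digits, 5))


def simulate_exchange(server_substitutes: bool):
    """Return (Alice's security code, Bob's security code).
    Each side knows its own key for certain and takes the peer's key from the server."""
    bob_as_seen_by_alice = MITM_PK if server_substitutes else BOB_PK
    alice_as_seen_by_bob = MITM_PK if server_substitutes else ALICE_PK
    alice_view = safety_number("alice", ALICE_PK, "bob", bob_as_seen_by_alice)
    bob_view = safety_number("alice", alice_as_seen_by_bob, "bob", BOB_PK)
    return alice_view, bob_view


@dataclass
class TransparencyLog:
    """Append-only, hash-chained log of (user -> public key) bindings.
    Simplified model: a real key-transparency log is a Merkle tree with
    inclusion and consistency proofs, but the property checked below is the same."""
    entries: list = field(default_factory=list)
    heads: list = field(default_factory=list)

    def append(self, user: str, pk: bytes) -> bytes:
        prev = self.heads[-1] if self.heads else b"\x00" * 32
        leaf = hashlib.sha256(user.encode("utf-8") + b"\x00" + pk).digest()
        self.entries.append((user, pk))
        self.heads.append(hashlib.sha256(prev + leaf).digest())
        return self.heads[-1]

    def latest_key(self, user: str):
        for u, pk in reversed(self.entries):
            if u == user:
                return pk
        return None


def check_served_key(log: TransparencyLog, trusted_head: bytes, user: str, served_pk: bytes):
    """Client-side check: the log the server shows must match the head the client
    learned from elsewhere (other clients, auditors), and the key the server handed
    out for `user` must be the one that log records. A substituted key therefore
    either shows up as a split view or as a key not in the public record."""
    if not log.heads or log.heads[-1] != trusted_head:
        return False, "log head differs from the head learned out of band (split view)"
    if log.latest_key(user) != served_pk:
        return False, "served key is not the key recorded in the public log"
    return True, "served key matches the public log"


if __name__ == "__main__":
    for substituted in (False, True):
        a, b = simulate_exchange(substituted)
        print(f"server substitutes={substituted}: codes match={a == b}")
    log = TransparencyLog()
    log.append("alice", ALICE_PK)
    head = log.append("bob", BOB_PK)
    print(check_served_key(log, head, "alice", ALICE_PK))
    print(check_served_key(log, head, "alice", MITM_PK))
```

The first half shows why the in-person barcode comparison works: a server that swaps in its own key for each side leaves the two clients holding different key pairs, so their codes disagree. The second half shows what key transparency adds: the client no longer needs a friend in the room, because the served key is checked against a log whose head is cross-checked with other parties, and a targeted substitution has to either fork the log (visible head mismatch) or serve a key the log does not contain.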
> Key transparency makes standard MITM much more detectable, and so it will significantly dissuade agencies and private actors from investing in those capabilities.
Just the private actors. Agencies would just spend more on it, or investigate side channels that achieve the same ends.
That's the whole point of security: you try to make it too costly for your opponent to do it. That's why you have a threat model: to decide how much is "too costly".
Agencies, the ones you'd care about, don't spare expenses.
If your threat model includes agencies, making an operation expensive isn't your goal because money might as well be infinite. So you target a different resource:
Time.
It would've taken more time to convince Apple to let the FBI into the San Bernardino shooter's phone than it took for the FBI to use a vendor with a crack for that device and OS. Hence.
---
I'm not disagreeing with the value. I'm merely pointing out that if your goal is to tamper with attack economics, you need to target resources that are finite for the adversary. With many state actors, that resource is time.
Agencies have different interests that are much more complex. In particular, the United States government does not want to cause a global iCloud or WhatsApp outage because they were trying to spy on a few potential terrorists. They don’t want to spend a year in FISA court trying to make Meta alter their platform. They don’t want a whistleblower software engineer blowing their operation up. They don’t want half the world to ban US technology companies because they clumsily got caught adding backdoors. Even if none of that happens, they don’t want to risk their precious access getting broken because someone pushes a software update or a new security feature.
Updates like key transparency don’t perfectly prevent all those things, but they make it less useful to invest in capabilities that might now be incompatible with them, or might get detected because of this feature. They also signify that the organization is hostile to the sorts of exploit that might enable surveillance, and that it’s probably better not to engage with them.
Lastly, government agencies do not have infinite money.
Matt, we had this conversation in person at a BSIMM conference years ago when we were talking about how best to focus energy during threat modeling exercises. And while your position has become more nuanced, it still reconciles with our original agreement that time is the finite resource.
Unless I'm missing something specific? I imagine the reason why an agency would avoid said hostile battles is specifically to preserve time or perhaps to also buy time. (Being noisy is a great way to lose time quickly)
Agree to disagree on the money component, though. Maybe my comment is best clarified as "infinite from the perspective of [defender]"
Because of people like you, we'd at least find out soon if someone does hack Facebook and starts tapping some percentage of conversations. It's like people that read terms of services, or use custom email addresses per service to learn of breaches before the company even knows it themselves. Keep it up :)
For me, I also just like the idea of not having to trust the servers. Probably is fine, like with IRC and MSN and old unencrypted WhatsApp and Facebook's homegrown chat (etc.) I don't think there have been major breaches either. Doesn't mean it's not nice to have better options and exercise them, at least in my opinion. (Not that I use WhatsApp, but I casually apply this principle on Signal/Threema/Wire, just whenever I meet someone irl whose key changed.)
I wonder if Facebook keeps stats on how many people do the key verification. It would be such a shame if the servers knew whom to mitm and who not.