Zamen | زامن
WhatsApp's new vulnerability is a concession, not a backdoor
This morning, a Guardian article reported a new weakness in WhatsApp's encryption, described as a backdoor in one of the most widely used encrypted chat apps in the world. WhatsApp was quick to push back against the allegation, saying in a statement, “WhatsApp does not give governments a ‘backdoor' into its systems and would fight any government request to create a backdoor.” The bug described in the article had long been known to security professionals, and there's no evidence WhatsApp ever tried to conceal it. But the weakness itself is real, and its persistence shows just how hard it is to balance security with the demands of everyday users.

At its core, The Guardian piece describes an advanced but plausible attack that WhatsApp's current encryption can't stop. If an attacker gained access to a WhatsApp server, he could forcibly reset the keys used to encrypt messages and install himself as a relay point, intercepting any future messages sent between the parties. (This is commonly referred to as a man-in-the-middle attack.) The recipient of the message would not be alerted to the change in keys, and the sender would only be alerted if they've opted in to the app's “Show security notifications” setting. Because it requires server access, the attack is far beyond the reach of most criminals, but it could still be exploited by an unusually skilled attacker or used by a court to compel WhatsApp to break its own security.
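To make the mechanism concrete, here is an added simulation (not WhatsApp's code, and not from the article) of the client-side decision that the “Show security notifications” setting controls. The key directory, the user names, the `KeyServer` and `Client` classes and the `simulate` helper are all constructed for this example; keys are random bytes rather than real Signal-protocol identity keys, since only the fingerprint comparison matters here. The client trusts a contact's key on first use and stores its fingerprint; when the server later returns a different key for the same contact, a client with notifications off silently encrypts to the new key, while a client with notifications on raises an alert. Holding the message until the new security code is verified out of band is a stricter policy than the article describes for WhatsApp, chosen here to show the mitigation end-to-end.

```python
import hashlib
import os
from dataclasses import dataclass, field


def fingerprint(pubkey: bytes) -> str:
    """Short hex fingerprint of a public key: the 'security code' users compare out of band."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


class KeyServer:
    """Constructed stand-in for the key directory. Whoever controls it can overwrite entries."""

    def __init__(self):
        self.keys = {}

    def register(self, user: str, pubkey: bytes) -> None:
        self.keys[user] = pubkey

    def lookup(self, user: str) -> bytes:
        return self.keys[user]


@dataclass
class Client:
    name: str
    show_security_notifications: bool
    trusted: dict = field(default_factory=dict)   # trust-on-first-use store: peer -> fingerprint
    alerts: list = field(default_factory=list)    # security notifications shown to the user

    def prepare_send(self, peer: str, server: KeyServer) -> dict:
        """Fetch the peer's current key from the server and decide whether to encrypt to it."""
        fp = fingerprint(server.lookup(peer))
        previous = self.trusted.get(peer)
        if previous is None:
            self.trusted[peer] = fp  # first contact: nothing to compare against, trust on first use
            return {"status": "sent", "encrypted_to": fp, "key_changed": False}
        if fp == previous:
            return {"status": "sent", "encrypted_to": fp, "key_changed": False}
        if self.show_security_notifications:
            # Key changed and the user opted in: alert, and hold the message until verified.
            self.alerts.append(f"{peer}: security code changed {previous} -> {fp}")
            return {"status": "held", "encrypted_to": None, "key_changed": True}
        # Key changed but notifications are off: silently re-encrypt to whatever the server returned.
        self.trusted[peer] = fp
        return {"status": "sent", "encrypted_to": fp, "key_changed": True}

    def verify_security_code(self, peer: str, code_seen_out_of_band: str) -> bool:
        """Accept a new key only after the user confirmed its fingerprint through another channel."""
        self.trusted[peer] = code_seen_out_of_band
        return True


def simulate(show_security_notifications: bool) -> dict:
    """Alice messages Bob, then the server's entry for Bob is replaced by a relay key."""
    server = KeyServer()
    bob_key = os.urandom(32)            # constructed: Bob's genuine key
    server.register("bob", bob_key)
    alice = Client("alice", show_security_notifications)
    first = alice.prepare_send("bob", server)

    relay_key = os.urandom(32)          # constructed: key controlled by whoever runs the server
    server.register("bob", relay_key)   # the forced key reset described in the article
    second = alice.prepare_send("bob", server)

    return {
        "first": first,
        "second": second,
        "bob_fp": fingerprint(bob_key),
        "relay_fp": fingerprint(relay_key),
        "alerts": list(alice.alerts),
    }


if __name__ == "__main__":
    for setting in (False, True):
        result = simulate(setting)
        print(f"notifications={setting}: second send -> {result['second']}, alerts={result['alerts']}")
```

The instructive output is the second send: with notifications off it reports `sent` with `key_changed` true and `encrypted_to` equal to the relay fingerprint, which is exactly the silent re-encryption the article describes; with notifications on the message is `held` and one alert is recorded, giving the user a chance to compare the new security code with the contact before anything is encrypted to the new key.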