Security gurus condemn sensational reporting of encryption backdoor-that-wasn’t
Computer security experts and cryptographers have accused The Guardian of overblowing what was reported to be a backdoor in WhatsApp’s encryption.
Zeynep Tufekci, an assistant professor at the University of North Carolina and an associate at Harvard University’s Berkman Center for Internet and Society, wrote an open letter this week criticizing the newspaper for portraying the “vulnerability” – which can be exploited by snoopers in certain circumstances to decrypt messages – as a “huge threat” to users.
The Graun‘s “exclusive” focused on how WhatsApp handles public encryption keys, and on a corner case in which a third party triggers the generation of new keys for a contact while messages to that contact are still queued undelivered. Because the sending client re-encrypts those queued messages to the new key rather than discarding them, this could, under specific conditions, theoretically allow an attacker who controls the new key to intercept and decrypt those messages.
As El Reg noted, exploitation is non-trivial. Noted security researchers are re-affirming that opinion, and taking journalists to task for portraying the condition as a serious flaw.
“The WhatsApp behavior described is not a backdoor, but a defensible user-interface trade-off,” Tufekci noted. “A debate on this trade-off is fine, but calling this a ‘loophole’ or a ‘backdoor’ is not productive or accurate.”
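To make the trade-off concrete, here is an added simulation (not WhatsApp or Signal code, and not from the letter) of the two ways a client can react when the server announces a changed identity key while messages are still queued. The encryption is a stand-in (a ciphertext is simply bound to a key id), the `notify_on_change` setting and all message text are constructed for the example, and the “third party” is modelled as whoever can announce a new key for the contact, as in the scenario above. The point it shows is the one Tufekci makes: with the auto-resend policy the queued message is delivered under the new key before the user has a chance to object, while the blocking policy holds the message and demands verification, at the cost of messages silently stalling for every legitimate phone swap.

```python
"""Key-change handling trade-off: auto-resend versus block-until-verified.

Added, simplified model; not the code of any real messenger. "Encryption"
here only binds a ciphertext to a key id so that the effect of the policy
on queued messages is visible.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional
import hashlib
import os


def new_identity_key() -> str:
    # Stand-in for a device's identity public key: an opaque fingerprint.
    return hashlib.sha256(os.urandom(32)).hexdigest()[:16]


@dataclass(frozen=True)
class Ciphertext:
    to_key: str     # key the message was encrypted to
    payload: str    # plaintext in this toy model (a real client uses a ratchet)


def encrypt(to_key: str, plaintext: str) -> Ciphertext:
    return Ciphertext(to_key, plaintext)


def decrypt(own_key: str, ct: Ciphertext) -> Optional[str]:
    # Only the holder of the key the message was encrypted to can read it.
    return ct.payload if ct.to_key == own_key else None


class KeyChangePolicy(Enum):
    AUTO_RESEND = "re-encrypt queued messages to the new key, then notify"
    BLOCK_UNTIL_VERIFIED = "hold queued messages until the user accepts the new key"


@dataclass
class Client:
    policy: KeyChangePolicy
    notify_on_change: bool = True           # assumption: notices are a user setting
    pinned_key: Optional[str] = None        # trust-on-first-use pin for the contact
    pending_key: Optional[str] = None       # announced but not yet accepted
    queued: List[str] = field(default_factory=list)        # undelivered plaintexts
    sent: List[Ciphertext] = field(default_factory=list)
    notices: List[str] = field(default_factory=list)

    def send(self, plaintext: str, contact_online: bool) -> None:
        if self.pinned_key is None:
            raise RuntimeError("no key pinned for contact")
        if contact_online:
            self.sent.append(encrypt(self.pinned_key, plaintext))
        else:
            self.queued.append(plaintext)   # wait for delivery

    def flush_queue(self) -> None:
        # Send everything queued, encrypted to whatever key is pinned now.
        while self.queued:
            self.sent.append(encrypt(self.pinned_key, self.queued.pop(0)))

    def on_key_changed(self, new_key: str) -> None:
        """The server announces that the contact's identity key is now new_key."""
        if self.policy is KeyChangePolicy.AUTO_RESEND:
            self.pinned_key = new_key
            self.flush_queue()              # queued messages go out under the new key
            if self.notify_on_change:
                self.notices.append(f"security code changed to {new_key}")
        else:
            self.pending_key = new_key      # keep the old pin; nothing is sent
            self.notices.append(f"key changed to {new_key}; verify before sending")

    def accept_new_key(self) -> None:
        """User explicitly accepts the new key, e.g. after out-of-band verification."""
        if self.pending_key is not None:
            self.pinned_key, self.pending_key = self.pending_key, None
            self.flush_queue()


def run_scenario(policy: KeyChangePolicy, notify: bool = True) -> dict:
    """One message delivered, one queued, then a key change for the contact."""
    bob_key = new_identity_key()
    client = Client(policy=policy, notify_on_change=notify, pinned_key=bob_key)
    client.send("hello", contact_online=True)
    client.send("meet at 9", contact_online=False)      # Bob offline: queued

    # A third party announces a new key for Bob (constructed scenario).
    other_key = new_identity_key()
    client.on_key_changed(other_key)

    return {
        "readable_by_other_key": [
            decrypt(other_key, ct) for ct in client.sent if decrypt(other_key, ct)
        ],
        "still_queued": list(client.queued),
        "notices": list(client.notices),
    }


if __name__ == "__main__":
    for policy in KeyChangePolicy:
        print(policy.name, run_scenario(policy, notify=False))
```

Note that the already-delivered "hello" is unreadable under the new key in both policies; only the queued message is exposed, and only when the client re-encrypts it automatically, which is why the letter treats this as a trade-off about undelivered messages rather than a break in the encryption itself.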
The letter has already received endorsements from some of the biggest names in the infosec space, including Assistant Prof Matthew Green, Bruce Schneier, and Tor Project developer Isis Lovecruft.
In addition to objecting to the portrayal of the security condition as a “vulnerability,” Tufekci’s letter takes The Guardian to task for presenting the condition as easy to exploit and for recommending that users abandon WhatsApp for other messaging tools that, in many cases, would be easier for an attacker to compromise.
“Telling people to switch away from WhatsApp is very concretely endangering people. Signal is not an option for many people,” the letter reads. “These concerns are concrete, and my alarm is from observing what’s actually been happening since the publication of this story and years of experience in these areas.”
Tufekci is asking the paper to retract and apologize for the story, and to have its reporters consult security professionals for input on future information security articles. “Considering the stakes, security reporting must be measured and well-researched,” the letter concludes.
“My unfortunate prediction is that the harm from your story will be real, widespread, and corrections and rebuttals likely minimally reported on.” ®