[HN Gopher] Expanding Features for End-to-End Encryption on Mess...
___________________________________________________________________
Expanding Features for End-to-End Encryption on Messenger
Author : marban
Score : 32 points
Date : 2023-01-23 18:52 UTC (4 hours ago)
(HTM) web link (about.fb.com)
(TXT) w3m dump (about.fb.com)
| _Algernon_ wrote:
| If the client is closed source, and developed by an untrustworthy
| company, e2ee doesn't matter.
| AdrenalinMd wrote:
| An open source client gives a false sense of security as the
| APK you're downloading is compiled. In the end you still need
| to decompile the APK to know what it is really doing.
|
| An open source client doesn't matter in the mobile world, as you never
| compile the app yourself. This is only misleading to the non-tech
| users who don't get how the whole thing works. That's why
| Telegram's claim of security is total garbage: while
| their client is "open source", the backend that has all the
| messages is not. Something they don't clearly state on their
| website.
|
| So Telegram's admins can read all the messages in plain
| text on the backend. So an "open source" client means absolutely
| nothing for the security.
| quyleanh wrote:
| True. And the Telegram founder is still proud of their privacy.
| Lol
| sebzim4500 wrote:
| IIRC you can encrypt direct messages on Telegram, so there is
| some security there.
|
| I'd still rather use Signal though.
| londons_explore wrote:
| I disagree.
|
| Even a closed source client soon has open source 'compatible'
| clients. To build those, you need to reverse
| engineer/understand the crypto. In the process of doing that,
| you will likely uncover any systemic flaw that reveals every
| conversation to a passive attacker.
|
| That effectively leaves the 'send a secret message to leak the
| key' type backdoors that the client could have. However, if
| this functionality existed and was used on every chat, then it
| is quickly discovered by anyone debugging the unofficial
| client.
|
| So the only remaining 'loophole' is that there _is_ a backdoor
| in the official client, but that it is only used very rarely or
| on request.
|
| That in turn means that Facebook can't go do large scale data
| mining on the private chats. That's a win.
| Y_Y wrote:
| When has anyone reverse engineered their way to a compatible
| client for FB Messenger or WhatsApp? To my knowledge there
| are only hacky bridges that involve running the official
| client under the hood.
| londons_explore wrote:
| [1] is that for WhatsApp. It implements everything from
| scratch, including the crypto and all the many layers of
| message encapsulation. I believe there are a few other
| clients too. It even implements the APIs to create a new
| account, so you don't even need to touch their client code
| at all.
|
| FB messenger doesn't yet have e2e encryption, so there
| hasn't yet been any need.
|
| [1]: https://github.com/tgalal/yowsup
| [deleted]
| btdmaster wrote:
| It looks like they're getting users banned [0] for using
| alternative clients.
|
| [0] https://github.com/tgalal/yowsup/issues?q=is%3Aissue+
| is%3Aop...
| masterof0 wrote:
| Taking into account that they are known to work closely with
| the FBI, what they call e2ee cryptography is ridiculous.
| Their business is built off violating users' privacy, why would
| anyone trust them? They've got your keys. Signal exists for
| this very reason.
| f38zf5vdt wrote:
| Technically we also trust Signal not to push a signed update
| to their software that exfiltrates our keys. Whether or not
| Meta is doing E2EE should be clear from snooping their
| protocol or reverse engineering the software.
| onlyrealcuzzo wrote:
| I think some users might be happy that the average FB
| engineer can't just see all their messages.
|
| That the FBI can is a concern to absolutists, but I don't
| think the masses.
| [deleted]
| EGreg wrote:
| _Active Status: Let people see when you're active, so they know
| when it's a good time to call. You can also choose to turn this
| feature off, if you want to improve your privacy._
|
| Why is calling still a thing? It interrupts whatever the person
| was doing. And just KNOWING that any one of your 5000 contacts
| can call you at any time can be very distracting and make you
| anxious subconsciously.
|
| What is wrong with async scheduling meetings? And threaded
| conversations?
|
| I can understand read receipts but online status is silly. It
| only enables stalking. Why not have people bid for your timeslots
| and fill up classes and office hours etc.? Everyone would have a
| happier life.
| teddyh wrote:
| Wait until you hear about doorbells.
| EGreg wrote:
| Pretty sure having to travel to my door is a good filter of
| effort that is lacking online.
|
| I wonder whether the people downvoting me are all guys, or
| really don't mind spam.
| noptd wrote:
| Seriously. Nothing like normalizing the gathering and (by
| default) over-sharing of sensitive data with your product...
| EGreg wrote:
| Yup, that's what Facebook's business model seems to always
| dip into.
| atonse wrote:
| Curious as to why they suddenly seem to care about adding E2E? I
| wonder if, with ML models running on devices now, they've found a
| way to show relevant-enough ads by doing all the "relevancy"
| processing on-device, at one of the "ends" of the encrypted chat.
|
| It just doesn't add up.
| baby wrote:
| They always cared about E2E. It was added really early to
| WhatsApp due to the mobile first client. Messenger always had
| trouble because users are expected to open the app from
| different browsers.
|
| The value? They don't need to secure their databases against
| external AND internal attacks (believe it or not, FB has
| protections in place so that employees don't randomly access
| user data), they can more easily be compliant with the never-ending
| stream of regulations like GDPR, and... they can more
| easily do interop with WhatsApp (which doesn't have plaintext
| messaging).
| chimeracoder wrote:
| > They always cared about E2E. It was added really early to
| WhatsApp due to the mobile first client.
|
| Define "always". The very early releases of WhatsApp used
| plaintext. Encryption was added in 2013, and E2E (using the
| Signal protocol) was added in 2016.
| dylan604 wrote:
| > It was added really early to WhatsApp
|
| So early it was pre-FB purchase?
| fsociety wrote:
| No, and you are likely talking to a WhatsApp dev. They added
| E2EE in 2016, plans announced in 2014. Backups weren't
| encrypted until recently.
| noptd wrote:
| My thoughts exactly. With their closed source app running on
| the client, they can do literally anything with the plaintext
| before encrypting it.
|
| Be ready for an expansion of their fear-mongering ad campaigns
| about how anyone in your office or home can read your messages
| when you send them unencrypted.
| tapoxi wrote:
| Probably because their main competitor, iMessage, is E2E. If
| they can be E2E and cross-device, they can take share from
| Apple.
| baby wrote:
| BTW, iMessage is not their main competitor (or even
| comparable to a non-text message cross-platform messaging
| app). IMO that was messaging from Facebook to avoid antitrust
| issues. Their main competitors are Telegram, WeChat, Kakao.
| JumpCrisscross wrote:
| In the U.S., the competition is Discord; overseas, WeChat,
| QQ, Snapchat and Telegram [1]. iMessage is a tool for the
| rich or young [2].
|
| [1] https://spectrm.io/insights/blog/messaging-app-
| statistics-mo...
|
| [2] https://www.androidauthority.com/imessage-big-deal-
| guide-308...
| masterof0 wrote:
| I agree with baby here, iMessage ate their lunch long
| ago, their competition is Kakao, Line, and the likes, not even
| WeChat, as they have 0 presence in China, and they are far
| behind feature-wise.
| blamestross wrote:
| So is this liability reduction for them? Too many subpoenas and
| this makes responding to them more efficient? It doesn't seem
| like "messenger is e2e encrypted" actually matters for marketing
| and adoption so either it is a cheap fiction for marketing or
| there is a motive I don't understand.
| baby wrote:
| IMO the value comes in this order:
|
| 1. liability reduction
|
| 2. interop with WhatsApp
|
| 3. marketing
|
| 4. added security for their users :D
| teddyh wrote:
| Does it pass the mud puddle test?
| capableweb wrote:
| That's a joke anyways. Regardless of whether Facebook
| can/will/won't/pretend to not be able to give you your data
| back, they could store it.
___________________________________________________________________
(page generated 2023-01-23 23:00 UTC)