In my last post I explained how it is possible for most governments, Wire, anyone who compromises Wire, and many employers to invisibly intercept Wire voice and video calls without being detected.
Wire responded to say that this attack is partially mitigated, because they do certificate pinning, while pointing to this code.
One week ago, I notified them that this code does not actually implement certificate pinning, but they have yet to create a fix or notify their users that they are vulnerable.
The Wire source code is very sloppy, and many choices were not made defensively. Here we can see that instead of pinning to the host name the app is trying to connect to, the app applies pinning based on what is presented in the certificate. The certificate being presented over a network is what a defensive programmer would usually consider an “untrusted input,” (the entire reason the app needs pinning to begin with) but Wire chooses to make trust decisions based on what it is given. …
Wire advertises itself as a private messaging and calling app. In their announcements, they claim things like:
Wire’s voice calls have always been end-to-end encrypted. Today, we expand this to include all conversation content — text messages, video calls, photos, sketches. It is all now encrypted end-to-end, which means it is private and secure.
According to Wire, their voice and video calls have been “end-to-end encrypted” since 2014. These would be wonderful claims, if true, but in this post I will show how it is possible for Wire, most governments, and many employers to intercept Wire voice and video calls. …
Last week The Guardian published a story about a “backdoor” in WhatsApp. I don’t think their findings are a backdoor, but the story did raise some good questions about how private messaging apps should respond to key changes.
I was curious how other private messengers handle the same question, so I checked them out and found some results I did not expect.
A friend and I used our two Android phones, representing Alice and Bob. Here is our process: