ImminentFate | 6 years ago

If you read the article, it’s talking about not putting in a backdoor, and not Facebook saying “we have access to all encrypted messages, we’re just not giving them to you”. As it stands, they’re end-to-end encrypted so not even Facebook can see your messages, and that’s what Barr doesn’t like.

tantalor|6 years ago

> they’re end-to-end encrypted so not even Facebook can see your messages

Not quite. Facebook still controls the endpoints, so when you see the message so can they. This is obvious: you use their app to view the encrypted message, hence the app has access to the cleartext.

https://en.wikipedia.org/wiki/Endpoint_security

fooker|6 years ago

This seems like an extreme argument.

If the app is not phoning home with the cleartext, this seems okay. You need some software to retrieve/read text anyway, so this becomes an exercise about trusting trust, etc.

Bartweiss|6 years ago

I agree that this is a risk for basically any networked app, but can't we distinguish whether this is an active concern or a hypothetical one?

In order to actually provide your messages to Facebook, the app needs to either call home when you view the message or write the cleartext somewhere on-device to send home later. If you view the message and then the app calls out with data we can't inspect, or writes something locally that we can't inspect, it could potentially be exfiltrating the message you viewed. If not... am I missing an attack vector, or is that message safe?

(To be precise: this would only prove forward secrecy, meaning safety for that viewing of that message. If we can't see the app's code, it could have testbench cutouts like Volkswagen or WannaCry, or more likely could only trigger for certain users or in certain cases à la Greyball.)

plicense|6 years ago

Yeah this - as far as I see it, there's nothing that prevents FB / WhatsApp from "accidentally" shipping the private keys on my phone / machine to their server.

jb775|6 years ago

Also, where is the private key stored and when/where exactly is it passed into the decryption algorithm? When/where is the original private key generated and managed? Inside fb software somewhere?

I'm sure realistically the US gov could creatively accomplish what they want.

SilasX|6 years ago

Why is everyone so confident Facebook hasn’t already backdoored it?

nighthawk24|6 years ago

Don't trust closed source software for encryption.

bytematic|6 years ago

Not sure the fallout of the public finding out would be worth it over the value add of reading messages, maybe I'm wrong but that's how I would look at it.

likpok|6 years ago

People regularly reverse engineer the Facebook apps to see what’s inside. (For example: Jane Wong)