> By making the discredited argument that WhatsApp's key-change behavior is a fatal flaw, you're disagreeing with... and about 50 more experts equally respected in the field if less known to the typical HN reader.
No, the vulnerability was confirmed and the argument that it represents a fatal flaw for those needing fully secure communications is sound. No one competent (and intellectually honest) has disputed this, or would even try to do so. The open letter itself acknowledges it, and I know every open letter signer I followed did so as well.
What the open letter did was take issue with the language used by The Guardian, point out the potential for such language to scare some people into less secure solutions, and argue that the vulnerability is a reasonable trade-off for convenience that can benefit some users too.
GP was questioning the implementation and OP is merely identifying a clear weakness (regardless of who you says, it is a trade-off). Not quite an appeal to authority, but it's pretty damn close.
What exactly about the post is a discredited argument? I'm genuinely curious. WhatsApp can be doing anything behind the scenes without clients knowing about it, how is questioning this a bad thing?
This is the problem with the security community, always with authoritative arguments. Building a religion around security is not going to end well. Some of those people already push government agendas and people eat it, because they were told not to question "experts".
EFF has criticized WhatsApp for being closed source, but not for this particular aspect of the key exchange functionality.
Because of the history around how WhatsApp was criticism over this and some of the apparent results of that criticism, tptacek particularly doesn't want people to conflate "there is something bad, unfortunate, or inadequate about WhatsApp" with "WhatsApp has a 'backdoor' in its key exchange" (and I understand that!).
> EFF has criticized WhatsApp for being closed source, but not for this particular aspect of the key exchange functionality.
The articles I've seen appeared carefully worded so as to achieve some balance, but did express some criticism and concern.
"Nevertheless, this is certainly a vulnerability of WhatsApp, and they should give users the choice to opt into more restrictive Signal-like defaults." from:
* The EFF
* Moxie Marlinspike
* Matthew Green
* Bruce Schneier
* Isis Lovecruft from Tor
* the grugq
* Matt Blaze
* Avi Rubin
* Steve Bellovin
* Joseph Lorenzo Hall
* Bart Preneel
* Peter Honeyman
* Jon Callas (who cofounded PGP Corp)
* Paulo Barreto
... and about 50 more experts equally respected in the field if less known to the typical HN reader.