Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

By making the discredited argument that WhatsApp's key-change behavior is a fatal flaw, you're disagreeing with:

* The EFF

* Moxie Marlinspike

* Matthew Green

* Bruce Schneier

* Isis Lovecruft from Tor

* the grugq

* Matt Blaze

* Avi Rubin

* Steve Bellovin

* Joseph Lorenzo Hall

* Bart Preneel

* Peter Honeyman

* Jon Callas (who cofounded PGP Corp)

* Paulo Barreto

... and about 50 more experts equally respected in the field if less known to the typical HN reader.



> By making the discredited argument that WhatsApp's key-change behavior is a fatal flaw, you're disagreeing with... and about 50 more experts equally respected in the field if less known to the typical HN reader.

No, the vulnerability was confirmed and the argument that it represents a fatal flaw for those needing fully secure communications is sound. No one competent (and intellectually honest) has disputed this, or would even try to do so. The open letter itself acknowledges it, and I know every open letter signer I followed did so as well.

What the open letter did was take issue with the language used by The Guardian, point out the potential for such language to scare some people into less secure solutions, and argue that the vulnerability is a reasonable trade-off for convenience that can benefit some users too.


No, no he's not.

GP was questioning the implementation and OP is merely identifying a clear weakness (regardless of who you says, it is a trade-off). Not quite an appeal to authority, but it's pretty damn close.

What exactly about the post is a discredited argument? I'm genuinely curious. WhatsApp can be doing anything behind the scenes without clients knowing about it, how is questioning this a bad thing?


"you're disagreeing with"

This is the problem with the security community, always with authoritative arguments. Building a religion around security is not going to end well. Some of those people already push government agendas and people eat it, because they were told not to question "experts".


It's not just security. Nicholas Nassim Taleb even invented a word for this kind of thing. He describes his complaint, in typical pugnacious Taleb style, here: https://medium.com/incerto/the-intellectual-yet-idiot-13211e...


Do you have sources for that? Because just looking at the first two you named the EFF (who marked WhatsApp down for being closed source).

And the owner of the Signal protocol (which is what WhatsApp uses). Obviously he's not going to argue against it.


EFF has criticized WhatsApp for being closed source, but not for this particular aspect of the key exchange functionality.

Because of the history around how WhatsApp was criticism over this and some of the apparent results of that criticism, tptacek particularly doesn't want people to conflate "there is something bad, unfortunate, or inadequate about WhatsApp" with "WhatsApp has a 'backdoor' in its key exchange" (and I understand that!).


> EFF has criticized WhatsApp for being closed source, but not for this particular aspect of the key exchange functionality.

The articles I've seen appeared carefully worded so as to achieve some balance, but did express some criticism and concern.

"Nevertheless, this is certainly a vulnerability of WhatsApp, and they should give users the choice to opt into more restrictive Signal-like defaults." from:

https://www.eff.org/deeplinks/2017/01/google-launches-key-tr...

Key change notification concerns paragraph from:

https://www.eff.org/deeplinks/2016/10/where-whatsapp-went-wr...


Thanks, that's a better way to put it. I should have phrased the distinction I was drawing more carefully.





Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: